The Requests By Attribute process (aka REBA) allows a department administrator to programmatically submit a request to the Active Directory team via an attribute on a department's administrative organizational unit (OU) object. This process is intended to reduce the need for department administrators to open tickets with the Active Directory team.
Process Overview
The requests attribute on a department's administrative OU functions as a queue and holds all pending requests for a department. A scheduled task runs a PowerShell script hourly that evaluates all pending requests in the requests attribute. The PowerShell script will then remove a pending request from the attribute and either perform the requested actions or deny the request. The PowerShell script will then post the results of the request to a separate attribute on the same administrative OU. The results attribute can be reviewed by department administrators to determine if the request was completed or denied. A denied request will include information about why the request was not performed.
Request Types
REBA is designed to be extensible and can support multiple request types. Each of the supported and planned request types are documented in their respective sections below. Examples of how to submit each request type and review results are included in the documentation for the respective request type.
Supported Request Types
The following requests types are currently supported by REBA:
- Delegation - Department administrators can manage permissions on organizational units within a department. This process has previously been available only via a ServiceNow request.
Planned Request Types
The following requests types are expected to be supported by REBA in the future:
- DNS - Department administrators can create and manage DNS records associated with the department. This process will be limited to DNS records that begin with a department prefix.
Submitting Requests
Requests are submitted by adding a correctly formatted JSON string to a multi-valued attribute on a department's administrative OU. This can be performed using any LDAPv3 compliant tools. The Active Directory teams provides full support for two methods to create and submit requests via REBA: the provided PowerShell scripts and the OpenLDAP tools. The Active Directory team provides best-effort support for all other methods.
PowerShell Scripts
The Active Directory team has created the following documentation for submitting requests and reviewing the results with PowerShell scripts:
OpenLDAP tools
The Active Directory team has created the following documentation for submitting requests and reviewing the results with OpenLDAP tools:
Questions
Please contact the Active Directory team via ServiceNow for any questions or assistance with this process.