You are viewing an old version of this page (Version 4).

DRAFT

Overview

PFA will allow department administrators to request delegated permissions on OU objects by setting Active Directory attributes on those OUs. A scheduled job reads the attributes, applies the matching delegation to the OU's DACL, records what it did in a report attribute, and clears the request.

Parameters

  1. Define <report-attribute> for results
    • utexasEduAustinMultiX
    • Multi-valued; one entry is appended per processed request, so it serves as an audit trail on the OU itself
  2. Define <action-attribute> for query
    • utexasEduAustinBool1
    • Set to true by the department administrator to request processing
  3. Define <permission-attribute> for query
    • utexasEduAustinSingle1
    • Value must be one of the existing Delegation values; any other value is rejected, never applied
  4. Define <target-attribute> for query
    • managedBy
    • Target of delegation (the principal that receives the permissions); it must resolve to a security principal, i.e. an object with a SID
  5. Define <object-class> for query
    • organizationalUnit
  6. Define <container> as search base for query
    • OU=Departments,<domainDnsRoot>
    • Searched as a subtree, so child OUs of a department are eligible as well

Pseudo-code

  1. Query for <object-class> in <container> where:
    1. <action-attribute> is true
    2. <permission-attribute> has a value
    3. <target-attribute> has a value
  2. For each object found in previous step...
    1. Validate the request: <permission-attribute> must match a known Delegation value and <target-attribute> must resolve to a security principal; otherwise reject the request and skip step 2.2
    2. Grant the delegation named by <permission-attribute> to the <target-attribute> principal
    3. Write <report-attribute> with "<timestamp>;<delegation>;<managedBy>" (record rejected requests too, so a bad request is visible rather than silently dropped)
    4. Clear <action-attribute> and <permission-attribute> so the request is not processed again on the next run
  3. Create scheduled task to perform query every hour
    1. Run from ADFS servers
    2. Run as dedicated gMSA; it needs Modify Permissions on OUs under <container> plus write access to the three utexasEduAustin* attributes, and nothing more
    3. Leverage HostCheck

Note that anyone who can write <action-attribute>, <permission-attribute> and managedBy on an OU can obtain any listed delegation for any principal, so write access to those attributes is the security boundary of this design and must be limited to the department administrators it is meant for.
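The sweep described in steps 1 and 2 above, as an added PowerShell example (not PFA's own code). It assumes the RSAT ActiveDirectory module, that the utexasEduAustin* attributes exist in the schema with the syntaxes their names suggest (Bool1 = Boolean, Single1 = single-valued string, MultiX = multi-valued string), and a hypothetical delegation catalogue ($PfaDelegations) standing in for the real Delegation values; rejected requests are written to the report attribute with a REJECTED marker, which is an assumption, not something the page specifies. The hourly task, gMSA and HostCheck pieces of step 3 are not shown.

```powershell
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Hypothetical delegation catalogue (assumption, not the page's list): each entry
# maps a Delegation name to the object class it covers. A grant gives the target
# CreateChild/DeleteChild for that class on the OU subtree plus full control over
# descendant objects of that class. Only names in this table are ever applied.
$PfaDelegations = @{
    'ComputerObjects' = 'computer'
    'GroupObjects'    = 'group'
}

function Get-PfaSchemaClassGuid {
    # Look the class's schemaIDGUID up in the schema instead of hard-coding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$cls.schemaIDGUID
}

function Invoke-PfaSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Container           = "OU=Departments,$((Get-ADDomain).DistinguishedName)",
        [string]$ActionAttribute     = 'utexasEduAustinBool1',
        [string]$PermissionAttribute = 'utexasEduAustinSingle1',
        [string]$TargetAttribute     = 'managedBy',
        [string]$ReportAttribute     = 'utexasEduAustinMultiX'
    )
    # Step 1: OUs with a pending request (action true, permission and target set).
    $filter  = "(&($ActionAttribute=TRUE)($PermissionAttribute=*)($TargetAttribute=*))"
    $pending = Get-ADOrganizationalUnit -LDAPFilter $filter -SearchBase $Container `
        -SearchScope Subtree -Properties $ActionAttribute, $PermissionAttribute, $TargetAttribute

    foreach ($ou in $pending) {
        $dn         = $ou.DistinguishedName
        $delegation = $ou.$PermissionAttribute
        $targetDn   = $ou.$TargetAttribute
        $stamp      = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

        # Step 2.1: allowlist check on the delegation name, and resolve the target to a
        # SID (managedBy may point at a contact or other non-principal). A missing DN
        # raises a terminating error from Get-ADObject, hence the try/catch.
        $target = try { Get-ADObject -Identity $targetDn -Properties objectSid } catch { $null }
        if (-not $PfaDelegations.ContainsKey($delegation)) {
            $reason = "unknown delegation '$delegation'"
        } elseif (-not $target -or -not $target.objectSid) {
            $reason = "target '$targetDn' is not a security principal"
        } else {
            $reason = $null
        }

        if ($reason) {
            Write-Warning "${dn}: $reason, request rejected"
            $report = "$stamp;REJECTED $delegation;$targetDn"   # rejection is recorded (assumption)
        } else {
            $classGuid = Get-PfaSchemaClassGuid $PfaDelegations[$delegation]
            $sid   = $target.objectSid
            $allow = [System.Security.AccessControl.AccessControlType]::Allow
            $rules = @(
                # create/delete objects of the class anywhere under the OU
                [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
                    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
                    $classGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All),
                # full control over descendant objects of that class only (inheritedObjectType)
                [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
                    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $classGuid)
            )
            # Step 2.2: add the ACEs to the OU's DACL.
            if ($PSCmdlet.ShouldProcess($dn, "grant $delegation to $targetDn")) {
                $acl = Get-Acl -Path "AD:\$dn"
                foreach ($r in $rules) { $acl.AddAccessRule($r) }
                Set-Acl -Path "AD:\$dn" -AclObject $acl
            }
            $report = "$stamp;$delegation;$targetDn"
        }

        # Steps 2.3 and 2.4: append the report entry, then clear the request flags.
        if ($PSCmdlet.ShouldProcess($dn, 'write report and clear request')) {
            Set-ADOrganizationalUnit -Identity $ou -Add @{ $ReportAttribute = $report } `
                -Clear $ActionAttribute, $PermissionAttribute
        }
    }
}

# The hourly task (step 3) would call Invoke-PfaSweep; -WhatIf only reports what it would change.
Invoke-PfaSweep -WhatIf
```

The report entry is written and the request cleared whether or not the grant happened, so a malformed request cannot be retried every hour forever and the rejection reason is visible on the OU. Run the function with -WhatIf first against the real container to review the pending requests before letting the gMSA apply them.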
Expansion options
  • Set <action-attribute> to false to remove a delegation (the job then removes the ACEs it previously granted to the <target-attribute> principal and records the removal in <report-attribute>)
  • Allow <permission-attribute> to be SDDL for add/remove
    • SDDL must be checked for prohibited permissions before it is applied: it must parse, every ACE must be an Allow for the <target-attribute> principal only, and rights such as GenericAll, WriteDacl, WriteOwner and Delete, which would let the delegate take over the OU or its DACL, must be refused
  • Add Reset as a delegation to reset permissions on an OU
    • Ensure that <DEPT>-Permissions are restored after a reset on a department root.
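One way to implement the SDDL check called for in the expansion options, as an added example (not PFA's own code). The prohibited-rights list and the rule that every ACE must name the managedBy principal are an assumed policy; the SID and SDDL strings in the usage lines are constructed sample input.

```powershell
function Test-PfaSddl {
    <# Returns $true when every ACE in $Sddl is an Allow for $TargetSid that carries
       none of the prohibited rights; otherwise warns about each problem and returns $false. #>
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$TargetSid
    )
    $sd = [System.DirectoryServices.ActiveDirectorySecurity]::new()
    try { $sd.SetSecurityDescriptorSddlForm($Sddl) }
    catch { Write-Warning "SDDL does not parse: $($_.Exception.Message)"; return $false }

    # Rights that would let the delegate take over the OU or its DACL (assumed policy).
    $prohibited = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner, Delete, DeleteTree'
    $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $ok = $true
    # Explicit ACEs only; SDDL supplied by an administrator should not carry inherited ones.
    foreach ($ace in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') {
            Write-Warning "Deny ACE for $who not permitted (a Deny can lock out administrators)"; $ok = $false
        }
        if ($who -ne $TargetSid.Value) {
            Write-Warning "ACE trustee $who is not the managedBy principal $($TargetSid.Value)"; $ok = $false
        }
        $bad = $ace.ActiveDirectoryRights -band $prohibited
        if ([int]$bad -ne 0) {
            Write-Warning "ACE for $who carries prohibited right(s): $bad"; $ok = $false
        }
        # ExtendedRight with an empty ObjectType means *all* extended rights, not one.
        if (([int]($ace.ActiveDirectoryRights -band $extended) -ne 0) -and ($ace.ObjectType -eq [guid]::Empty)) {
            Write-Warning "ACE for $who grants every extended right"; $ok = $false
        }
    }
    return $ok
}

# Constructed sample input: a department admin group SID and two candidate SDDL strings.
$dept = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'
# create/delete child objects, list, read property and read control for the department group
Test-PfaSddl -Sddl "D:(A;CI;CCDCLCRPRC;;;$($dept.Value))" -TargetSid $dept
# GenericAll for the department group plus a Deny ACE against Domain Admins
Test-PfaSddl -Sddl "D:(A;CI;GA;;;$($dept.Value))(D;CI;WP;;;DA)" -TargetSid $dept
```

The first call passes; the second fails on the GenericAll ACE and again on the Deny ACE, and each reason is written as a warning so the rejection can be copied into <report-attribute>. Parsing goes through ActiveDirectorySecurity rather than string matching so that abbreviations, raw hex rights masks and object-type GUIDs are all interpreted the same way the directory itself would interpret them.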

