DRAFT

Overview

DVA will allow department administrators to use Active Directory attributes to apply and remove delegations from objects.

Pseudo-code

  1. Define <report-attribute> for results
    • utexasEduAustinMultiX
  2. Define <action-attribute> for query
    • utexasEduAustinBool1
  3. Define <scope-attribute> for query
    • utexasEduAustinSingle1
    • Value must be one of the existing Delegation values
  4. Define <target-attribute> for query
    • managedBy
    • Target of delegation
  5. Define <object-class> for query
    • organizationalUnit
  6. Define <container> as search base for query
    • OU=Departments,<domainDnsRoot>
  7. Query for <object-class> in <container> where:
    1. <action-attribute> is true
    2. <scope-attribute> has a value
    3. <target-attribute> has a value
  8. For each object found in the previous step...
    1. Grant <scope-attribute> delegation to <target-attribute> principal
    2. Write <report-attribute> with "<timestamp>;<delegation>;<managedBy>"
    3. Clear <action-attribute> and <scope-attribute>
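
One pass of steps 6 to 8, as an added PowerShell example that is not part of this page or of DVA itself: it assumes the ActiveDirectory module and AD: drive are available, that the caller can write the OUs and their ACLs, and that the delegation names and rights in $DelegationRights are constructed placeholders for the site's real delegation set.

```powershell
# Added example, not code from the DVA page: one pass of the pseudo-code above.
# Assumes the ActiveDirectory module, an AD: drive, and write rights on OU=Departments.
# The delegation names and rights below are constructed placeholders for the real set.
Import-Module ActiveDirectory

# Allow-list: <scope-attribute> value -> rights granted to the managedBy principal on the OU.
$DelegationRights = @{
    'ReadOnly'      = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead'
    'ManageObjects' = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty'
}

function Invoke-DvaPass {
    param([string]$SearchBase = 'OU=Departments,' + (Get-ADDomain).DistinguishedName)

    # Step 7: only OUs with the action flag set and both scope and target populated.
    $filter = '(&(objectClass=organizationalUnit)(utexasEduAustinBool1=TRUE)' +
              '(utexasEduAustinSingle1=*)(managedBy=*))'
    $ous = Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
                        -Properties utexasEduAustinSingle1, managedBy

    foreach ($ou in $ous) {
        $delegation = [string]$ou.utexasEduAustinSingle1
        if (-not $DelegationRights.ContainsKey($delegation)) {
            Write-Warning "$($ou.DistinguishedName): '$delegation' is not a known delegation; skipped"
            continue   # never turn an unvetted attribute value into an ACE
        }
        # managedBy must resolve to a security principal (one with an objectSid); contacts do not.
        $target = Get-ADObject -Identity $ou.managedBy -Properties objectSid
        if (-not $target.objectSid) {
            Write-Warning "$($ou.DistinguishedName): managedBy is not a security principal; skipped"
            continue
        }
        $sid = [System.Security.Principal.SecurityIdentifier]$target.objectSid.Value

        # Step 8.1: grant the delegation as an inheritable Allow ACE on the OU.
        $path = "AD:\$($ou.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $DelegationRights[$delegation], 'Allow', 'All')
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl

        # Step 8.2: audit record "<timestamp>;<delegation>;<managedBy>" in the multi-valued report attribute.
        $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmssZ')
        Set-ADObject -Identity $ou -Add @{ utexasEduAustinMultiX = "$stamp;$delegation;$($ou.managedBy)" }

        # Step 8.3: clear the request so the next pass does not re-apply it.
        Set-ADObject -Identity $ou -Clear utexasEduAustinBool1, utexasEduAustinSingle1
    }
}

Invoke-DvaPass
```

Because the report attribute keeps every applied request, it doubles as the audit trail for reviewing who was delegated what on each OU.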
Expansion options
  • Set <action-attribute> to false to remove a delegation
  • Allow <scope-attribute> to be SDDL for add/remove
    • SDDL must be checked for prohibited permissions
  • Add Reset as a delegation to reset permissions on an OU
    • Ensure that <DEPT>-Permissions are restored after a reset on a department root.
