The Austin Active Directory schema has been extended with the utexasEduAustinAuxClass and utexasEduAzureAuxClass auxiliary classes. These auxiliary classes add additional attributes to existing classes and allow additional information to be stored on objects in the Austin Active Directory. The attribute permission groups enable granular access to the attributes with easy to read group names.
Each attribute permission group follows the [auxiliary-class-type]-[short-object-type]-[short-attribute-name]-[permission-code] pattern. The pattern is comprised of the following components:
- [auxiliary-class-type] - AUSTIN for attributes in the utexasEduAustinAuxClass and AZURE for attributes in the utexasEduAzureAuxClass
- [short-object-type] - the shortened name of the object that the attribute permission group applies to (ex. User, Group, Computer, OU)
- [short-attribute-name] - the shortened name of the attribute that the attribute permission group applies to (ex. Single1, Multi2, Bool3, Time4)
- [permission-code] - the letter of the permission code for the permissions granted to the attribute permission group (see below)
Permission Code
The following are the current permission codes:
| Code | Label | Rights |
|---|---|---|
| A | Access | Read permissions on the attribute |
| B | Blockable | Read permissions on the attribute; may be limited by record restrictions |
| C | Change | Read and write permissions on the attribute |
The following the proposed permission codes:
| Code | Label | Rights |
|---|---|---|
| P | Peruse | Read permission on the attribute; may be limited by record restrictions |
| R | Read | Read permission on the attribute |
| W | Write | Read and write permissions on the attribute |
Example attribute permission groups
The current permission codes would result in the following example attribute permission groups:
- AUSTIN-User-Single11-A - the members are allowed to read the utexasEduAustinSingle11 attribute on users
- AUSTIN-OU-Multi12-C - the members are allowed to read and write the utexasEduAustinMulti12 attribute on OUs
Script for assigning permissions to Attribute Permission Groups
In order to reduce the size of the ACL, only set an ACE for groups where that access type has been requested.
For example, if there is a request to read an attribute, but no request to write it as well, only set the ACE for the appropriate -A group. Do not set an ACE for the -C group as well if write access is not requested.
| Name | Add-Attribute-ACE.ps1 |
|---|---|
| Location | \\aad-share-p01.austin.utexas.edu\Shares\Scripts\Permissions |
| Variables | $ad_container - String containing the FQDN of the container to be updated For user attributes, this will be "OU=People,DC=austin,DC=utexas,DC=edu" in AUSTIN |
$ad_group - String containing the name of the attribute group Example: AUSTIN-User-Single1-A, AUSTIN-User-Single1-B, AUSTIN-User-Single1-C | |
| Parameter | Write - Boolean containing the state of the script (write the ACE or not) This variable must be True in order to write the ACE. |