The custom attribute permission groups need to address multiple items:
- Must use "ControlAccess" due to confidential attributes
- The standard No Access vs. Read vs. Write
- The ability to address record restrictions for future directory services work
Current proposal is AUSTIN-[short-object-type]-[short-attribute-name]-[permission-code]. The "short object type" is the shortened string of the AD object class (ex. User, OU, Computer, Group). The "short attribute name" is the AD attribute name less the "utexasEduAustin" prefix. The "permission code" is one of the following:
- A - Access - User is allowed to read the attribute but can be blocked by record restrictions
- B - Bypass - User is allowed to read the attribute regardless of record restrictions
- C - Change - User is allowed to read and write the attribute
This would create groups named as follows:
- AUSTIN-User-Single11-A - the members are allowed to read the utexasEduAustinSingle11 attribute on users
- AUSTIN-OU-Multi12-C - the members are allowed to read and write the utexasEduAustinMulti12 attribute on OUs
Record restrictions are handled by placing a deny directly on the user object for the appropriate Access group. Membership in the Access, Bypass, and Change groups must be exclusive to prevent conflicts.