DRAFT
Overview
The Delegation Via Attributes process will allow departments to manage delegations in Austin Active Directory objects. This process is composed of the following parts: a delegation request, the requests attribute, the delegation process, a delegation result, and the results attribute. The delegation request is a JSON string that contains the required properties and values for the delegation. The JSON string is written to the requests attribute on a department's Administrative OU. The delegation process is an hourly process managed by the Active Directory team that interprets delegation requests. The delegation process will remove the original JSON string from the requests attribute on the department's Administrative OU and attempt to fulfill the delegation request. The delegation process will then add its output as a JSON string to the results attribute on the department's Administrative OU. Any errors encountered by the delegation process are reported in the delegation result.
Attributes
The values consumed and generated by Delegation Via Attributes are stored on a department's Administrative OU object. A department's Administrative OU is contained under the Departments OU in the Administrative OU at the root of the domain. For example: "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" would be the Administrative OU for the TEST department.
- The requests attribute is the utexasEduAustinMulti1 attribute on a department's Administrative OU. Department Owners can read and write to this attribute to submit a delegation request.
- The results attribute is the utexasEduAustinMulti2 attribute on a department's Administrative OU. Department Owners can read this attribute to review the results of delegation processing.
Delegation Request
Each delegation request is a JSON string that contains the following properties and values:
Property | Value | Required | Notes |
---|---|---|---|
Timestamp | When to process the request | Yes | Must be a valid time value. Can be set for a future time to schedule the request. |
Action | Action for the request | Yes | Must be one of the following approved verbs: Add, Remove, Replace, Clear |
Path | OU targeted by the request | Yes | Must be an OU under the Department's OU. |
Principal | AD group in the delegation | Yes | Must be either:
|
Delegation | Permissions for request | Yes | Must be either:
|
RequestedBy | EID submitting the request | Yes | Must be the EID submitting the request. Validated against the Department's Owners group. |
RequestedFor | EID requesting the delegation | No | The EID who requested the delegation from the owner. Optional. |
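
The request rules in the table above can be checked before the JSON string is written to the requests attribute. The following is an added example, not code from this document or from the Active Directory team's delegation process. It assumes ISO 8601 timestamps, takes the department OU's distinguished name as a parameter, treats "under" as strictly below that OU, and leaves Principal and Delegation as placeholders because their allowed values are not listed here; all sample values are constructed.

```python
import json
from datetime import datetime

REQUIRED = ("Timestamp", "Action", "Path", "Principal", "Delegation", "RequestedBy")
ACTIONS = {"Add", "Remove", "Replace", "Clear"}  # approved verbs from the table

def split_dn(dn):
    """Split a DN into lower-cased RDNs, breaking only on unescaped commas."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur.strip().lower())
            cur = ""
            continue
        escaped = (ch == "\\") and not escaped
        cur += ch
    parts.append(cur.strip().lower())
    return parts

def is_ou_under(path, dept_ou):
    """True if path is an OU strictly below dept_ou, compared RDN by RDN."""
    p, d = split_dn(path), split_dn(dept_ou)
    return len(p) > len(d) and p[-len(d):] == d and p[0].startswith("ou=")

def validate_request(raw, dept_ou):
    """Return a list of problems; an empty list means these checks passed."""
    try:
        req = json.loads(raw)
    except ValueError:
        return ["request is not valid JSON"]
    if not isinstance(req, dict):
        return ["request is not a JSON object"]
    errors = [f"{k}: required non-empty string" for k in REQUIRED
              if not isinstance(req.get(k), str) or not req[k].strip()]
    if errors:
        return errors
    try:
        datetime.fromisoformat(req["Timestamp"])  # assumption: ISO 8601 format
    except ValueError:
        errors.append("Timestamp: not a valid time value")
    if req["Action"] not in ACTIONS:
        errors.append("Action: not an approved verb")
    if not is_ou_under(req["Path"], dept_ou):
        errors.append("Path: not an OU under the department's OU")
    return errors

# Constructed sample values; Principal and Delegation are placeholders.
DEPT_OU = "OU=TEST,OU=Departments,DC=example,DC=edu"
SAMPLE = {"Timestamp": "2030-01-15T09:00:00", "Action": "Add",
          "Path": "OU=Labs," + DEPT_OU, "Principal": "<principal-placeholder>",
          "Delegation": "<delegation-placeholder>", "RequestedBy": "abc123"}
```

Comparing the Path RDN by RDN matters because a plain string suffix match would accept an OU whose name contains an escaped comma followed by text that looks like the department OU's DN.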
Delegation Results
Each delegation result is a JSON string that contains the following properties and values:
Property | Value | Notes |
---|---|---|
Timestamp | When the request was processed | The time when the script processed the request. |
Request | The original delegation request | The original JSON string from the requests attribute. |
Success | True or False | True if the request was processed successfully. False otherwise. |
Error | Present when Success is False | Contains the reason the request could not be processed as submitted. |