Overview

PFA will allow department administrators to use Active Directory attributes to apply permissions to objects. Initial implementation is focused on 

Parameters

1. Define <report-attribute> for results
   • utexasEduAustinMultiX
2. Define <action-attribute> for query
   • utexasEduAustinBool1
3. Define <permission-attribute> for query
   • utexasEduAustinSingle1
   • Value must be one of the existing Delegation values
4. Define <target-attribute> for query
   
   • managedBy
   • Target of delegation
5. Define <object-class> for query
   • organizationalUnit
6. Define <container> as search base for query
   • OU=Departments,<domainDnsRoot>

Pseudo-code

1. Query for <object-class> in <container> where:
   1. <action-attribute> is true
   2. <permission-attribute> has a value
   3. <target-attribute> has a value
2. For each object found in previous step...
   
   1. Grant <permission-attribute> delegation to <target-attribute> principal
   2. Write <report-attribute> with "<timestamp>;<delegation>;<managedBy>"
   3. Clear <action-attribute> and <permission-attribute>
3. Create scheduled task on ADFS servers to perform query every hour
   1. Run as dedicated GMSA
      1. All permissions actions taken by known account
      2. Password of account managed by domain
   2. Leverage HostCheck
      1. Avoid duplication of work

Expansion options

• Set <action-attribute> to false to remove a delegation
• Allow <permission-attribute> to be SDDL
  • SDDL must be checked for prohibited permissions
• Add Reset as a delegation to reset permissions on an OU
  • Ensure that <DEPT>-Permissions are restored after a reset on a department root.