View Source

DRAFT

Overview

The Delegation Via Attributes process will allow departments to manage delegations in Austin Active Directory objects. This process is composed of the following parts: the delegation request, the requests attribute, the delegation processing, and the results attribute. The delegation request is a JSON string that contains the required properties and values for the delegation. The JSON string is written to the requests attribute on a deparment's Administrative OU. The delegation processing is comprised of a PowerShell script and the scheduled tasks that run the PowerShell script every hour. The PowerShell script will remove the original JSON string from the requests attributes and write the output from delegation processing as a JSON string to the results attribute on the department's Administrative OU.

Attributes

The attributes used by Delegation Via Attributes are stored on a departemnt's Administrative OU object. A department's Administrative OU is contained under the Departments OU in the Administrative OU at the root of the domainFor example: "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" would be the Administrative OU for the TEST department.

The requests attribute is the utexasEduAustinMulti1 attribute on a department's Administrative OU. Department Owners can read and write to this attribute to submit a delegation request.
The results attribute is the utexasEduAustinMulti2 attribute on a department's Administrative OU. Department Owners can read this attribute to review the results of delegation processing.

Delegation Request

Each delegation request is a JSON string that contains the following properties and values:

Property	Value	Required	Notes
Timestamp	When to process the request	Yes	Must be a valid time value. Can be set for a future time to scheduled the request.
Action	Action for the request	Yes	Must be one of the following approved verbs: Add, Remove, Repalce, Clear
Path	OU targetted by the request	Yes	Must be an OU under the Department's OU.
Principal	AD group in the delegation	Yes	Must be either: an Active Directory security group. * (asterisk) when Action is Clear.
Delegation	Permissions for request	Yes	Must be either: one of the standard delegations: <link to delegations page> * (asterisk) when Action is Clear.
RequestedBy	EID submitting the request	Yes	Must be the EID submitting the request. Validated against the Department's Owners group.
RequestedFor	EID requesting the delegation	No	The EID who requested the delegation from the owner. Optional

Delegation Results

Each delegation result is a JSON string that contains the following properties and values:

Property	Value	Notes
Timestamp	When the request was processed	The time when the script processed the request.
Request	The original delegation request	The original JSON string from the request attribute
Success	True or False	True if the request was processed successfully. False otherwise.
Error	Present when Success is False	Contains the reason the request could not be processed as submitted.