Summary

The Request By Attribute process allows a department administrator to request protected actions in the Austin Active Directory by crafting the request as a JSON string then adding the request to an attribute on the department's Administrative organizational unit (OU).

Overview

The Request By Attribute process is comprised of the following parts: the request string, the requests attribute, the request script, the request task, the result string, the results attribute.

• The request string is a JSON string that contains the required properties and values for the request. A department administrator creates the JSON string manually or via a PowerShell script published by the Active Directory team.
• The requests attribute is a multi-valued attribute on a department's Administrative OU. A department administrator adds the request string to the requests attribute to submit the request. The attribute can contain multiple request strings.
• The request script is the PowerShell script that processes the requests and performs the requested actions. The request script removes the request string from the requests attribute when processing a request.
• The request task is the scheduled task that starts the request script every hour. The request task can be run manually by the Active Directory to expedite a request.
• The result string is a JSON string that contains the results of processing the request along with the original request string. The request process creates the result string and appends any errors encountered during processing to the result string.
• The results attribute is a multi-valued attribute on a department's Administrative OU. The request process adds the result string to the results attribute to report the outcome of the request to the department.

Organizational Units

The Request By Attribute process is centered around each department's Adminstrative OU. Each department in Active Directory has an Administrative OU that contains the resources managed by the Department User Tools such as department user accounts and the department's Department Adminstrators group.

• The distinguished name of the Administative OU for the EXAMPLE department would be: OU=EXAMPLE,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu
• The name of the Department Administrators group for the EXAMPLE department would be: EXAMPLE-Administrators

Attributes

The Request By Attribute process leverages the requests attribute and results attribute on each department's Administrative OU object. The attributes are confidential and cannot be accessed by default.

• The requests attribute for a department is the utexasEduAustinMulti1 attribute on the department's Administrative OU. The members of the department's Department Administrators group can read and write the attribute to submit or cancel requests for processing.
• The results attribute for a department is the utexasEduAustinMulti2 attribute on the department's Administrative OU. The members of the department's Department Administrators group can read the attribute to review the results of any processed requests.

Request Types

The Request By Attribute process is designed to support different types of protected actions. Each protected action is defined as a request type and documented below. The supported requests are available for use and supported by the Active Directory team. The planned requests are in development and will be available at a future time. Departments can submit suggestions for additional request types to the Active Directory team via the UT Service Desk.

Supported requests

The Request By Attribute process currently supports the following request types:

• Delegations - Department administrators can request changes to permissions on organizational units within a department. This process has previously been available only via a ServiceNow request.

Planned requests

The Request By Attribute process is expected to support the following request types in the future:

• DNS - Department administrators can request simple changes to DNS records associated with the department. This process will be limited to DNS records that begin with a department prefix.

Scripts

The Active Directory team maintains a set of PowerShell scripts at https://github.austin.utexas.edu/eis1-aad/RequestsByAttribute to assist department administrators with this process.

The scripts below apply to all request types. See the pages above for the scripts specific to a request type.

• Get-ADRequests.ps1 - displays any outstanding requests for a department
• Get-ADResults.ps1 - displays any completed requests for a department
• Show-ADRequestValues.ps1 - displays the properties and values supported for each request type