myriAD

myriAD is a REST API for Microsoft Active Directory that provides a fully featured, RBAC-enabled JSON interface to AD.

Overview

The myriAD Active Directory REST API is designed to provide an interface to manage AD objects, and is suitable for integration in service oriented architectures (SOA), enterprise applications, support workflows, or basic utility scripts.


AD Data Consumption Model

AD objects can be accessed in two ways: 1) native object access, such as security principals, OUs, GPOs, etc., or 2) embedded workflow scripts.

Summary of Native Object Access for User Objects

  • Base URI: /myriad/user
  • Supports: Create, Update, Delete for User security principal objects, plus group membership updates.
  • DACL: self-update, inherited permissions.
  • Identified by Name, DistinguishedName, UserPrincipalName, sAMAccountName, SId, or GUID
  • Example: HTTP GET
    • http://{host:port}/myriad/user/user0 (by Name)
    • http://{host:port}/myriad/user/CN=user0,OU=Synapse,DC=sandbox,DC=local (by DistinguishedName)
    • http://{host:port}/myriad/user/user1@sandbox.local (by UserPrincipalName)
    • http://{host:port}/myriad/user/user2 (by sAMAccountName)
    • http://{host:port}/myriad/user/S-1-5-21-4054027134-3251639354-3875066094-1659 (by SId)
    • http://{host:port}/myriad/user/545149c9-323a-4083-ad02-68022dd324b0 (by GUID)
    • JSON GET Response for User Object

Summary of Native Object Access for Group Objects

  • Base URI: /myriad/group
  • Supports: Create, Update, Delete for Group security principal objects, plus group membership updates.
  • DACL: ManagedBy, inherited permissions.
  • Identified by Name, DistinguishedName, sAMAccountName, SId, or GUID
  • Example: HTTP GET
    • http://{host:port}/myriad/group/MyGroup (by Name)
    • http://{host:port}/myriad/group/CN=MyGroup,OU=Synapse,DC=sandbox,DC=local (by DistinguishedName)
    • http://{host:port}/myriad/group/MyGroupSam (by sAMAccountName)
    • http://{host:port}/myriad/group/S-1-5-21-4054027134-3251639354-3875066094-1660 (by SId)
    • http://{host:port}/myriad/group/e74156dd-6cbb-41bf-a31d-b1861fe04fe0 (by GUID)
    • JSON GET Response for Group Object

Summary of Native Object Access for Organizational Unit (OU) Objects

  • Base URI: /myriad/ou
  • Supports: Create, Update, Delete for Organizational Unit objects
  • DACL: specified permissions, inherited permissions
  • Identified by Name, DistinguishedName, or GUID
  • Example: HTTP GET
    • http://{host:port}/myriad/ou/DeleteMe (by Name)
    • http://{host:port}/myriad/ou/ou=DeleteMe,ou=Synapse,dc=sandbox,dc=local (by DistinguishedName)
    • http://{host:port}/myriad/ou/faac53bd-e614-4b0e-9543-9a08d878fdaf (by GUID)
    • JSON GET Response for Organizational Unit (OU) Object
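As an added illustration (not code from the myriAD project), the helper below classifies an identifier as one of the lookup keys listed above (DistinguishedName, GUID, SId, UserPrincipalName, or a plain Name/sAMAccountName), checks that the key is supported for the target object type, and builds the GET URI. The base URL is assumed to be the {host:port} placeholder from the examples; Name and sAMAccountName cannot be told apart syntactically, so both are treated as "name".

```python
import re
from urllib.parse import quote

# Lookup keys each object type accepts, taken from the summaries above.
SUPPORTED = {
    "user":  {"dn", "guid", "sid", "upn", "name"},
    "group": {"dn", "guid", "sid", "name"},
    "ou":    {"dn", "guid", "name"},
}

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_DN_RE = re.compile(r"^(?:cn|ou|dc)=.+", re.IGNORECASE)
_UPN_RE = re.compile(r"^[^@\s,=/]+@[^@\s,=/]+\.[^@\s,=/]+$")


def classify(identifier: str) -> str:
    """Return the lookup key an identifier looks like: sid, guid, dn, upn or name."""
    if _SID_RE.match(identifier):
        return "sid"
    if _GUID_RE.match(identifier):
        return "guid"
    if _DN_RE.match(identifier):
        return "dn"
    if _UPN_RE.match(identifier):
        return "upn"
    return "name"  # Name or sAMAccountName; the API resolves whichever matches


def build_get_url(base: str, object_type: str, identifier: str) -> str:
    """Build http://{host:port}/myriad/<type>/<identifier> for a supported key.

    base is an assumed placeholder such as "http://localhost:8080".
    """
    if object_type not in SUPPORTED:
        raise ValueError(f"unknown object type: {object_type}")
    kind = classify(identifier)
    if kind not in SUPPORTED[object_type]:
        raise ValueError(f"/myriad/{object_type} cannot be addressed by {kind}")
    # '=' and ',' stay literal so a DN remains readable; everything else that is
    # not unreserved (spaces, '/', non-ASCII) is percent-encoded, so an identifier
    # containing '/' cannot alter the route segment it lands in.
    path = quote(identifier, safe="=,")
    return f"{base.rstrip('/')}/myriad/{object_type}/{path}"
```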

Embedded Workflows

The myriAD ADAPI is built on Synapse and supports embedding an entire workflow, which can be coded in a variety of languages. Embedded workflows are best used to support highly repeatable, compound functions with multiple AD-dependent steps.

Security Design

Best-practice security design makes objects accessible under a discretionary access control list (DACL) model, meaning each object is directly permissioned with the security principals allowed to act on it. This implies that any tooling of choice may be used to manipulate allowed objects; the ADAPI provides a data-driven implementation of convenience, and is guaranteed to meet implementation standards for audit, logging, etc. In an enterprise setting, a typical implementation would populate the DACL via an entitlements-based RBAC-grant process, with myriAD participating in an SOA.

myriAD supports the DACL-based RBAC approach described above, but also provides an interface for custom role providers via RoleManagers. Thus, if you don't want to use the built-in DaclRoleManager, you can implement your own security store to abstract AD object access permissions. Separately, embedded workflow scripts are serviced by the native myriAD (Synapse) RBAC and permissioned accordingly. A typical implementation would use these for dedicated requirements.

Technical Structure

Directory Services and LDAP Core Library

All technical capability is housed in a .NET library, which contains the POCOs, worker classes, and utility methods. Unit tests exercise these objects/classes. The REST API is a simple wrapper on the Directory Services/LDAP core library: it provides the URI structure, JSON payloads/responses, and logging.