2.7.1.4 Delete a Directory Object - Client Application

An administrator can perform maintenance on an Active Directory system by removing objects that are no longer needed by the applications on the client. To achieve this, an administrator launches the client application to interact with the Active Directory system. The client application establishes a connection to the Active Directory system. The administrator performs a delete operation on an existing directory object (not a leaf object).

Goal

Delete a directory object from the Active Directory system.

Context of Use

An administrator wants to delete an existing directory object.

Figure 10: Use case diagram for deleting a directory object

Supporting Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to delete an object, and relays the response to the administrator.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity. This is done so that access control decisions can be made by the Active Directory system.

  • Directory server

    The directory server is the supporting actor that receives the deletion request and deletes the directory object.

Stakeholders

  • Administrator

    The administrator initiates operations on the application directory object such as create, search, modify, and delete. The administrator primarily wants to receive information that the operations are successfully completed or receive an error message if they failed.

  • Directory

    The directory is the entity that contains the object being deleted.

Preconditions

  • The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.

  • The client application has access to a directory server to which it can establish a connection, if it is not already connected, and send the request.

  • The directory object to be deleted exists in the Active Directory system.

Main Success Scenario

  1. Trigger: The administrator initiates the delete operation by providing the name of the directory object to delete, along with credentials, to the client application. The administrator then selects the directory object to delete and submits the deletion request to the Active Directory system.

  2. The client application establishes a connection to the directory server. Windows Authentication Services authenticates the client application using the supplied credentials ([MS-AUTHSOD] section 2).

  3. The client application sends a delete request to the directory server to delete the specified directory object.

  4. The directory server verifies that the credentials supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).

  5. The directory server deletes the object that the client specified and makes any additional modifications that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.5).

  6. The directory server sends a response to the client application that the deletion was successfully completed.

Postcondition

The directory object is no longer available.

Extensions

  • If the client application attempted to delete a non-leaf directory object:

    1-5. Same as Main Success Scenario.

    6. The directory server sends a response to the client application that it cannot delete a non-leaf object ([MS-ADTS] section 3.1.1.5.5.5).

  • If the client application attempted to delete a directory object that is owned by the system ([MS-ADTS] section 3.1.1.5.5.3):

    1-5. Same as Main Success Scenario.

    6. The directory server sends a response to the client application that it cannot perform the operation.
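The request in step 3 and the response in step 6 of the scenario above are LDAP DelRequest and DelResponse messages (RFC 4511). The following added example, which is not Microsoft's code, encodes and decodes them with a minimal hand-rolled BER codec and maps the server's result code to the outcomes this use case lists. The mapping of result codes to steps and extensions (insufficientAccessRights for step 4, notAllowedOnNonLeaf and unwillingToPerform for the two extensions) is my reading of RFC 4511 and [MS-ADTS], and every function name and sample value here is mine.

```python
# RFC 4511 result codes for the outcomes this use case describes
SUCCESS, INSUFFICIENT_ACCESS_RIGHTS, UNWILLING_TO_PERFORM, NOT_ALLOWED_ON_NON_LEAF = 0, 50, 53, 66
# BER tags: SEQUENCE, INTEGER, OCTET STRING, ENUMERATED, DelRequest [APPLICATION 10], DelResponse [APPLICATION 11]
TAG_SEQ, TAG_INT, TAG_STR, TAG_ENUM, TAG_DEL_REQUEST, TAG_DEL_RESPONSE = 0x30, 0x02, 0x04, 0x0A, 0x4A, 0x6B
OUTCOMES = {  # step or extension of the use case that each code corresponds to (my mapping)
    SUCCESS: "deleted (step 6)",
    INSUFFICIENT_ACCESS_RIGHTS: "denied by the access-control check (step 4)",
    NOT_ALLOWED_ON_NON_LEAF: "refused: object is not a leaf (extension 1)",
    UNWILLING_TO_PERFORM: "refused: server unwilling, e.g. system-owned object (extension 2)",
}
def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value; long-form length for 128 bytes and up."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value

def _read_tlv(buf: bytes, pos: int):  # -> (tag, value, position just past the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _message(message_id: int, op: bytes) -> bytes:  # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
    return _tlv(TAG_SEQ, _tlv(TAG_INT, mid) + op)

def build_del_request(message_id: int, dn: str) -> bytes:
    """Client side (step 3): DelRequest ::= [APPLICATION 10] LDAPDN."""
    return _message(message_id, _tlv(TAG_DEL_REQUEST, dn.encode("utf-8")))

def build_del_response(message_id: int, code: int, diag: str = "") -> bytes:
    """Server side (step 6): DelResponse ::= [APPLICATION 11] LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    result = _tlv(TAG_ENUM, bytes([code])) + _tlv(TAG_STR, b"") + _tlv(TAG_STR, diag.encode("utf-8"))
    return _message(message_id, _tlv(TAG_DEL_RESPONSE, result))

def parse_del_response(data: bytes) -> dict:
    """Decode the server's DelResponse and name the use-case outcome it signals."""
    tag, body, _ = _read_tlv(data, 0)
    _, mid, pos = _read_tlv(body, 0)
    op_tag, result, _ = _read_tlv(body, pos)
    if tag != TAG_SEQ or op_tag != TAG_DEL_RESPONSE: raise ValueError("not an LDAPMessage carrying a DelResponse")
    _, code, pos = _read_tlv(result, 0)           # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(result, pos)  # matchedDN, not needed here
    _, diag, _ = _read_tlv(result, pos)           # diagnosticMessage
    code = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": code,
            "diagnostic": diag.decode("utf-8"), "summary": OUTCOMES.get(code, f"failed, result code {code}")}
```

A client built this way can tell the administrator exactly which check refused the deletion (the access-control step, the non-leaf constraint, or a system-owned object) instead of reporting a generic failure.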