2.7.1.3 Modify a Directory Object - Client Application

A common activity for an administrator is to modify objects. Timely updates on these directory objects ensure that the data in the system is current, which enables the Active Directory system to function correctly. To achieve this, the administrator launches the client application to interact with the Active Directory system. The client application establishes a connection to the Active Directory system. The administrator uses the client application to modify an existing directory object.

Goal

Modify a directory object in the Active Directory system.

Context of Use

An administrator wants to modify attributes of existing directory objects.

Figure 9: Use case diagram for modifying a directory object

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the modification request, and relays the response to the administrator.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity. This is done so that access control decisions can be made by the Active Directory system.

  • Directory server

    The directory server is the supporting actor that receives the modification request and modifies the directory object.

Stakeholders

  • Administrator

    The administrator initiates operations such as create, search, modify, and delete on the application directory object. The administrator primarily wants confirmation that the operations completed successfully, or an error message if they failed.

  • Directory

    The directory is the entity that contains the object that is being modified.

Preconditions

  • The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.

  • The client application has access to a directory server to which it can establish a connection, if it is not already connected, and send the request.

  • The directory object to be modified exists in the Active Directory system.

Main Success Scenario

  1. Trigger: To initiate the modify operation, the administrator provides the name of the directory object to modify as input to the client application, along with credentials. The information provided by the administrator includes the attribute(s) being modified on the object and the list of modifications to be made to those attributes.

  2. The client application establishes a connection to the directory server. Windows Authentication Services authenticates the client application using the supplied credentials ([MS-AUTHSOD] section 2).

  3. The client application sends a modify request to the directory server to make the appropriate modifications on the directory object.

  4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).

  5. The directory server modifies the object, as specified by the client application, and makes any additional modifications that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1, 3.1.1.5.3, and 3.1.1.5.4).

  6. The directory server sends a response to the client application indicating that the modifications were successfully completed.

Postconditions

The directory object is modified.

Extensions

  • There are multiple failure scenarios when the administrator modifies a directory object in the Active Directory system. The operation has to be validated against the server's processing rules and constraints, as described in [MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.3.
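The modify request of step 3 and the response of step 6, including a failure response of the kind the extension describes, are shown below as an added example that is not part of the original specification. It assumes the request travels as an LDAP v3 ModifyRequest encoded in BER (RFC 4511); the helper names are hypothetical, and every DN, attribute value and message ID used with them is constructed.

```python
# Added example. Assumes LDAP v3 (RFC 4511) on the wire; DNs, values and IDs are constructed.
OPS = {"add": 0, "delete": 1, "replace": 2}
RESULTS = {0: "success", 19: "constraintViolation", 32: "noSuchObject", 50: "insufficientAccessRights"}

def tlv(tag, value):
    n = len(value)
    if n < 0x80:  # short form: one length octet
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form
    return bytes([tag, 0x80 | len(size)]) + size + value

def ber_int(tag, n):  # non-negative INTEGER/ENUMERATED, sign bit kept clear
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def modify_request(msg_id, dn, changes):
    """Client, step 3 (0x66 = [APPLICATION 6]). changes: (operation, attribute, [values])."""
    seq = b""
    for op, attr, values in changes:
        vals = b"".join(tlv(0x04, v.encode()) for v in values)
        partial = tlv(0x30, tlv(0x04, attr.encode()) + tlv(0x31, vals))
        seq += tlv(0x30, ber_int(0x0A, OPS[op]) + partial)
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x66, tlv(0x04, dn.encode()) + tlv(0x30, seq)))

def modify_response(msg_id, code, diagnostic=""):
    """Server, step 6 (0x67 = [APPLICATION 7]): LDAPResult with an empty matchedDN."""
    result = ber_int(0x0A, code) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x67, result))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length octets
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + n], pos + n

def parse_modify_response(msg):
    """Client: return (message ID, result name, diagnostic message)."""
    _, envelope, _ = read_tlv(msg)
    _, msg_id, pos = read_tlv(envelope)
    tag, result, _ = read_tlv(envelope, pos)
    if tag != 0x67:
        raise ValueError("not a ModifyResponse")
    _, code, pos = read_tlv(result)
    _, _, pos = read_tlv(result, pos)  # matchedDN, not needed here
    _, diagnostic, _ = read_tlv(result, pos)
    code = int.from_bytes(code, "big")
    return int.from_bytes(msg_id, "big"), RESULTS.get(code, str(code)), diagnostic.decode()
```

A response carrying `insufficientAccessRights` corresponds to the access-control check of step 4 rejecting the request, while `constraintViolation` corresponds to the server's processing rules and constraints rejecting it.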