Microsoft Training White Paper: Dynamic Access Control: Beyond NTFS Permissions
Dynamic Access Control is a feature worth knowing if you have ever had to jump through hoops, creating security groups or folder hierarchies, to control file system access the way you wanted. You can start with the built-in Active Directory attributes and resource properties, then create access control rules that meet your specific needs. The promise that File Classification Infrastructure held out in 2009 has become a practical reality: it can be used to build almost any access control scheme you can imagine.
Windows Server 2012 Dynamic Access Control lets you manage document access in ways that go beyond traditional NTFS file system permissions, for example granting Engineering department employees in Denver read-only access to files related to the Wind Turbine project.
I. Overview of Dynamic Access Control
File Classification Infrastructure (FCI) lets organizations define and use file properties, classification rules that assign those properties to files, and file management tasks driven by them.
Administrators first got FCI in Windows Server 2008 R2 as a new node, Classification Management, within File Server Resource Manager (FSRM). FCI offered a new way to back up, secure, archive, and report on files.
FCI felt somewhat half-baked when it was first introduced: interesting conceptually, but limited in its tooling and application. Windows Server 2012 takes classification management to a new level, focuses it on access control, and gives it a new name: Dynamic Access Control (DAC).
This paper shows you the nuts and bolts of the subject by working through a scenario.
The engineers in Denver are no longer working on my company's Wind Turbine project. I don't want them to be able to modify the project documents; they should only read them.
DAC lets me do this without creating a single security group!
NTFS permissions can restrict file access by only two criteria:
User identity (a capability that is rarely used in practice, because per-user entries are hard to manage)
Membership in a security group
Group-based access control is very useful, especially given the administrative convenience of nesting groups within other groups (role groups within rule groups), but many organizations would prefer to control file access by other criteria, such as department, location, or project. For them, the group-only model is a disadvantage.
Organizations have tried to encode such criteria into security group architectures, with mixed results: because NTFS permissions key only on user and group identities, every combination of department, location, and project has to become its own group, and the groups never quite express the intended condition.
DAC gets its new flexibility by building on the FCI concept.
DAC uses FCI to control resource access, not just file management operations.
DAC leverages Active Directory user and computer (device) attributes, which in DAC terminology become claims: assertions about the user or device that the domain controller places in the Kerberos ticket, so they are evaluated alongside group memberships when a file is opened.
DAC lets us create file attributes of our own design (classification properties in Server 2008 R2 lingo, resource properties in DAC-speak) or use the built-in ones provided by Microsoft.
DAC lets you create custom central access rules, combine them into central access policies, and use Group Policy to deliver those policies to file servers throughout the domain.
Lastly, DAC provides access-denied assistance: users who are denied access by one or more of these rules can be told why, and how to request access.
DAC does not replace NTFS permissions or share permissions; it adds another type of access control on top of them. A central access policy is one more gate the user must pass: access is granted only if the share permissions, the NTFS permissions, and the central access policy all allow it.
You can also use DAC with Windows security
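The Denver scenario, carried through with the components listed above (two claims, a resource property, a central access rule, a central access policy, and the file-server classification that feeds the rule), as an added example that is not part of the original white paper. It assumes a lab domain in which the user attributes department and l hold "Engineering" and "Denver", a document folder D:\Projects\WindTurbine on the file server, and the display names used in the script; the claim and resource-property IDs are read back from the objects the cmdlets return rather than hard-coded, because the cmdlets generate them.

```powershell
# Added example (not from the white paper): the Wind Turbine scenario built
# from the DAC pieces listed above. Assumed lab names: user attributes
# "department" and "l" (city) holding "Engineering" and "Denver", a document
# folder D:\Projects\WindTurbine, and the display names used below.
# Part 1 runs on a domain controller with the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Claim types: publish two user attributes as claims. The claim ID is
#    generated by the cmdlet, so keep the returned objects and reuse the ID.
$deptClaim = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -Enabled $true -PassThru
$locClaim  = New-ADClaimType -DisplayName "Location"   -SourceAttribute "l"          -Enabled $true -PassThru

# 2. Resource property: a single-valued choice that file servers stamp on
#    documents. It is usable in rules only when it is secured and listed in
#    the Global Resource Property List, which FSRM downloads.
$choices = @(
    (New-ADSuggestedValueEntry -Value "WindTurbine" -DisplayName "Wind Turbine" -Description "Wind Turbine project files"),
    (New-ADSuggestedValueEntry -Value "Other"       -DisplayName "Other"        -Description "All other project files")
)
$project = New-ADResourceProperty -DisplayName "Project" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $choices -PassThru
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Project"

# 3. Central access rule. The resource condition scopes the rule to Wind
#    Turbine documents; the ACL gives Denver engineering Read & Execute and
#    everyone else Modify. No security group is involved.
$denverEng    = '(@USER.{0} == "Engineering" && @USER.{1} == "Denver")' -f $deptClaim.ID, $locClaim.ID
$everyoneElse = '(@USER.{0} != "Engineering" || @USER.{1} != "Denver")' -f $deptClaim.ID, $locClaim.ID
# Caveat: a user whose department or l attribute is empty carries no claim,
# so both conditions evaluate to "unknown" and both conditional ACEs are
# skipped. That user matches nothing in the rule and the CAP denies access.
# 0x1200a9 = Read & Execute, 0x1301bf = Modify (standard NTFS rights masks).
$ruleAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
           ('(XA;;0x1200a9;;;AU;{0})' -f $denverEng) +
           ('(XA;;0x1301bf;;;AU;{0})' -f $everyoneElse)
New-ADCentralAccessRule -Name "Wind Turbine Documents Rule" `
    -ResourceCondition ('(@RESOURCE.{0} == "WindTurbine")' -f $project.ID) `
    -CurrentAcl $ruleAcl

# 4. Central access policy: the unit that Group Policy publishes to file
#    servers. A rule can be a member of several policies.
New-ADCentralAccessPolicy -Name "Wind Turbine Policy"
Add-ADCentralAccessPolicyMember -Identity "Wind Turbine Policy" -Members "Wind Turbine Documents Rule"

# 5. Feed the claims: Set-ADUser -City writes the "l" attribute. Claims ride
#    in the Kerberos ticket, so a user sees the new claims only after logging
#    on again (check with: whoami /claims).
Set-ADUser -Identity "alice" -Department "Engineering" -City "Denver"

# Part 2 runs on the file server with the FSRM module, once Group Policy has
# delivered the policy (Computer Configuration > Policies > Windows Settings >
# Security Settings > File System > Central Access Policy) and the DCs have
# "KDC support for claims, compound authentication and Kerberos armoring".
Import-Module FileServerResourceManager
Update-FsrmClassificationPropertyDefinition          # pull resource properties from AD
$propName = (Get-FsrmClassificationPropertyDefinition | Where-Object DisplayName -eq "Project").Name
# Folder classifier: every file under the namespace gets Project = WindTurbine.
New-FsrmClassificationRule -Name "Tag Wind Turbine documents" `
    -Namespace @("D:\Projects\WindTurbine") `
    -ClassificationMechanism "Folder Classifier" `
    -Property $propName -PropertyValue "WindTurbine"
Start-FsrmClassification
# The last step is still manual: folder Properties > Security > Advanced >
# Central Policy, select "Wind Turbine Policy". Effective access is the
# intersection of share permissions, NTFS permissions, and this policy.
```

Two points are easy to miss when testing. First, the rule grants nothing that NTFS does not already grant, so the Denver engineers keep whatever Modify permission their existing group gives them at the NTFS layer and are cut back to Read & Execute only by the central access policy; if the policy is not applied to the folder, nothing changes. Second, the "everyone else" entry relies on the user having both claims; a user with an empty department or l attribute matches neither conditional entry and is denied, which is why populating the source attributes is part of the rollout, not an afterthought.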