
Dynamic Access Control (DAC)

Dynamic Access Control (DAC) was introduced with Microsoft Windows Server 2012. It is a new approach to simplify the process of authorization assignment in large environments.

DAC establishes business rules as the central control mechanism. These rules define the users' authorization claims to resources (files and folders) based on the classification of those resources.

FirstAttribute supports you in creating an authorization concept with Dynamic Access Control and in meeting the requirements for DAC.
We help you with:

  • the preparation of your infrastructure
  • the standardization of your Active Directory data for the uniform claim definition
  • the establishment of centralized access rules and classification properties.


Dynamic Access Control - Permission Management

Initial Situation

Authorization assignment in large file systems is often organized through resource groups and role groups. A resource group is granted a specific authorization (e.g. write) to a defined folder resource (e.g. accounting data). A role group that contains all accounting employees is then added to this resource group, which defines the role of "Accounting employee". A clean naming concept is very important for the large number of groups that result.

This approach must be strictly adhered to. Otherwise you will easily lose track of the effective rights.
In practice, this raises a number of challenges and is often difficult to implement.

The administration of groups and permissions can be a significant amount of work for the help desk. It requires careful consultation with the data controller and the rights holders. All authorization actions are performed directly on the file system or in groups.


The DAC approach

"Dynamic Access Control" offers a new way of managing permissions. Rules are defined that link the users' claims to the data classifications. Permissions to resources are then assigned based on these rules.


"If the department of a user (Active Directory - Department) is equal to the departmental classification of the source folder, the user will get write permission to the folder."

Access rules can combine different claims logically and can also include group memberships, so special cases can be managed as well.
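The department rule quoted above could be defined as follows. This is an added example, not FirstAttribute's or Microsoft's own script: the rule and policy names are hypothetical, the built-in Department resource property (Department_MS) is assumed, and "write" is expressed as the Modify access mask.

```powershell
# Added example. Run with the ActiveDirectory module against a domain
# that has at least one Server 2012 domain controller.
Import-Module ActiveDirectory

# 1. User claim filled from the Active Directory "department" attribute.
$claim = New-ADClaimType -DisplayName 'Department' `
                         -SourceAttribute 'department' -PassThru

# 2. Enable the built-in Department classification property and publish it
#    so that file servers can tag folders with it.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
                                 -Members 'Department_MS'

# 3. The rule only targets resources that carry a department classification.
$resourceCondition = '(Exists @RESOURCE.Department_MS)'

# 4. Conditional ACE (XA): authenticated users get Modify (0x1301bf, which
#    includes write) only when their department claim matches the folder's
#    classification. Department_MS is multi-valued, hence Any_of instead of ==.
#    Owner, Administrators and SYSTEM keep full access.
$match = "(@USER.$($claim.Name) Any_of @RESOURCE.Department_MS)"
$acl   = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
         "(XA;;0x1301bf;;;AU;$match)"

# Rule name is hypothetical.
New-ADCentralAccessRule -Name 'Department Match Rule' `
                        -ResourceCondition $resourceCondition `
                        -CurrentAcl $acl

# 5. Bundle the rule into a central access policy (hypothetical name).
#    The policy still has to be distributed to the file servers via
#    Group Policy and selected on the target folders.
New-ADCentralAccessPolicy -Name 'Department Data Policy'
Add-ADCentralAccessPolicyMember -Identity 'Department Data Policy' `
                                -Members 'Department Match Rule'
```

A user whose department attribute is empty or spelled differently from the folder classification does not match the condition, which is why standardized Active Directory data matters for this kind of rule.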


Screenshot: "Dynamic Access Control" creating rules


Data Classification

The data controller determines how the data is classified. The classification properties are defined centrally and are therefore available everywhere in the Active Directory domain.

In addition, files can be automatically classified according to their content. If a file contains certain keywords, it is automatically classified as "Confidential". A rule could then only allow access for internal employees on company computers.


Screenshot: DAC data classification in the explorer



The Active Directory user attributes from which the claims are filled can still be administered centrally or managed by an identity management system. Of course, you can delegate the responsibility for certain user attributes to the responsible department. A well-maintained and standardized Active Directory is an important prerequisite for the successful implementation of "Dynamic Access Control".

FirstAttribute can support you here with tools, concepts and years of experience in Active Directory management.

The rules will also be centrally managed and distributed to all file servers.
This has the great advantage that at any time you have an immediate overview of all authorization rules. The same rules can of course also be used for auditing purposes.


DAC Requirements

The first requirement for using "Dynamic Access Control" is a Windows 2012 file server.

Furthermore, at least one Server 2012 domain controller must be available in the domain to issue the claim-based user token.

Some features of "Dynamic Access Control" are available only with Windows 8 workstations (e.g. device claims).


Alternative for Server 2008

Those who do not meet the requirements today can take the first step towards "Claim-based Authorization Management" in another way. With FirstWare DynamicGroup you can automatically fill groups with users based on their Active Directory attributes. With these groups, you can then assign permissions to the appropriate resources.

Ask us about AD Automation.
We advise you on all matters relating to authorization management and Active Directory management.

Links to Dynamic Access Control:


Microsoft Windows Server Blog


©2019 FirstAttribute AG - All rights reserved.
