Dynamic Access Control (DAC)
Dynamic Access Control (DAC) was introduced
with Microsoft Windows Server 2012. It is a new approach to simplify the
process of authorization assignment in large
DAC establishes business rules as a central
system of control. These rules define the users' authorization claims to
resources (files / folders) based on the resources
FirstAttribute helps you create an authorization concept with
Dynamic Access Control, and also to meet the requirements for
We help you with
- the preparation of your infrastructure
- the standardization of your Active Directory data for the
uniform claim definition
- the establishment of centralized access rules and classification properties.
Dynamic Access Control - Permission Management
Authorization assignment in large file
systems is often organized through the use of resource and
role groups. In each case, a specific authorization (e.g. write) on
a defined folder resource (e.g. accounting data) is granted to a
resource group. A role group that contains all accounting employees
is then added to this resource group, and thus defines the role
of "Accounting employee". A clean naming concept is very important
for the large number of groups that result from this.
This approach must be strictly adhered to. You will easily lose
track of the effective rights if you do not.
In practice there are a number of challenges that often make this
difficult to implement.
The administration of groups and permissions
can be a significant amount of work for the help
desk. It requires careful consultation with the data
controller and the right holders. All authorization actions are
performed directly on the file system or in groups.
"Dynamic Access Control" offers a new way of permission
management here. Rules are defined to link the claims to the data
classifications. Based on that permissions to resources are
"If the department of a user (Active Directory - Department) is
equal to the departmental classification of the source
folder, the user will get write permission to the folder."
Access rules can link different claims logically and also include
group memberships. So special cases can be managed as well.
Screenshot: "Dynamic Access Control" creating rules
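The department rule quoted above could be set up as a central access rule with the ActiveDirectory PowerShell module roughly as follows. This is an added example, not FirstAttribute's own code; the rule and policy names, the Modify access mask standing in for "write", and the full-control entries for owner, administrators and SYSTEM are assumptions.

```powershell
# Added example. Run with the ActiveDirectory module (RSAT) against a
# domain that has at least one Server 2012 domain controller.
Import-Module ActiveDirectory

# 1. User claim filled from the AD "department" attribute.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department'

# 2. Enable the built-in "Department" classification property and publish
#    it so file servers can offer it when folders are classified.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Department_MS'

# 3. Read the identifiers back instead of typing them: the claim type's
#    name is generated by Active Directory.
$claim = Get-ADClaimType -Identity 'Department'
$prop  = Get-ADResourceProperty -Identity 'Department_MS'

# 4. SDDL for the rule. Owner, Administrators and SYSTEM keep full control
#    (an assumption for this example). The conditional ACE (XA) grants
#    Authenticated Users Modify (0x1301bf) only when the user's department
#    claim equals the folder's department classification.
$condition = "(@USER.$($claim.Name) == @RESOURCE.$($prop.Name))"
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       "(XA;;0x1301bf;;;AU;$condition)"

# 5. Scope the rule to folders that actually carry a department
#    classification. 'Department Match Rule' is a hypothetical name.
New-ADCentralAccessRule -Name 'Department Match Rule' `
    -ResourceCondition "(Exists @RESOURCE.$($prop.Name))" `
    -CurrentAcl $acl

# 6. Bundle the rule into a policy (hypothetical name). Publishing the
#    policy to file servers is done through Group Policy and is not shown.
New-ADCentralAccessPolicy -Name 'Department Access Policy'
Add-ADCentralAccessPolicyMember -Identity 'Department Access Policy' `
    -Members 'Department Match Rule'
```

Because the condition compares two attributes instead of naming a group, a user whose department attribute changes gains or loses access without any group membership being edited, which is why the accuracy of that attribute becomes security-relevant.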
The data controller determines how the data is
classified. The classification properties are defined
centrally and are thus available everywhere in the Active Directory
In addition, files can be automatically classified according to
their content. If a file contains certain keywords, it is
automatically classified as "Confidential". A rule could then only
allow access for internal employees on company computers.
Screenshot: DAC data classification in the explorer
The Active Directory user attributes from which
the claims are filled can still be administered
centrally or managed by an identity management system.
Of course you can delegate the responsibility for certain user
attributes to the responsible department. A well maintained and
standardized Active Directory is an important prerequisite for the
successful implementation of "Dynamic Access Control".
FirstAttribute can support you here with tools, concepts and
years of experience in the Active Directory
The rules will also be centrally managed and distributed to all
This has the great advantage that at any time you have an
immediate overview of all authorization rules. The same rules can
of course also be used for auditing purposes.
The first requirement for using "Dynamic Access Control" is
a Windows 2012 File Server.
Furthermore, at least one Server 2012 domain
controller must be available in the domain to
issue the claim-based user token.
Some features of "Dynamic Access Control" are
available only with Windows 8 workstations (e.g.
Alternative for Server 2008
Those who do not meet the requirements today can take the first
step to "Claim-based Authorization Management" in
another way. With FirstWare DynamicGroup you can
automatically fill groups with users based on their Active
Directory attributes. With these groups, you can then assign
permissions to the appropriate resources.
Ask us about AD
We advise you on all matters relating to the issues of
authorization management and Active Directory management