Dynamic Access Control (DAC)
Dynamic Access Control (DAC) was introduced with Microsoft Windows Server 2012. It is a new approach that simplifies the assignment of authorizations in large environments.
DAC establishes business rules as a central point of control. These rules grant users access to resources (files and folders) based on claims about the user and on the classification of the resource.
FirstAttribute supports you in creating an authorization concept with Dynamic Access Control and in meeting the requirements for DAC.
We help you with
- the preparation of your infrastructure
- the standardization of your Active Directory data for a uniform claim definition
- the establishment of centralized access rules and classification properties.
Dynamic Access Control – Permission Management
Authorization assignment on large file systems is often organized with resource groups and role groups. A resource group grants one specific permission (e.g. write) on one defined folder (e.g. accounting data). A role group that collects all accounting employees is then added to this resource group, and so defines the role "Accounting employee". A clean naming concept for the large number of groups this produces is very important.
This approach must be adhered to strictly; otherwise you quickly lose track of the effective permissions.
In practice there are a number of challenges that are often difficult to handle.
Administering groups and permissions can be a significant amount of work for the helpdesk. It requires careful consultation with the data owner and with the people who hold the permissions, and every authorization action is performed directly on the file system or on groups.
"Dynamic Access Control" offers a new way of managing permissions. Rules link the claims of a user to the classification of the data, and permissions on resources are granted based on these rules. For example:
"If the department of a user (Active Directory attribute Department) is equal to the department classification of the folder, the user gets write permission on the folder."
Access rules can combine different claims logically and can also include group memberships, so special cases can be handled as well.
Screenshot: “Dynamic Access Control” creating rules
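The following PowerShell is an added example (it is not from the original page and not FirstAttribute's code) showing how the rule quoted above is created with the ActiveDirectory module on a Windows Server 2012 domain controller. It assumes the predefined Department_MS resource property of the Server 2012 schema, a claim type ID ad://ext/Department chosen here, and a hypothetical group FS-Accounting-Auditors as the group-membership special case; all three are assumptions.

```powershell
# Added example: run on a Windows Server 2012 domain controller as a member of
# Domain Admins. Requires the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

# 1. User claim: fill the claim "Department" from the AD user attribute
#    "department". The ID is our own choice (assumption); it is what the
#    conditional ACE below refers to as @USER.ad://ext/Department.
New-ADClaimType -DisplayName "Department" `
    -SourceAttribute "department" `
    -ID "ad://ext/Department" `
    -AppliesToClasses @("user") `
    -Enabled $true

# 2. Resource property: the folder classification the claim is compared
#    against. Department_MS is a predefined resource property of the Server
#    2012 schema (assumption: present, but disabled until someone enables it).
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Department_MS"

# 3. Central access rule. The condition is written as SDDL with conditional
#    ACEs (type XA). Access mask 0x1301BF = Modify, 0x1200A9 = Read & Execute.
#    - authenticated users whose Department claim equals the folder's
#      Department_MS classification get Modify;
#    - members of the (hypothetical) auditors group get read access
#      regardless of department: the "special case" via group membership.
$auditorsSid = (Get-ADGroup -Identity "FS-Accounting-Auditors").SID.Value

$acl = "O:SYG:SYD:AR" +
       "(A;;FA;;;SY)(A;;FA;;;BA)" +
       "(XA;;0x1301BF;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))" +
       "(XA;;0x1200A9;;;AU;(Member_of {SID($auditorsSid)}))"

New-ADCentralAccessRule -Name "Department read-write" `
    -ResourceCondition '(Exists @RESOURCE.Department_MS)' `
    -CurrentAcl $acl

# 4. Central access policy: bundles rules. The policy (not the rule) is what
#    Group Policy distributes to the file servers and what an administrator
#    later selects on a folder under Advanced Security Settings > Central Policy.
New-ADCentralAccessPolicy -Name "Departmental data"
Add-ADCentralAccessPolicyMember -Identity "Departmental data" `
    -Members "Department read-write"

# Checks: review what was created, and on a Windows 8 / Server 2012 machine,
# logged on as a test user, confirm the claim really is in the token.
Get-ADCentralAccessRule -Filter * | Format-List Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Filter * | Format-List Name, Members
# whoami /claims      (run on the client after a fresh logon)
```

Two things bite in practice. Claims travel in the Kerberos ticket, so the domain controllers must be allowed to issue them (Group Policy "KDC support for claims, compound authentication and Kerberos armoring") and a user only gets the claim after a new logon. And a rule does not have to go live immediately: New-ADCentralAccessRule also accepts -ProposedAcl, which stages the condition and records in the file server's security log where the proposed and the current permissions would differ, which is the auditing use the page mentions.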
The data owner determines how the data is classified. The classification properties are defined centrally and are therefore available everywhere in the Active Directory domain.
In addition, files can be classified automatically according to their content. If a file contains certain keywords, it is automatically classified as "Confidential". A rule could then allow access only to internal employees on company computers.
Screenshot: DAC data classification in the explorer
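The automatic classification and the "internal employees on company computers" rule from the paragraph above, as an added example in PowerShell that is not part of the original page or of FirstAttribute's tooling. It assumes File Server Resource Manager on the Windows Server 2012 file server, the predefined Department_MS and Confidentiality_MS resource properties (with "High" stored as the ordered-list value 3000), the share path D:\Shares, the file server name FS01 and the groups Employees-Internal and Company-Computers; every one of these names and values is an assumption.

```powershell
# Added example, part 1: on the Windows Server 2012 file server. Requires the
# File Server Resource Manager role service (FileServerResourceManager module).
Import-Module FileServerResourceManager

# Pull the resource properties defined in Active Directory (Department_MS,
# Confidentiality_MS, ...) into the local classification property definitions.
Update-FsrmClassificationPropertyDefinition

# Folder classification: every file below the accounting share is tagged
# Department = Accounting (share path is hypothetical). The folder itself
# can additionally be tagged in the Classification tab in Explorer.
New-FsrmClassificationRule -Name "Tag accounting data" `
    -Namespace @("D:\Shares\Accounting") `
    -Property "Department_MS" -PropertyValue "Accounting" `
    -ClassificationMechanism "Folder Classifier"

# Content classification: a file containing one of the keywords is tagged
# Confidentiality = High. Assumption: High is stored as 3000 in the predefined
# ordered list (check with Get-ADResourceProperty Confidentiality_MS).
# Overwrite re-evaluates on every run, so a file that loses the keyword is
# downgraded again instead of staying confidential forever.
New-FsrmClassificationRule -Name "Tag confidential content" `
    -Namespace @("D:\Shares") `
    -Property "Confidentiality_MS" -PropertyValue "3000" `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("Confidential", "Vertraulich") `
    -ReevaluateProperty Overwrite

# Run the classification now instead of waiting for the schedule.
Start-FsrmClassification

# Added example, part 2: the rule that consumes the classification (run where
# the ActiveDirectory module is available). "Internal employees on company
# computers" is expressed as user group membership AND device group
# membership; both group names are hypothetical.
Import-Module ActiveDirectory
$employeesSid  = (Get-ADGroup -Identity "Employees-Internal").SID.Value
$companyPcsSid = (Get-ADGroup -Identity "Company-Computers").SID.Value

$acl = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)" +
       "(XA;;0x1200A9;;;AU;((Member_of {SID($employeesSid)}) && " +
       "(Device_Member_of {SID($companyPcsSid)})))"

New-ADCentralAccessRule -Name "Confidential only on company computers" `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == 3000)' `
    -CurrentAcl $acl

# Device_Member_of needs the device's group SIDs in the ticket (compound
# authentication). The file server must ask for it ...
Set-ADComputer -Identity "FS01" -CompoundIdentitySupported $true
# ... and the clients must be Windows 8 or later with the Group Policy
# "Kerberos client support for claims, compound authentication and Kerberos
# armoring" enabled. Older clients simply never match the device condition,
# so a user on a Windows 7 machine is denied, not silently allowed.
```

Note the ordering: classification tags are evaluated by the file server at access time, so a file that FSRM has not yet classified carries no Confidentiality value and is not covered by this rule's resource condition. Run the classification before the policy is applied, and keep the classic NTFS ACL as the outer boundary; a central access rule can only narrow access, never widen it beyond what the NTFS ACL already grants.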
The Active Directory user attributes from which the claims are filled can still be administered centrally or managed by an identity management system. Of course you can delegate responsibility for certain user attributes to the department in charge. A well-maintained and standardized Active Directory is an important prerequisite for a successful implementation of "Dynamic Access Control".
FirstAttribute can support you here with tools, concepts and years of experience in Active Directory management.
The rules are also managed centrally and distributed to all file servers.
This has the great advantage that you have an immediate overview of all authorization rules at any time. The same rules can of course also be used for auditing purposes.
Prerequisites for using "Dynamic Access Control" are, first of all, Windows Server 2012 file servers.
Furthermore, at least one Windows Server 2012 domain controller must be available in the domain to issue claims-based user tokens, and the KDC must be configured via Group Policy to issue claims.
Some features of "Dynamic Access Control" are available only with Windows 8 workstations (e.g. device claims).
Alternative for Server 2008
Those who do not meet these requirements today can take the first step toward claims-based authorization management in another way. With FirstWare DynamicGroup you can automatically fill groups with users based on their Active Directory attributes. With these groups you can then assign permissions to the appropriate resources.
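The underlying technique, attribute-driven group membership, as an added example in plain PowerShell (this is not FirstWare DynamicGroup and not code from the original page). The group name Role-Accounting and the attribute value "Accounting" are hypothetical; the function assumes the group contains only users produced by the filter, so anything else found in it is removed.

```powershell
# Added example: reconcile a group's members with an attribute filter.
# Requires the ActiveDirectory module; supports -WhatIf for a dry run.
Import-Module ActiveDirectory

function Sync-AttributeGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Attribute,
        [Parameter(Mandatory)] [string] $Value,
        [string] $SearchBase
    )

    # Desired membership: enabled users whose attribute equals the value.
    # Disabled accounts are excluded so leavers drop out of the role group
    # even if nobody cleared the attribute.
    $params = @{ Filter = "($Attribute -eq '$Value') -and (Enabled -eq 'True')" }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    $desired = @(Get-ADUser @params | Select-Object -ExpandProperty DistinguishedName)

    # Current direct members, read from the member attribute rather than
    # Get-ADGroupMember, which stops at 5000 entries by default.
    $current = @((Get-ADGroup -Identity $GroupName -Properties member).member)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Role group for the accounting department, as in the resource/role group
# scheme described earlier on this page. Schedule this to run regularly;
# -WhatIf shows the planned changes without touching the group.
Sync-AttributeGroup -GroupName "Role-Accounting" -Attribute "department" -Value "Accounting" -WhatIf
Sync-AttributeGroup -GroupName "Role-Accounting" -Attribute "department" -Value "Accounting"
```

The security-relevant difference to a claim-based rule: here the attribute is evaluated only when the script runs, so a user keeps the role group's access until the next sync, whereas a claim is read fresh at each logon. The same holds for the attribute itself in both models, which is why the page's warning about a well-maintained Active Directory applies equally to this approach; whoever can write the department attribute can grant themselves the role.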
Ask us about ADAutomation.
We advise you on all matters relating to authorization management and Active Directory management.
Links to Dynamic Access Control:
Microsoft Windows Server Blog