In Part 1 of our blog series on Dynamic Access Control we covered the basics of DAC and discussed how Resource Properties and classification are used to enhance the power of Dynamic Access Control in Windows Server 2012. In this blog we’ll discuss how to configure Resource Properties and how to build DAC rules based on them. When creating Resource Properties we have two choices. The first is to use one of the pre-configured Resource Properties supplied by Microsoft. Microsoft looked at which resource properties are commonly used across different industries, so there are a number of pre-configured options such as Country, Department, Retention Period, Impact, Confidentiality and so on. If these Resource Properties don’t fit your business, you can create a new Resource Property by following these steps:
To create a new Resource Property using Active Directory Administrative Center:
1. Start Active Directory Administrative Center. Click Claim Based Access in the navigation pane.
2. Double-click Resource Properties in the left hand pane.
3. From the Tasks pane on the right, click New and then click Resource Property.
4. Type the name of the Resource Property in the Display name box in the General section of the Create Resource Property dialog.
5. Select a logical value type from the Value type list. Choices include Text, Number, Multi-valued list, DateTime and so on.
6. Type a description for the Resource Property in the Description box.
7. Select the “Set ID to a semantically identical Resource Property in a trusted forest” check box if the Resource Property identifier must match an existing Resource Property identifier from another forest, and type the Resource Property identifier. Clear this check box to generate the identifier automatically.
8. Select the “Protect from accidental deletion” check box to ensure an administrator cannot accidentally delete the Resource Property. Clear the check box to remove accidental deletion protection.
9. In the Suggested Values section, click the option you want for suggested values. Create suggested value items as needed.
10. Click OK.
In our scenario we will simply use the Department Resource Property that Microsoft pre-configured. See the example Resource Definition below. As you can see, this Resource Property has suggested values such as Customer Service, Distribution, Sales, Finance, Administration and HR.
Now that we have the Resource Property defined, we can use it in a Central Access Rule. Let’s say we want to limit access to any files that have a Department value of HR. This value (HR) would be associated with the file or folder using one of the two methods discussed in Part 1 of our DAC blog series: 1) Windows Server File Classification Infrastructure, or 2) end-user assisted classification using the TITUS Classification tools. We’ll use our rule to make sure that only employees who are members of the HR department have Read access to files whose Department Resource Property is HR.
1. Start Active Directory Administrative Center.
2. Click Central Access Rules in the navigation pane.
3. From the Tasks pane on the right, click New and then click Central Access Rule.
4. Give your rule a name.
5. In the section called Target Resources click Edit, and then click “Add a Condition” in the new window.
6. In the first drop down select “Resource”; in the second drop down select the “Department” Resource Property we chose earlier.
7. In the third drop down select “Contains”, in the fourth select “Value”, and then in the final drop down select the HR value.
We have now created the first part of our rule, which specifies that this rule applies only to files and folders whose Department property is HR.
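Both procedures above (creating a Resource Property, and building the Target Resources condition of a Central Access Rule) can also be scripted with the ActiveDirectory PowerShell module that ships with Windows Server 2012 and RSAT. The script below is an added example and is not code from the original post or from TITUS. It assumes that the pre-configured Department property carries the ID Department_MS (the default in a Windows Server 2012 forest), that a security group named HR Employees exists, and that the custom property “Business Unit” and its suggested values are constructed names used only for illustration.

```powershell
# Added example, not from the original post: the two ADAC procedures done with the
# ActiveDirectory PowerShell module. Run with Domain Admin rights on a Windows Server 2012
# domain controller or a workstation with RSAT. Names marked "constructed" are not from the post.
Import-Module ActiveDirectory

# --- Part 1: a custom Resource Property (the ADAC "Create Resource Property" dialog) ---
# Suggested values are ADSuggestedValueEntry objects: (value, display name, description).
$suggested = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('EMEA', 'EMEA', 'Europe, Middle East and Africa'),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('AMER', 'AMER', 'Americas'),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('APAC', 'APAC', 'Asia Pacific')
)

# Value type names are the built-in ones (MS-DS-Text, MS-DS-Number, MS-DS-DateTime,
# MS-DS-SinglevaluedChoice, MS-DS-MultivaluedChoice, ...). Omitting -ID lets AD generate the
# identifier, which is what leaving the "Set ID to a semantically identical Resource Property
# in a trusted forest" box clear does in the dialog.
New-ADResourceProperty -DisplayName 'Business Unit' `
    -Description 'Business unit that owns the document (constructed example)' `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues $suggested `
    -IsSecured $true `
    -ProtectedFromAccidentalDeletion $true

# --- Part 2: the Target Resources condition of a Central Access Rule ---
# Look up the ID of the pre-configured Department property instead of hard-coding it;
# in a default forest it is Department_MS (assumption stated in the lead-in).
$dept   = Get-ADResourceProperty -Filter "DisplayName -eq 'Department'"
$deptId = $dept.ID

# The drop-down condition "Resource / Department / Contains / Value / HR" is stored as a
# condition expression over @RESOURCE.<property ID>. For a single-valued choice property
# the stored form is an equality test against the chosen value.
$resourceCondition = "(@RESOURCE.$deptId == `"HR`")"

# Permissions are expressed as SDDL. Read (FR) is granted to the security group
# 'HR Employees' (constructed name) by SID, alongside the usual full-control entries
# for Administrators (BA) and SYSTEM (SY).
$hrSid      = (Get-ADGroup -Identity 'HR Employees').SID.Value
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;$hrSid)"

New-ADCentralAccessRule -Name 'HR documents - Read' `
    -ResourceCondition $resourceCondition `
    -CurrentAcl $currentAcl

# Read the rule back to confirm what was written; with the assumptions above the
# ResourceCondition column should show (@RESOURCE.Department_MS == "HR").
Get-ADCentralAccessRule -Identity 'HR documents - Read' |
    Select-Object Name, ResourceCondition, CurrentAcl
```

Reading the rule back is worth the extra line: the resource condition is only evaluated against the property ID, so a property that was re-created with an auto-generated ID (rather than the shared ID from step 7 of the first procedure) will silently leave the rule matching nothing. As the post notes, the rule does not take effect on file servers until it is added to a Central Access Policy and that policy is deployed, which the next part covers.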
The next blog in our series will show how to complete and implement a Central Access Rule.