Configuring Claim Types for Dynamic Access Control

This is Part 4 of our series on Dynamic Access Control. In Part 3, we discussed how to configure central access rules .  In order to build rules involving user claims we need to define the claim types.  That’s what will discuss in this blog. 

In Windows Server 2012, Claims can be used to authorize a user or computer to a file system resource.  In order to use claims for authorization, the administrator must configure claim types for a user.  Claims types can be created, modified or deleted using AD Administrative Center. 

In Part 3 of the blog series on Dynamic Access Control we created a Central Access Rule specifying that HR documents could only be accessed by employees in the HR department.  The user attribute being used in this example is the Department in which the employee works.   The department information can be populated in the user’s Active Directory attributes using Active Directory Users and Computers. The other thing we need to do in order to use Department in our central access rule is to define Department as a Claim Type.
Microsoft defines a Claim Type as “An assertion about the object with which it is associated”. Basically we need to associate the AD attribute upon which the claim will be built. When we do this Windows Server 2012 will build and associate a Department claim for users.

To create a new claim type using Active Directory Administrative Center follow these steps.

1. Start the Active Directory Administrative Center.
2. Select Claim Types in the navigation pane under the Dynamic Access Control folder.
3. In the task pane, click New and then click Claim Type.
4. On the Create Claim Type dialog in the Source Attribute section, click the Active Directory attribute on which you want to base your claim.  In our example we would select “department”  which has a value type of “string”.
5. Type the Display name (e.g. Department) and Description (e.g. Department in which the employee works).
6. Select the “Claims of this type are issued for User class only” check box to limit the issuance of this claim type only to user.  This means that Department claims can only be assigned to users and not to computers.   If you wanted to build a Central Access Rule that would check to see if the computer is owned by HR you would need to clear this selection.
7. Check the “Protect from accidental deletion” check box to make sure an administrator cannot accidentally delete this claim type.  
9. In the Suggested Values section, click No values are suggested.
10. Click OK.

So your Claim Type definition should look like this (click to enlarge)

Dynamic Access Control Claim Type Definition

Now that our Claim Type is defined we can use this claim in the definition of our Central Access Rule – Users will be given access to HR Resources if User.Department = HR.

In our final blog post in our Dynamic Access Control series we’ll discuss how to roll out Central Access Rules using Central Access Policy.

Tags: , , , ,

Leave a Reply