Configuring Central Access Rules for Dynamic Access Control (DAC)

This is Part 3 of our series on Windows Server 2012 Dynamic Access Control. In Part 1 we discussed the general concepts of Dynamic Access Control and how Resource Properties are used. In Part 2 we discussed how to configure Resource Properties for Dynamic Access Control. In this post we finish the Central Access Rule that we started in Part 2.

A Central Access Rule has two parts. The first part defines which resources the rule applies to: by defining these "Target Resources" (a condition on the resource properties set in Part 2) we indicate which files and folders will be subject to the rule. The second part defines the permissions that will be applied to those resources. This section of the rule has the heading "Current Permissions". (The adjacent "Proposed Permissions" section lets you stage a new ACL and audit what it would allow or deny before enforcing it; we do not use it here.)

In the rule we started to develop in Part 2, we set the Target Resources condition so the rule applies to resources (files, folders, etc.) that were tagged/classified as Human Resources (HR) resources. The assumption is that Microsoft File Classification Infrastructure (FCI) or the TITUS solutions were used to tag/classify the resources. Here is what that looks like (click the image to see a larger view).

DAC Target Resources for Central Access Policy

So that's the first part of the Central Access Rule. Now we need to define the second part, the actual permissions that will be applied to these resources. To configure this part of the Central Access Rule:

1. Start Active Directory Administrative Center. 

2. Click Central Access Rules in the navigation pane.  

3. From the Tasks pane on the right, click New and then click Central Access Rule. 

4. Give your rule a name.  In my case I have already created a rule called HR Documents Rule. 

5. In the Target Resources section click Edit, and then click Add in the new window. I have already defined this as shown in the screenshot above.

6. In the Current Permissions section there will already be default entries for Administrators and Owner Rights (both Full Control).

7.  To add additional Permissions click the Edit button. 

8.  Click on Add in the Advanced Security Settings for Current Permissions dialog. 

9. Add the user or group you want to grant permission to. In our case we add Authenticated Users. Click OK.

10. You will be presented with the Permission Entry for Current Permissions dialog. Select the permissions you want to assign. In our case we add Read and Read & Execute. The screen should now look something like this (click to make larger).

DAC Permissions Config for Central Access Rule

11. Now add the condition for the permission. In our case we add a condition so that only Authenticated Users whose Active Directory department attribute is HR are granted the permission. The department value reaches the file server as a user claim: the domain controller reads the attribute at logon and puts it in the user's Kerberos ticket, and the conditional permission entry is evaluated against that claim. Click Add a condition in the lowest section of the screen.

12. In the first dropdown select User. In the second dropdown select Department. To make an attribute like Department available in this dropdown you need to add Department as a Claim Type; we explain how to do this in Part 4. After selecting Department, complete the condition with "Equals" and the value "HR". The Permission Entry screen should now look like the previous screenshot.

13. Click Ok.  Our rule is now defined. 

For the above rule to work, administrators must make sure the department attribute is filled in on each user's Active Directory account (the Organization tab in Active Directory Users and Computers, or Set-ADUser -Department in PowerShell); a user with an empty or differently spelled value receives no HR claim and is denied. Two further prerequisites are easy to overlook: the domain controllers must have the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting enabled so claims are issued at all, and the user must log on from a claims-aware client (Windows 8 / Windows Server 2012 or later) before the claim appears in their ticket. The screenshot below shows the profile for a user named Bob Builder who is in the HR department.

Active Directory User Properties
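The same "HR Documents Rule" can be built from PowerShell with the ActiveDirectory module, which is handy when the rule must be reproduced in a test forest or kept under version control. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes the Department claim type (Part 4) and the Department resource property (Part 2) already exist with the display name "Department", that Bob Builder's account is "bbuilder" (a made-up name), and that it runs on a Windows Server 2012 or RSAT host as a Domain Admin. The conditional ACE syntax used here is the form ADAC itself stores; compare it with the CurrentAcl of a rule created in the GUI before relying on it.

```powershell
# Added example: create the HR Documents Rule with the ActiveDirectory cmdlets
# instead of clicking through ADAC. Assumes the Department claim type and the
# Department resource property already exist (Parts 2 and 4 of the series).
Import-Module ActiveDirectory

# Look the IDs up rather than hard-coding them: the claim ID is generated per
# forest (ad://ext/Department:<hex>) and the built-in resource property ID is
# normally Department_MS, but neither should be assumed.
$claim   = Get-ADClaimType        -Filter { DisplayName -eq "Department" }
$resProp = Get-ADResourceProperty -Filter { DisplayName -eq "Department" }
if (-not $claim -or -not $resProp) {
    throw "Create the Department claim type and resource property first (Parts 2 and 4)."
}

# Part 1 of the rule, Target Resources: files and folders whose Department
# resource property was set to HR (by FCI, TITUS, or by hand).
$targetCondition = "(@RESOURCE.$($resProp.ID) == `"HR`")"

# Part 2 of the rule, Current Permissions, expressed as SDDL:
#   (A;;FA;;;OW)  Owner Rights, Full Access      (ADAC default entry)
#   (A;;FA;;;BA)  Administrators, Full Access    (ADAC default entry)
#   (XA;...;AU;(cond)) Authenticated Users get Read (FR) and Read & Execute (FX)
#                 only when the conditional ACE's test User.Department == "HR" passes.
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)" +
              "(XA;;FRFX;;;AU;(@USER.$($claim.ID) == `"HR`"))"

New-ADCentralAccessRule -Name "HR Documents Rule" `
    -Description "HR-classified documents readable only by HR staff" `
    -ResourceCondition $targetCondition `
    -CurrentAcl $currentAcl

# The rule grants nothing until users actually carry the claim, so populate the
# attribute the claim type is sourced from. "bbuilder" is an assumed account name.
Set-ADUser -Identity "bbuilder" -Department "HR"

# Read back what was stored; ADAC shows this same condition and SDDL in the rule.
Get-ADCentralAccessRule -Identity "HR Documents Rule" |
    Select-Object Name, ResourceCondition, CurrentAcl
```

After Bob logs on again from a claims-aware client, `whoami /claims` on that client shows whether the Department claim with value HR was actually issued; if it is missing, check the KDC claims Group Policy setting on the domain controllers before debugging the rule. The rule itself does nothing on a file server until it is added to a Central Access Policy and that policy is applied to the folder, which is the subject of Part 5.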

Our rule is now complete. In Part 4 of this blog series on DAC we cover how to create a claim type, and in Part 5 we discuss how this rule is deployed via a Dynamic Access Control Central Access Policy. For more information on how Dynamic Access Control can work with SharePoint, see our "Applying Windows Server 2012 DAC to SharePoint" blog.
