2.7.2.9 Create a Security Group - Client Application

In this use case, an administrator wants to create a security group to be used for access-control decisions. The administrator launches a client application to create the new security group. The client application establishes a connection to the Active Directory system.

Goal

Create a new security group in the directory.

Context of Use

An administrator wants to create a security group to be used for access-control decisions.

Use case diagram for creating a security group

Figure 22: Use case diagram for creating a security group

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to create the security group, and relays the response to the administrator.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.

  • Directory server

    The directory server is the supporting actor that receives the creation request and creates the security group.

Stakeholders

  • Administrator

    The administrator initiates account and group operations such as creating, resetting, changing, or deleting an account; querying group membership; creating a security group; and modifying a group's member list. The administrator primarily wants confirmation that the operation completed successfully, or an error message explaining why it failed.

  • Directory

    The directory is the entity that contains the security group being created.

Preconditions

  • The system-wide preconditions described in section 2.6 are satisfied, including completion of the Active Directory system's initialization.

  • The client application has network connectivity to a directory server, so that it can establish a connection (if one does not already exist) and send the request.

Main Success Scenario

  1. Trigger: The administrator provides the group name for the new security group as input to the client application, along with credentials, and invokes the operation that creates a new security group.

  2. The client application establishes a connection to the directory server. Windows Authentication Services authenticates the client application by using the supplied credentials ([MS-AUTHSOD] section 2).

  3. The client application sends a request to the directory server to create a new security group and specifies the group name for the new group.

  4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).

  5. The directory server validates the constraints on the new group name, as described in [MS-SAMR] sections 3.1.1.6 and 3.1.1.8.4.

  6. The directory server creates an object in the directory that represents the new security group with the group name supplied by the client. The directory object is additionally populated with attributes that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.2).

  7. The directory server sends a response to the client application that the new security group has been successfully created.

Postcondition

The new security group is created and ready for use.

Extensions

  • If the credentials that are supplied through the client application have insufficient access-control rights to create the new security group:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application that the supplied credentials have insufficient access-control rights to create the new security group.

  • If the group name that the administrator supplies does not satisfy the group name constraints, as described in [MS-SAMR] section 3.1.1.6:

    1-5. Same as Main Success Scenario.

    6. The directory server sends a response to the client application that the specified group name does not meet the constraints.

  • If the group name that is supplied through the client application is not unique, as described in [MS-SAMR] section 3.1.1.8.4:

    1-5. Same as Main Success Scenario.

    6. The directory server sends a response to the client application that the specified group name is already in use by an existing group.
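The following is an added example, not code from [MS-ADOD] or any Microsoft implementation. It models the Main Success Scenario and all three Extensions above on the client and server side: the Add request a client builds in step 3 (objectClass, sAMAccountName and the groupType bits for a security-enabled group), and the server's ordered decisions in steps 4 through 6 (access check, then name constraints, then uniqueness). The directory is a constructed in-memory stand-in; the forbidden-character list and the 256-character limit approximate [MS-SAMR] section 3.1.1.6 and are assumptions for this example, as are the principal names and base DN.

```python
"""Added example (not from [MS-ADOD]): models the client's Add request and the
directory server's decision steps 4-6 when creating a security group.
The name rules approximate [MS-SAMR] 3.1.1.6 and the uniqueness check in
[MS-SAMR] 3.1.1.8.4; the 'directory' is a constructed in-memory stand-in."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple

# groupType flag bits ([MS-ADTS] 2.2.12). A global security group is
# ACCOUNT_GROUP | SECURITY_ENABLED; LDAP carries it as a signed 32-bit integer.
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Characters a sAMAccountName must not contain (per [MS-SAMR] 3.1.1.6).
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 256  # assumed upper bound for this example


class Result(Enum):
    SUCCESS = "created"
    ACCESS_DENIED = "insufficient access-control rights"       # Extension 1
    NAME_INVALID = "group name does not meet constraints"      # Extension 2
    NAME_IN_USE = "group name already in use"                  # Extension 3


def to_ldap_int32(value: int) -> int:
    """Fold an unsigned flag word into the signed 32-bit form LDAP transmits."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def build_add_request(base_dn: str, name: str, universal: bool = False) -> Tuple[str, dict]:
    """Step 3: the DN and client-supplied attributes of the Add request.
    Server-populated attributes (objectSid, objectCategory, ...) are left out;
    the server adds them in step 6."""
    scope = GROUP_TYPE_UNIVERSAL_GROUP if universal else GROUP_TYPE_ACCOUNT_GROUP
    attrs = {
        "objectClass": ["top", "group"],
        "sAMAccountName": name,
        "groupType": to_ldap_int32(scope | GROUP_TYPE_SECURITY_ENABLED),
    }
    return f"CN={name},{base_dn}", attrs


def name_constraints_ok(name: str) -> bool:
    """Step 5 (syntactic part): reject empty, over-long, all-dot/space names
    and names containing forbidden characters."""
    if not name or len(name) > SAM_MAX_LEN:
        return False
    if name.strip(". ") == "":
        return False
    return not (set(name) & SAM_FORBIDDEN)


@dataclass
class Directory:
    """Constructed stand-in for the directory server (hypothetical, not AD)."""
    base_dn: str
    can_create_child: set            # principals holding Create Child on the container
    groups: dict = field(default_factory=dict)   # keyed by lower-cased sAMAccountName

    def create_security_group(self, principal: str, name: str) -> Tuple[Result, Optional[str]]:
        # Step 4: the access check runs before any name validation, so a caller
        # without rights cannot use error responses to probe which names exist.
        if principal not in self.can_create_child:
            return Result.ACCESS_DENIED, None
        # Step 5: name constraints, then uniqueness. sAMAccountName compares
        # case-insensitively, so 'Finance' and 'finance' collide.
        if not name_constraints_ok(name):
            return Result.NAME_INVALID, None
        if name.lower() in self.groups:
            return Result.NAME_IN_USE, None
        # Step 6: store client-supplied plus server-mandated attributes
        # (only objectCategory is shown here as an illustration).
        dn, attrs = build_add_request(self.base_dn, name)
        attrs["objectCategory"] = f"CN=Group,CN=Schema,CN=Configuration,{self.base_dn}"
        self.groups[name.lower()] = attrs
        # Step 7: success response carries the DN of the new object.
        return Result.SUCCESS, dn


if __name__ == "__main__":
    d = Directory("DC=example,DC=com", can_create_child={"alice"})
    for who, name in [("bob", "Finance"), ("alice", "Finance"),
                      ("alice", "finance"), ("alice", "Fin/ance")]:
        print(who, repr(name), "->", d.create_security_group(who, name))
```

With a real server the `(dn, attrs)` pair from `build_add_request` is what a client would hand to an LDAP Add, for example `Connection.add(dn, attributes=attrs)` in the ldap3 library (assumed usage, not shown running here). The ordering inside `create_security_group` mirrors the Extensions: the access-control failure is reported at step 5 before any name is validated, whereas the two name failures are reported at step 6 only to a caller that already holds the right to create the object.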