2.7.2.7 Query an Account's Group Membership - Client Application

In this use case, an administrator wants to display an account's group membership in order to determine the account's access rights. The administrator launches a client application to query the group membership of a specified account. The client application establishes a connection to the Active Directory system.

Goal

Retrieve an account's group membership.

Context of Use

An administrator wants to retrieve or use group membership of a directory object.

Figure 20: Use case diagram for querying the group membership of an account

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to obtain group membership, and relays the response to the administrator.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.

  • Directory server

    The directory server is the supporting actor that receives the request for group-membership information and gathers the information for the requestor.

Stakeholders

  • Administrator

    The administrator initiates operations such as create, reset, change, query group members, create security group, modify group member list, and delete on an account. The administrator primarily wants to receive information that the operations are successfully completed or receive an error message if they failed.

  • Directory

    The directory is the entity that contains and maintains group membership.

    In this operation, the directory is left unchanged.

Preconditions

  • The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.

  • The client application has connectivity to a directory server to which it can establish a connection, if it is not already connected, and send the request.

  • The account for which group membership is being requested exists.

Main Success Scenario

  1. Trigger: The administrator provides the account name of the account to query as input to the client application with credentials and invokes the operation that queries the group membership of an account.

  2. The client application establishes a connection to the directory server. Windows Authentication Services use the supplied credentials to authenticate the client application ([MS-AUTHSOD] section 2).

  3. The client application sends a request to the directory server to retrieve the group membership of the account.

  4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).

  5. The directory server sends a response to the client application that contains the group membership of the specified account.

Postcondition

Group-membership information for the account is available to the client application.

Extensions

  • If the credentials that are supplied through the client application have insufficient access-control rights to retrieve the group membership of the account:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application. Group-membership information is not returned to the client application.
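As an added example (not part of this document, [MS-ADTS], or any Microsoft client application), the following Python code shows the client-application side of the scenario above: building the group-membership search from the account name the administrator supplies in step 1, and interpreting the directory server's reply in step 5, including the Extensions case where the reply carries no membership. The LDAP connection and authentication (step 2, [MS-AUTHSOD]) are assumed to exist and are not shown; the attribute names sAMAccountName, memberOf and primaryGroupID are real Active Directory attributes, while the base DN, the dictionary shape of the reply and the sample replies themselves are constructed for the example.

```python
"""Client-side pieces of the group-membership query: build the LDAP search
safely from administrator input (step 1 -> step 3) and interpret the server's
reply (step 5, plus the insufficient-rights extension).  Example code, not
from the specification; the reply format below is a constructed model."""

from typing import Dict, List, Optional

# RFC 4515 escaping for values embedded in an LDAP search filter.  Without it
# an account name such as "*" or "x)(objectClass=*" supplied in step 1 would
# change the meaning of the filter sent in step 3 (LDAP filter injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_membership_search(account_name: str, base_dn: str) -> Dict[str, object]:
    """Search request for step 3.  memberOf lists the groups the account is a
    direct member of; the primary group is not in memberOf but is identified
    by primaryGroupID, so both attributes are requested.  base_dn is an
    assumed value supplied by the caller."""
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": "(&(objectClass=user)(sAMAccountName=%s))"
        % escape_filter_value(account_name),
        "attributes": ["memberOf", "primaryGroupID"],
    }


def parse_membership_response(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Interpret the step-5 reply (modelled as a list of entry dicts, each with
    a 'dn' and an 'attributes' dict).  Three outcomes matter to the caller:
      - no entry: the account was not found (or the caller may not list it);
      - entry with memberOf: membership returned (main success scenario);
      - entry without memberOf: the server answered but returned no
        membership, which is what the Extensions case looks like on the wire.
    Caveat: memberOf is also absent when the account belongs to no group other
    than its primary group, so the reply alone cannot distinguish 'no groups'
    from 'read denied'; the caller must treat membership_returned=False as
    'unknown', not as 'no access rights'."""
    if not entries:
        return {"found": False, "membership_returned": False,
                "groups": None, "primary_group_rid": None}
    attrs: Dict[str, object] = entries[0].get("attributes", {})  # type: ignore[assignment]
    groups: Optional[List[str]] = attrs.get("memberOf")  # type: ignore[assignment]
    rid_values = attrs.get("primaryGroupID")
    rid = int(rid_values[0]) if rid_values else None  # type: ignore[index]
    if groups is None:
        return {"found": True, "membership_returned": False,
                "groups": None, "primary_group_rid": rid}
    return {"found": True, "membership_returned": True,
            "groups": sorted(groups), "primary_group_rid": rid}


# Constructed sample replies standing in for what the directory server sends.
SAMPLE_REPLY_OK = [{
    "dn": "CN=J. Doe,OU=Staff,DC=example,DC=com",
    "attributes": {
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com",
                     "CN=VPN Users,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": ["513"],
    },
}]
# Extensions case: the server replies, but the membership is not returned.
SAMPLE_REPLY_WITHHELD = [{
    "dn": "CN=J. Doe,OU=Staff,DC=example,DC=com",
    "attributes": {"primaryGroupID": ["513"]},
}]
SAMPLE_REPLY_NOT_FOUND: List[Dict[str, object]] = []


if __name__ == "__main__":
    request = build_membership_search("jdoe", "DC=example,DC=com")
    print("request:", request)
    for label, reply in (("ok", SAMPLE_REPLY_OK),
                         ("withheld", SAMPLE_REPLY_WITHHELD),
                         ("not found", SAMPLE_REPLY_NOT_FOUND)):
        print(label, "->", parse_membership_response(reply))
```

The escaping step is the security-relevant part: the account name comes from the administrator as free text, and only a properly escaped filter guarantees that step 3 queries the single account that was named rather than a wider set of objects. On the reply side, the parser keeps "membership returned" separate from "account found", because the Extensions case produces a normal, successful LDAP response that simply lacks the attribute.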