2.1.4.3 CBAC Model

The following diagram shows the components of the claim-based access control (CBAC) architecture.


Figure 10: CBAC architecture

The CBAC architecture consists of the following components:

Central access policy (CAP) Admin client

  • Enables the administrator to configure claim definitions, by specifying the claim names and the types of their values, and to assign the claims to users and devices in the Active Directory store using the Lightweight Directory Access Protocol (LDAP) ([MS-ADTS]).

  • Also enables the administrator to configure central access rules (CARs) and central access policies (CAPs) on the Group Policy server using the Group Policy: Central Access Policies Protocol Extension ([MS-GPCAP]).

Central policy store

  • Active Directory stores the claim definitions, user and device claims, central access rules, and central access policies.

  • The Group Policy server pushes access rules and policies to the specified file servers via Group Policy Central Access Policies Protocol Extension. For more information, see [MS-GPCAP].

Client computer

  • The identities of the Server Message Block (SMB) clients on the client computer can be authenticated by using either the NTLM protocol ([MS-NLMP] and [MS-APDS]) or the Kerberos Protocol Extensions ([MS-KILE] or [MS-PKCA]), as described in [MS-AUTHSOD]. Kerberos authentication produces authorization information that includes the claims, whereas NTLM authentication produces authorization information without the claims.

  • The SMB clients request access to a file share on a remote file server by presenting the authorization information that is created by successful authentication.

File server Admin client

  • Enables the administrator to configure classification rules using the File Server Resource Manager (FSRM) Protocol interfaces (see [MS-FSRM]) and to retrieve central access policy IDs using the Central Access Policy Identifier (ID) Retrieval Protocol (see [MS-CAPR]) on the remote file server.

  • The file server administrator simulates the effective rights of users on file shares using the Remote Authorization API Protocol interfaces ([MS-RAA]).

File server

  • Claim definitions are pulled from Active Directory using LDAP queries ([MS-ADTS]).

  • The File Classification Infrastructure (FCI) and File Server Resource Manager (FSRM) infrastructures transfer the resource properties and central access policies into an object's security descriptor.

  • On file access requests, the file system or object store (see [MS-FSA]) calls the authorization system to determine access to files.

  • The authorization system verifies access to the files, as described in [MS-DTYP] section 2.5.3.2.
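The following is an added example, not code from this document or from Microsoft, that models in reduced form the access check the file server performs: the ordinary DACL check and the central access policy check must both grant the requested access, and a central access rule applies only when its condition over user claims, device claims and resource properties evaluates to true. It also shows why the authentication path matters: the same user with the same group memberships is denied when the token carries no claims (the NTLM case described under "Client computer"), because a missing claim makes the condition unknown rather than satisfied. The condition syntax, the department and device claims, the rule and the CAP ID are constructed sample values; the real evaluation rules are in [MS-DTYP] section 2.5.3.2.

```python
"""Reduced model of a claim-based (CBAC) access check on a file server.

Added example, not from the original document or from Microsoft. The AST-style
conditions, claim names, departments and the policy ID below are constructed
sample values; the authoritative algorithm is [MS-DTYP] section 2.5.3.2.
"""
from dataclasses import dataclass, field

READ = 0x1
WRITE = 0x2


@dataclass
class Token:
    """Authorization context produced by authentication of the SMB client."""
    user: str
    groups: set
    user_claims: dict = field(default_factory=dict)    # filled by Kerberos, empty under NTLM
    device_claims: dict = field(default_factory=dict)  # likewise


@dataclass
class Resource:
    """A file: DACL reduced to allowed groups, plus FCI resource properties."""
    path: str
    allowed_groups: set
    properties: dict = field(default_factory=dict)
    cap_id: str = "CAP-ID-PLACEHOLDER"  # constructed placeholder, not a real identifier


@dataclass
class CentralAccessRule:
    name: str
    condition: tuple  # small AST consumed by evaluate()
    mask: int


def resolve(operand, token, resource):
    """Operand forms: ("lit", v), ("user", claim), ("device", claim), ("resource", prop)."""
    kind, name = operand
    if kind == "lit":
        return name
    table = {"user": token.user_claims,
             "device": token.device_claims,
             "resource": resource.properties}[kind]
    return table.get(name)  # None when the claim or property is absent


def evaluate(cond, token, resource):
    """Three-valued evaluation: True, False, or None (unknown) when a referenced claim is missing.

    Treating an absent claim as unknown rather than False is what makes a
    claim-less (NTLM) token fail every claim-dependent rule.
    """
    op = cond[0]
    if op in ("and", "or"):
        results = [evaluate(c, token, resource) for c in cond[1:]]
        decisive = False if op == "and" else True
        if decisive in results:
            return decisive
        return None if None in results else (not decisive)
    if op == "eq":
        left = resolve(cond[1], token, resource)
        right = resolve(cond[2], token, resource)
        if left is None or right is None:
            return None
        return left == right
    raise ValueError(f"unknown operator {op!r}")


def dacl_grants(token, resource):
    """Ordinary discretionary ACL check, reduced here to group membership."""
    return READ | WRITE if token.groups & resource.allowed_groups else 0


def cap_grants(token, resource, rules):
    """Rights granted by the central access policy: union of rules whose condition is True."""
    mask = 0
    for rule in rules:
        if evaluate(rule.condition, token, resource) is True:
            mask |= rule.mask
    return mask


def effective_rights(token, resource, rules):
    """What an administrator simulating effective rights would see: DACL AND CAP."""
    return dacl_grants(token, resource) & cap_grants(token, resource, rules)


def access_check(token, resource, rules, requested):
    """Granted only if every requested right is granted by both the DACL and the CAP."""
    return (requested & ~effective_rights(token, resource, rules)) == 0


# Constructed sample policy: matching department AND a managed device.
FINANCE_RULE = CentralAccessRule(
    name="Finance documents",
    condition=("and",
               ("eq", ("user", "Department"), ("resource", "Department")),
               ("eq", ("device", "Managed"), ("lit", True))),
    mask=READ | WRITE)
POLICY = [FINANCE_RULE]

REPORT = Resource(path=r"\\fileserver\finance\q1.xlsx",
                  allowed_groups={"Finance-Users"},
                  properties={"Department": "Finance"})

# Same user and groups; only the authentication path (and hence the claims) differs.
KERBEROS_TOKEN = Token("alice", {"Finance-Users"},
                       user_claims={"Department": "Finance"},
                       device_claims={"Managed": True})
NTLM_TOKEN = Token("alice", {"Finance-Users"})


def demo():
    return {"kerberos_read": access_check(KERBEROS_TOKEN, REPORT, POLICY, READ),
            "ntlm_read": access_check(NTLM_TOKEN, REPORT, POLICY, READ),
            "ntlm_condition": evaluate(FINANCE_RULE.condition, NTLM_TOKEN, REPORT)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the model is that group membership alone is not sufficient once a CAP is applied to the file: the NTLM token passes the DACL check but its claim-dependent condition evaluates to unknown, so the CAP grants nothing and access is denied, which is why the administrator's effective-rights simulation should be run with the authentication path the clients actually use.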