2.5.1.2.6 Check Object Visibility

Goal

Verify the access requested by the user of the Active Directory client to enumerate the Active Directory objects and their attributes.

Context of Use

The user of the Active Directory client needs to enumerate the Active Directory objects and their associated attributes. The Active Directory server needs to verify the user's access rights before granting the access to the Active Directory client. Therefore, the Active Directory server interacts with the authorization system through the Active Directory resource manager to verify the requested access rights using this use case.

Actors

The actors are the same as described in section 2.5.1.2.1.

Stakeholders

The primary interest of the user is to enumerate all of the Active Directory objects and their attributes.

Preconditions

  • The identity of the user has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].

  • The administrator has configured the required attribute level access permissions for the user on the Active Directory object using the Admin tool.

  • The Active Directory server obtained the access token for the requesting user, as described in section 2.5.1.3, and it already sent a request to the Active Directory resource manager by passing the user's access token (which is also called security context), access rights, and other information.

  • The object's security descriptor has already undergone the SID substitution for Principal Self ([MS-ADTS] section 5.1.3.3).

Main success scenario

  1. Trigger: The user makes a request to the Active Directory server using the Active Directory client to enumerate all the Active Directory objects and attributes to which the user has access.

  2. The Active Directory resource manager verifies the access rights of the user against permissions on the object's security descriptor, as described in [MS-ADTS] section 5.1.3.3.6.

  3. If the verification succeeds, then the Active Directory resource manager returns success to the Active Directory server, indicating that the user has been granted access to the requested Active Directory object.
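The following added example (not part of this specification) models the check in steps 2 and 3 together with the Principal Self precondition: the object's DACL is walked in order, allowed ACEs strip bits from the requested mask, a matching denied ACE ends the check, and the well-known PRINCIPAL_SELF SID is replaced by the object's own SID before evaluation. The SIDs, attribute names, and the one-attribute-per-ACE simplification of object-type ACEs are constructed assumptions, not values from [MS-ADTS].

```python
from dataclasses import dataclass
from typing import Optional

PRINCIPAL_SELF = "S-1-5-10"   # well-known SID replaced by the object's own SID
READ_PROPERTY = 0x10          # RIGHT_DS_READ_PROPERTY access right

@dataclass
class Ace:
    allow: bool                    # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    sid: str                       # trustee SID
    mask: int                      # access rights bits
    attribute: Optional[str] = None  # None = ACE applies to the whole object

@dataclass
class ADObject:
    dn: str
    sid: Optional[str]             # object's own SID if it is a security principal
    attributes: dict
    dacl: list

def substitute_self(dacl, obj):
    """Precondition: SID substitution for Principal Self on this object's DACL."""
    if obj.sid is None:
        return dacl
    return [Ace(a.allow, obj.sid if a.sid == PRINCIPAL_SELF else a.sid,
                a.mask, a.attribute) for a in dacl]

def access_check(token_sids, dacl, desired, attribute=None):
    """Ordered DACL walk; empty DACL or unmet bits means access is denied."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.attribute is not None and ace.attribute != attribute:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False               # deny ACE hits a still-requested right
        if remaining == 0:
            return True
    return remaining == 0

def visible_attributes(token_sids, obj):
    """Attributes the resource manager would let this token read (postcondition)."""
    dacl = substitute_self(obj.dacl, obj)
    return {n: v for n, v in obj.attributes.items()
            if access_check(token_sids, dacl, READ_PROPERTY, n)}

# Constructed sample: Alice's user object, readable by herself except one attribute.
ALICE_SID, BOB_SID = "S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-1105"
ALICE = ADObject("CN=alice,DC=example", ALICE_SID,
    {"cn": "alice", "mail": "alice@example", "telephoneNumber": "555-0100"},
    [Ace(False, "S-1-1-0", READ_PROPERTY, "telephoneNumber"),  # deny Everyone
     Ace(True, PRINCIPAL_SELF, READ_PROPERTY),                  # self reads all
     Ace(True, "S-1-5-11", READ_PROPERTY, "cn")])               # Authenticated Users
ALICE_TOKEN = {ALICE_SID, "S-1-1-0", "S-1-5-11"}
BOB_TOKEN = {BOB_SID, "S-1-1-0", "S-1-5-11"}
```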

Postcondition

The Active Directory server makes Active Directory objects and attributes visible to whichever user has access to them.