2.5.1.2.4 Control Access Right-Based Access

Goal

Verify that the user of the Active Directory client has been granted the control access right ([MS-ADTS] section 5.1.3.2.1) required for the operation the user requests.

Context of Use

The user of the Active Directory client needs to perform operations whose semantics are not tied to specific properties, or for which access must be controlled in a way that the standard access rights do not support. Such operations are protected by control access rights, each identified by a GUID; for more information, see [MS-ADTS] section 5.1.3.2.1. The Active Directory server must verify that the user holds the relevant control access right before performing the requested operation. To do so, the Active Directory server interacts with the authorization system through the Active Directory resource manager, as described in this use case.

Actors

The actors are the same as described in section 2.5.1.2.1.

Stakeholders

The primary interest of a user is to perform certain operations that have semantics that are not tied to specific properties ([MS-ADTS] section 5.1.3.2.1).

Preconditions

  • The identity of the user has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].

  • The administrator has, using the Admin tool, configured the required control-access-right permission on the Active Directory object: an access control entry (ACE) that grants the user, or a group the user belongs to, RIGHT_DS_CONTROL_ACCESS for the GUID of the control access right ([MS-ADTS] section 5.1.3.2.1).

  • The Active Directory server has obtained the access token for the requesting user, as described in section 2.5.1.3, and has already sent a request to the Active Directory resource manager that passes the user's access token (also called the security context), the control-access-right GUID ([MS-ADTS] section 5.1.3.2.1), and other information.

  • The object's security descriptor has already undergone the SID substitution for Principal Self (S-1-5-10), as described in [MS-ADTS] section 5.1.3.3.

Main success scenario

  1. Trigger: The user of an Active Directory client requests that the Active Directory server perform one of the operations listed in [MS-ADTS] section 5.1.3.2.1, or an application-defined extended operation that is protected by a control access right.

  2. The Active Directory resource manager verifies the user's access token against the ACEs in the object's security descriptor for the requested control-access-right GUID, as described in [MS-ADTS] section 5.1.3.3.4.

  3. If the verification succeeds, the Active Directory resource manager returns success to the Active Directory server, indicating that the user has been granted the requested control access right on the Active Directory object.

Postcondition

The Active Directory server enables the user to perform the requested operation.
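The following is an added example that models the check performed in steps 2 and 3 of the main success scenario, together with the Principal Self substitution named in the preconditions. It is illustrative code written for this page, not Windows or [MS-ADTS] code: the ACE, security descriptor, and token types are simplified, the SIDs and rightsGuid values are constructed, and the function check_control_access_right follows the DACL semantics of [MS-ADTS] section 5.1.3.3.4 as understood here (ACEs evaluated in DACL order, inherit-only ACEs skipped, first ACE whose trustee is in the token and whose mask contains RIGHT_DS_CONTROL_ACCESS for the requested GUID decides, an absent DACL grants access, no match denies).

```python
"""Model of the control access right check ([MS-ADTS] 5.1.3.3.4) and the
Principal Self SID substitution ([MS-ADTS] 5.1.3.3). Illustrative only."""
from dataclasses import dataclass
from typing import List, Optional, Set
import uuid

RIGHT_DS_CONTROL_ACCESS = 0x100   # access mask bit for control access rights ([MS-ADTS] 5.1.3.2)
INHERIT_ONLY_ACE = 0x08           # AceFlags bit: ACE exists for inheritance only, not effective here
PRINCIPAL_SELF = "S-1-5-10"       # well-known SID replaced by the object's own SID before the check

# Constructed rightsGuid values; real ones live on controlAccessRight objects.
RIGHT_A = uuid.UUID("11111111-1111-1111-1111-111111111111")
RIGHT_B = uuid.UUID("22222222-2222-2222-2222-222222222222")


@dataclass
class Ace:
    kind: str                               # "allow" or "deny"
    sid: str                                # trustee SID
    mask: int                               # access mask
    flags: int = 0                          # AceFlags
    object_type: Optional[uuid.UUID] = None  # ObjectType of an object ACE; None = every control access right


@dataclass
class SecurityDescriptor:
    dacl: Optional[List[Ace]]               # None models an absent (NULL) DACL


@dataclass
class Token:
    sids: Set[str]                          # user SID plus group SIDs


def substitute_principal_self(sd: SecurityDescriptor, object_sid: str) -> SecurityDescriptor:
    """[MS-ADTS] 5.1.3.3: replace S-1-5-10 in each ACE with the SID of the object being accessed."""
    if sd.dacl is None:
        return sd
    return SecurityDescriptor([
        Ace(a.kind, object_sid if a.sid == PRINCIPAL_SELF else a.sid, a.mask, a.flags, a.object_type)
        for a in sd.dacl
    ])


def check_control_access_right(sd: SecurityDescriptor, token: Token, right_guid: uuid.UUID) -> bool:
    """Model of [MS-ADTS] 5.1.3.3.4: the first applicable ACE in DACL order decides."""
    if sd.dacl is None:
        return True                         # absent DACL: everyone is granted access
    for ace in sd.dacl:
        if ace.flags & INHERIT_ONLY_ACE:
            continue                        # not effective on this object
        if ace.sid not in token.sids:
            continue                        # trustee is neither the user nor one of its groups
        if not ace.mask & RIGHT_DS_CONTROL_ACCESS:
            continue                        # ACE is about some other kind of right
        if ace.object_type is not None and ace.object_type != right_guid:
            continue                        # object ACE scoped to a different control access right
        return ace.kind == "allow"          # deny ACE listed earlier wins over a later allow
    return False                            # no matching ACE: access is not granted


def demo() -> dict:
    """Run the check over constructed descriptors; returns a dict of outcomes."""
    me = "S-1-5-21-1-1-1-1001"              # constructed user SID
    domain_users = "S-1-5-21-1-1-1-513"     # constructed group SID
    tok = Token({me, domain_users})
    results = {}

    # Group-scoped allow for RIGHT_A only.
    sd = SecurityDescriptor([Ace("allow", domain_users, RIGHT_DS_CONTROL_ACCESS, object_type=RIGHT_A)])
    results["explicit_allow"] = check_control_access_right(sd, tok, RIGHT_A)
    results["wrong_right"] = check_control_access_right(sd, tok, RIGHT_B)

    # A user-specific deny listed before the group allow wins.
    sd = SecurityDescriptor([Ace("deny", me, RIGHT_DS_CONTROL_ACCESS, object_type=RIGHT_A),
                             Ace("allow", domain_users, RIGHT_DS_CONTROL_ACCESS, object_type=RIGHT_A)])
    results["deny_precedes_allow"] = check_control_access_right(sd, tok, RIGHT_A)

    # An inherit-only ACE confers nothing on the object that carries it.
    sd = SecurityDescriptor([Ace("allow", me, RIGHT_DS_CONTROL_ACCESS,
                                 flags=INHERIT_ONLY_ACE, object_type=RIGHT_A)])
    results["inherit_only_ignored"] = check_control_access_right(sd, tok, RIGHT_A)

    # Principal Self: a non-object allow ACE (all control access rights) for S-1-5-10
    # applies only when the object being accessed is the user's own object.
    sd = SecurityDescriptor([Ace("allow", PRINCIPAL_SELF, RIGHT_DS_CONTROL_ACCESS)])
    results["self_on_own_object"] = check_control_access_right(
        substitute_principal_self(sd, me), tok, RIGHT_B)
    results["self_on_other_object"] = check_control_access_right(
        substitute_principal_self(sd, "S-1-5-21-1-1-1-1002"), tok, RIGHT_B)

    # Absent DACL grants everything.
    results["null_dacl"] = check_control_access_right(SecurityDescriptor(None), tok, RIGHT_A)
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The Principal Self cases are the reason the substitution is listed as a precondition: an ACE for S-1-5-10 must be rewritten to the accessed object's SID before the token is compared, otherwise the ACE would never match any real trustee. The deny-before-allow case shows why ACE order in the DACL, not just ACE presence, matters when auditing who holds a control access right.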