126.96.36.199.4 Control Access Right-Based Access
Verify that the user of the Active Directory client holds the control access right required for the operation the user requests.
Context of Use
The user of the Active Directory client is required to perform certain operations whose semantics are not tied to specific properties, or for which it is desirable to control access in a way that the standard access rights do not support. For more information, see [MS-ADTS] section 188.8.131.52.1. The Active Directory server needs to verify the user's access rights before granting access to perform the requested operation. Therefore, in this use case the Active Directory server interacts with the authorization system through the Active Directory resource manager to verify the requested user access rights.
The actors are the same as described in section 184.108.40.206.1.
The primary interest of a user is to perform certain operations that have semantics that are not tied to specific properties ([MS-ADTS] section 220.127.116.11.1).
The identity of the user has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].
The administrator has configured the required attribute level access permissions for the user on the Active Directory object using the Admin tool.
The Active Directory server obtained the access token for the requesting user, as described in section 18.104.22.168, and has already sent a request to the Active Directory resource manager, passing the user's access token (also called the security context), the control-access-right GUID ([MS-ADTS] section 22.214.171.124.1), and other information.
Main success scenario
Trigger: The user of an Active Directory client makes a request to the Active Directory server to perform one of the operations listed in [MS-ADTS] section 126.96.36.199.1, or an extended operation provided by an application developer.
The Active Directory resource manager verifies the access rights of the user against permissions on the object's security descriptor, as described in [MS-ADTS] section 188.8.131.52.4.
If the verification succeeds, the Active Directory resource manager returns success to the Active Directory server, indicating that the user has been granted access to the requested Active Directory object.
The Active Directory server enables the user to perform the requested operation.
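The following is an added example, not code from [MS-AUTHSOD], [MS-ADTS] or any Microsoft implementation. It models the verification step above in simplified form: the resource manager walks the DACL of the object's security descriptor, matches each ACE against the SIDs in the caller's token, and grants the requested control access right only if a matching ACE carries the control-access bit of the access mask and either names the requested right's GUID or names no GUID (which covers all control access rights). The SIDs and GUIDs are constructed placeholders; the access-mask bit value 0x100 is the documented ADS_RIGHT_DS_CONTROL_ACCESS bit. Inheritance, owner rights, validated writes and auditing are deliberately left out.

```python
"""Simplified model of a control-access-right check against an AD object's DACL.

Added illustration only; it is not the [MS-ADTS] access-check algorithm.
Evaluation follows canonical DACL order: explicit deny ACEs precede allow
ACEs, so the first ACE that matches trustee, mask bit and GUID decides.
"""
from dataclasses import dataclass
from typing import Optional, List, FrozenSet
import uuid

# Access-mask bit for control access rights (ADS_RIGHT_DS_CONTROL_ACCESS).
RIGHT_DS_CONTROL_ACCESS = 0x100
# Some other right, used to show that a GUID match alone is not enough.
RIGHT_DS_WRITE_PROP = 0x20

# Constructed placeholder GUIDs standing in for real control-access-right GUIDs.
RIGHT_RESET_PASSWORD = uuid.UUID("11111111-1111-1111-1111-111111111111")
RIGHT_REANIMATE = uuid.UUID("22222222-2222-2222-2222-222222222222")

# Constructed placeholder SIDs (not real domain SIDs).
SID_HELPDESK = "S-1-5-21-EXAMPLE-1105"
SID_CONTRACTORS = "S-1-5-21-EXAMPLE-1106"
SID_DOMAIN_ADMINS = "S-1-5-21-EXAMPLE-512"
SID_ALICE = "S-1-5-21-EXAMPLE-2001"
SID_BOB = "S-1-5-21-EXAMPLE-2002"
SID_CAROL = "S-1-5-21-EXAMPLE-2003"


@dataclass(frozen=True)
class Ace:
    allow: bool                       # True: ACCESS_ALLOWED(_OBJECT)_ACE, False: ACCESS_DENIED(_OBJECT)_ACE
    trustee_sid: str                  # SID the ACE applies to
    mask: int                         # access mask
    object_type: Optional[uuid.UUID] = None  # control-access-right GUID; None means every such right


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: FrozenSet[str]

    def sids(self) -> FrozenSet[str]:
        return self.group_sids | {self.user_sid}


def ace_applies(ace: Ace, token_sids: FrozenSet[str], requested_right: uuid.UUID) -> bool:
    """An ACE is relevant only if it names a SID in the token, carries the
    control-access bit, and its GUID is absent or equal to the requested right."""
    if ace.trustee_sid not in token_sids:
        return False
    if not ace.mask & RIGHT_DS_CONTROL_ACCESS:
        return False
    return ace.object_type is None or ace.object_type == requested_right


def check_control_access(token: Token, dacl: List[Ace], requested_right: uuid.UUID) -> bool:
    """Return True if the first applicable ACE grants the right; False if it
    denies it or if no ACE applies (an empty DACL grants nothing)."""
    token_sids = token.sids()
    for ace in dacl:
        if ace_applies(ace, token_sids, requested_right):
            return ace.allow
    return False


# Constructed DACL in canonical order: deny ACEs first, then allow ACEs.
SAMPLE_DACL = [
    Ace(False, SID_CONTRACTORS, RIGHT_DS_CONTROL_ACCESS, RIGHT_RESET_PASSWORD),
    Ace(True, SID_HELPDESK, RIGHT_DS_CONTROL_ACCESS, RIGHT_RESET_PASSWORD),
    Ace(True, SID_HELPDESK, RIGHT_DS_WRITE_PROP, RIGHT_REANIMATE),  # wrong bit: grants nothing here
    Ace(True, SID_DOMAIN_ADMINS, RIGHT_DS_CONTROL_ACCESS, None),    # all control access rights
]

ALICE = Token(SID_ALICE, frozenset({SID_HELPDESK}))
BOB = Token(SID_BOB, frozenset({SID_HELPDESK, SID_CONTRACTORS}))
CAROL = Token(SID_CAROL, frozenset({SID_DOMAIN_ADMINS}))


if __name__ == "__main__":
    for who, tok in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for name, right in (("reset-password", RIGHT_RESET_PASSWORD), ("reanimate", RIGHT_REANIMATE)):
            print(who, name, check_control_access(tok, SAMPLE_DACL, right))
```

Alice (helpdesk only) is granted the reset-password right and nothing else; Bob is denied it despite also being in the helpdesk group, because the deny ACE for contractors is reached first; Carol is granted every control access right through the ACE that names no GUID. The third ACE shows that an ACE whose GUID matches but whose mask lacks the control-access bit does not confer the right.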