Create a Rule to Permit or Deny Users Based on an Incoming Claim

Applies To: Windows Server 2016, Windows Server 2012 R2

In Windows Server 2016, you can use an Access Control Policy to create a rule that will permit or deny users based on an incoming claim. In Windows Server 2012 R2, using the Permit or Deny Users Based on an Incoming Claim rule template in Active Directory Federation Services (AD FS), you can create an authorization rule that will grant or deny users access to the relying party based on the type and value of an incoming claim.

For example, you can use this to create a rule that will permit only users that have a group claim with a value of Domain Admins to access the relying party. If you want to permit all users to access the relying party, use the Permit Everyone Access Control Policy or the Permit All Users rule template, depending on your version of Windows Server. Users who are permitted to access the relying party by the Federation Service may still be denied service by the relying party itself.

You can use the following procedure to create a claim rule with the AD FS Management snap-in.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To create a rule to permit users based on an incoming claim on Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Access Control Policies.

  3. Right-click and select Add Access Control Policy.

  4. In the Name box, enter a name for your policy and a description, and then click Add.

  5. In the Rule Editor, under Users, select the check box for "with specific claims in the request", and then click the underlined "specific" at the bottom.

  6. On the Select Claims screen, click the Claims radio button, select the Claim type, the Operator, and the Claim value, and then click OK.

  7. In the Rule Editor, click OK. On the Add Access Control Policy screen, click OK.

  8. In the AD FS Management console tree, under AD FS, click Relying Party Trusts.

  9. Right-click the relying party trust that you want to permit access to, and then select Edit Access Control Policy.

  10. On the Access Control Policy screen, select your policy, and then click Apply and OK.

To create a rule to deny users based on an incoming claim on Windows Server 2016

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Access Control Policies.

  3. Right-click and select Add Access Control Policy.

  4. In the Name box, enter a name for your policy and a description, and then click Add.

  5. In the Rule Editor, make sure Everyone is selected and, under Except, select the check box for "with specific claims in the request", and then click the underlined "specific" at the bottom.

  6. On the Select Claims screen, click the Claims radio button, select the Claim type, the Operator, and the Claim value, and then click OK.

  7. In the Rule Editor, click OK. On the Add Access Control Policy screen, click OK.

  8. In the AD FS Management console tree, under AD FS, click Relying Party Trusts.

  9. Right-click the relying party trust that this policy should apply to, and then select Edit Access Control Policy.

  10. On the Access Control Policy screen, select your policy, and then click Apply and OK.

To create a rule to permit or deny users based on an incoming claim on Windows Server 2012 R2

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships\Relying Party Trusts, click the specific trust in the list for which you want to create this rule.

  3. Right-click the selected trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, click the Issuance Authorization Rules tab or the Delegation Authorization Rules tab (based on the type of authorization rule you require), and then click Add Rule to start the Add Authorization Claim Rule Wizard.

  5. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim from the list, and then click Next.

  6. On the Configure Rule page, under Claim rule name, type the display name for this rule; in Incoming claim type, select a claim type from the list; under Incoming claim value, type a value or click Browse (if it is available) and select a value; and then select one of the following options, depending on the needs of your organization:

    • Permit access to users with this incoming claim

    • Deny access to users with this incoming claim

  7. Click Finish.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.
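The wizard above writes rules in the AD FS claim rule language. The following added example (not code from this page or from Microsoft) shows what the same permit and deny authorization rules look like when set with the ADFS PowerShell module on Windows Server 2012 R2, which is useful for scripting the procedure and for reviewing what a relying party trust actually enforces. The relying party trust display name "Claims App" and the two group SIDs are constructed placeholders; the claim type and permit/deny issuance URIs are the ones AD FS uses. It deliberately matches on the group SID claim rather than a group display name, so that renaming the "Domain Admins" group cannot silently change who is authorized.

```powershell
# Added example, not from the page. Requires the ADFS module on the federation
# server and membership in the local Administrators group (see above).
Import-Module ADFS

$rpName = 'Claims App'   # placeholder: display name of an existing relying party trust

# Two authorization rules in AD FS claim rule language:
#  - deny anyone whose token carries the group SID of a "Contractors" group
#  - permit anyone whose token carries the Domain Admins group SID (well-known RID 512)
# Both SIDs are constructed placeholders; replace the domain portion with your own.
# AD FS denies access if ANY rule issues a deny claim, even when a permit claim is
# also issued, so the deny rule cannot be bypassed by the permit rule below it.
$rules = @'
@RuleTemplate = "Authorization"
@RuleName = "Deny Contractors"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1105$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

@RuleTemplate = "Authorization"
@RuleName = "Permit Domain Admins"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-512$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Replace the issuance authorization rule set of the trust with the rules above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Review what is now in effect. An empty rule set means no user is authorized,
# and a rule set containing only "Permit All Users" means every authenticated
# user is authorized, which is worth checking after any change.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The last line is the check a reviewer wants after the wizard runs: the rule text stored on the trust, not the wizard's summary, is what AD FS evaluates. On Windows Server 2016, authorization for a trust is normally expressed through an Access Control Policy as in the earlier procedures; the rule-language form is still what AD FS evaluates underneath, so reading it back with Get-AdfsRelyingPartyTrust remains a useful verification step there as well.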

Additional references

Configure Claim Rules

Checklist: Creating Claim Rules for a Relying Party Trust

When to Use an Authorization Claim Rule

The Role of Claims

The Role of Claim Rules