How to use central access policies for dynamic access control
You can use Central Access Policies (CAPs) to control access dynamically. For developers working with Dynamic Access Control, the Active Directory module for Windows PowerShell provides cmdlets for managing the underlying directory objects. We recommend using these cmdlets for directory-related operations because they enforce all of the key constraints on these objects. If your code must interact with Active Directory directly over another interface (for example, LDAP), you must observe the following constraints yourself when managing claim type, resource property, central access rule, central access policy, and resource property list objects.
In general, the validations stated in this topic apply to create and set operations. On read operations, keep your validation consistent with the schema requirements so that existing information is displayed correctly.
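The following script is an added example and is not code from the original page or from the TechNet demonstration it links to. It walks the create/set side of the procedure end to end with the Active Directory module cmdlets, so each object is validated against its schema constraints before it lands in the configuration naming context. The object names ("Department", "Department_MS", "Finance Documents Rule", "Finance Policy"), the claim ID, the SDDL and the resource condition are assumptions for a hypothetical Finance scenario; the only pre-existing names it relies on are the default "Global Resource Property List" and the "department" user attribute.

```powershell
# Added example, not the page's own code. Deploys a Central Access Policy with
# the ActiveDirectory module cmdlets. Run with rights on the Claims Configuration
# container (Domain Admins will do) against a Windows Server 2012 or later forest.
# All names, IDs and ACL strings below are assumptions for a Finance scenario.
Import-Module ActiveDirectory

# 1. Claim type: a user claim sourced from the 'department' attribute. The explicit
#    ID is what conditional ACEs reference later, with the "ad://ext/" prefix dropped
#    (that is, @USER.Department), so fixing it avoids a generated ID with a random suffix.
$claim = Get-ADClaimType -Filter { DisplayName -eq 'Department' }
if (-not $claim) {
    $claim = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
                 -ID 'ad://ext/Department' -AppliesToClasses @('user') -PassThru
}

# 2. Resource property: the classification users tag files with. Its ID is stored
#    as the object's CN under CN=Resource Properties. Windows Server 2012 ships a
#    disabled 'Department' property with ID Department_MS; reuse it if present.
$rp = Get-ADResourceProperty -Filter { Name -eq 'Department_MS' }
if (-not $rp) {
    $finance = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
                   'Finance', 'Finance', 'Finance department documents')
    $rp = New-ADResourceProperty -DisplayName 'Department' -ID 'Department_MS' `
              -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
              -SuggestedValues $finance -PassThru
}
Set-ADResourceProperty -Identity $rp -Enabled $true

#    File servers only pick up properties that are members of a resource property
#    list; add it to the default list unless it is already there.
$list = Get-ADResourcePropertyList -Identity 'Global Resource Property List'
if ($list.Members -notcontains $rp.DistinguishedName) {
    Add-ADResourcePropertyListMember -Identity $list -Members $rp
}

# 3. Central access rule: applies only to resources classified Department=Finance
#    and grants read/execute (0x1200a9) to authenticated users whose Department
#    claim is Finance. Owner, Administrators and SYSTEM keep full control.
$ruleName = 'Finance Documents Rule'
$rule = Get-ADCentralAccessRule -Filter { Name -eq $ruleName }
if (-not $rule) {
    $rule = New-ADCentralAccessRule -Name $ruleName `
        -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
        -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;(@USER.Department == "Finance"))' `
        -PassThru
}

# 4. Central access policy that carries the rule. A policy with no members is
#    legal but useless, so the membership is checked rather than assumed.
$policyName = 'Finance Policy'
$policy = Get-ADCentralAccessPolicy -Filter { Name -eq $policyName }
if (-not $policy) {
    $policy = New-ADCentralAccessPolicy -Name $policyName -PassThru
}
if ($policy.Members -notcontains $rule.DistinguishedName) {
    Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule
}

# What exists now in the directory. Publishing the policy to file servers is a
# separate Group Policy step (Security Settings > File System > Central Access
# Policy), after which it can be selected on a folder's Security tab.
Get-ADCentralAccessPolicy -Identity $policy -Properties Members
```

Each lookup-before-create makes the script safe to re-run: the cmdlets reject a duplicate display name or ID, which is exactly the kind of constraint the page warns you to enforce yourself if you write these objects over LDAP instead.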
What you need to know
Technologies
Prerequisites
- The Active Directory module for Windows PowerShell validates data input for you. For more information, see Deploy a Central Access Policy (Demonstration Steps) on TechNet.
Steps
| Topic | Description |
|---|---|
| Dynamic Access Control objects in Active Directory | All of the objects mentioned in this scenario live in the configuration naming context of Active Directory, so they are replicated throughout the entire forest. |
| Enumerating Dynamic Access Control objects | This code sample enumerates all of the Dynamic Access Control objects in Active Directory. |
| Claim type | A claim type (msDS-ClaimType) resides in the msDS-ClaimTypes container and is used in ACL conditional expressions and in central access rule expressions. |
| Resource property | A resource property (msDS-ResourceProperty) resides in the msDS-ResourceProperties container. It is used to classify files on a Windows Server 2012 file server and in central access rule expressions. |
| Central Access Rule | This topic describes a Central Access Rule (CAR). |
| Central Access Policy | This topic describes a Central Access Policy (CAP). |
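The enumeration sample referenced in the table is not reproduced on this page, so here is an added example of that step (my code, not the page's). It lists every Dynamic Access Control object twice, once through the module cmdlets and once through a raw LDAP search rooted at the Claims Configuration container in the configuration naming context, and then checks that both views return the same objects. It assumes the ActiveDirectory module is installed and a Windows Server 2012 or later domain controller is reachable; the container path and object class names are the standard ones, but no object names are assumed.

```powershell
# Added example (not from the original page): enumerate all Dynamic Access
# Control objects via the cmdlets and via LDAP, then compare the two views.
Import-Module ActiveDirectory

# View 1: the cmdlets, one per object class.
$viaCmdlets = [ordered]@{
    'msDS-ClaimType'            = @(Get-ADClaimType            -Filter *)
    'msDS-ResourceProperty'     = @(Get-ADResourceProperty     -Filter *)
    'msDS-ResourcePropertyList' = @(Get-ADResourcePropertyList -Filter *)
    'msDS-CentralAccessRule'    = @(Get-ADCentralAccessRule    -Filter *)
    'msDS-CentralAccessPolicy'  = @(Get-ADCentralAccessPolicy  -Filter *)
}

# View 2: LDAP. Every DAC object lives under CN=Claims Configuration,CN=Services
# in the configuration NC, which is why they replicate to all DCs in the forest.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$claimsCfg = "CN=Claims Configuration,CN=Services,$configNC"
$viaLdap   = [ordered]@{}
foreach ($class in $viaCmdlets.Keys) {
    $viaLdap[$class] = @(Get-ADObject -LDAPFilter "(objectClass=$class)" `
                                      -SearchBase $claimsCfg -SearchScope Subtree `
                                      -Properties displayName)
}

# Show each object with the container it resides in (the parent of its DN).
# The split assumes no escaped commas in the RDN, which holds for these objects.
foreach ($class in $viaLdap.Keys) {
    Write-Output "`n$class"
    foreach ($obj in $viaLdap[$class]) {
        $container = ($obj.DistinguishedName -split ',', 2)[1]
        Write-Output ('  {0,-45} in {1}' -f $obj.Name, $container)
    }
}

# Consistency check: both paths should return the same set of DNs per class.
# If they differ, first make sure both queries hit the same DC (add -Server to
# every call) to rule out replication lag, then inspect the odd objects out.
$report = foreach ($class in $viaCmdlets.Keys) {
    $a = @($viaCmdlets[$class] | Select-Object -ExpandProperty DistinguishedName | Sort-Object)
    $b = @($viaLdap[$class]    | Select-Object -ExpandProperty DistinguishedName | Sort-Object)
    [pscustomobject]@{
        ObjectClass = $class
        ViaCmdlets  = $a.Count
        ViaLdap     = $b.Count
        Consistent  = (($a -join '|') -eq ($b -join '|'))
    }
}
$report | Format-Table -AutoSize
```

The read-only LDAP path is the one case where the page does not ask you to re-implement the cmdlets' constraints; the comparison is still worth running before you start writing over LDAP, because it shows you exactly which containers and object classes your own code will have to keep consistent.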
Additional resources
- Deploy a Central Access Policy (Demonstration Steps)
- The Extensible File Classification Infrastructure
- Working with File Classification
- How to enrich audit reporting
Build date: 11/28/2012