2.5.1.1.3 Check ACL Inheritance Access

Goal

Verify the access rights of the user to access a file on a remote file share and that the file has inheritable permissions from its parent object.

Context of Use

The user of the file client needs to access an existing file on a remote file share, and the file server needs to verify the access rights of the user before providing access to a file that has both explicit access permissions and inheritable permissions from a parent object. Therefore, the file server interacts with the authorization system via the file system resource manager to verify the access rights of the user, as described in this use case.

Actors

Except for the CAP Admin client actor, all the actors are as described in section 2.5.1.1.1.

Stakeholders

The primary interest of a user is to access the file on the remote file server.

Preconditions

  • The user of the file client has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].

  • The administrator using the Admin client has configured explicit and inherited access permissions for the requesting user to open the file on a remote file share.

  • The file server obtains the access token for the requesting user, as described in section 2.5.1.3, and the file server makes a request to the file system resource manager by passing the obtained user access token (which is also called security context), access rights, and other information, as described in [MS-FSA] section 2.1.5.1.

Main success scenario

  1. Trigger: The user tries to access an existing file on a remote file share using the file client application.

  2. The file system processes the request per the processing rules, as specified in [MS-FSA] sections 2.1.5.1 and 2.1.5.1.2.1. These processing rules call the access check algorithm specified in [MS-DTYP] section 2.5.3.2 to verify the user's access rights against the access permissions on the object's security descriptor.

  3. If verification succeeds, the access check algorithm returns success to the file system resource manager, indicating user access is granted.

Postcondition

The user of the file client is granted access to a file on the remote file share.
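
The evaluation in step 2 of the main success scenario can be illustrated with a simplified DACL walk over a file that carries both explicit and inherited ACEs. This is an added example, not text or code from the specification: the names Ace, canonical_order and access_check and the sample SIDs are constructed for illustration. It assumes the usual Windows canonical ACE ordering (explicit before inherited, deny before allow within each group) and omits owner rights, privileges, MAXIMUM_ALLOWED, object and conditional ACEs, and central access policies.

```python
# Simplified DACL walk in the spirit of the access check in [MS-DTYP] 2.5.3.2.
# Added illustration only; not the full algorithm from the specification.
from dataclasses import dataclass

FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
INHERITED_ACE = 0x10  # ACE flag: the ACE was inherited from the parent object

@dataclass(frozen=True)
class Ace:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int
    flags: int = 0

def canonical_order(dacl):
    """Explicit ACEs before inherited ones; deny before allow in each group."""
    return sorted(dacl, key=lambda a: (bool(a.flags & INHERITED_ACE), a.allow))

def access_check(dacl, token_sids, desired):
    """Walk ACEs in order; grant once every desired bit has been allowed."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE does not apply to this token
        if ace.allow:
            remaining &= ~ace.mask        # these bits are now granted
        elif ace.mask & remaining:
            return False                  # a still-needed bit is denied
        if remaining == 0:
            return True
    return False                          # some requested bit was never granted

# Constructed sample data: placeholder SIDs and ACEs, not from the page.
USER, GROUP = "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-2001"
TOKEN = {USER, GROUP}
RAW_DACL = [
    Ace(True, GROUP, FILE_READ_DATA, INHERITED_ACE),    # inherited allow
    Ace(False, GROUP, FILE_WRITE_DATA, INHERITED_ACE),  # inherited deny
    Ace(True, USER, FILE_WRITE_DATA),                   # explicit allow on file
]
DACL = canonical_order(RAW_DACL)

if __name__ == "__main__":
    print(access_check(DACL, TOKEN, FILE_READ_DATA | FILE_WRITE_DATA))
```

Because the walk stops at the first decisive ACE, the same three ACEs give a different result when they are not in canonical order, which is why ACE ordering on the file is worth checking when an inherited deny appears to be ignored or an explicit grant appears to have no effect.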