2.5.1.2.2 Check Simple Access

Goal

Verify that the user holds the access rights required to access an Active Directory object on the Active Directory server.

Context of Use

The user of the Active Directory client needs to access an Active Directory object on the Active Directory server, and the Active Directory server must verify the user's access rights before granting that access. To do so, the Active Directory server invokes the authorization system through the Active Directory resource manager, which verifies the requested access rights as described in this use case.

Actors

The actors are the same as described in section 2.5.1.2.1.

Stakeholders

The primary interest of the user of the Active Directory client is to read all information associated with the object.

Preconditions

  • The identity of the user has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].

  • The administrator has configured the required access permissions for the user on the Active Directory object using the Admin tool.

  • The Active Directory server has obtained the access token for the requesting user, as described in section 2.5.1.3, and has already sent a request to the Active Directory resource manager, passing the user's access token (also called the security context), the requested access rights, and other information.

  • The object's security descriptor has already undergone the SID substitution for Principal Self ([MS-ADTS] section 5.1.3.3).

Main success scenario

  1. Trigger: The user of the Active Directory client makes a request to the Active Directory server to read all the information associated with an Active Directory object.

  2. The Active Directory resource manager verifies the requested access rights of the user against the permissions in the object's security descriptor, as described in [MS-ADTS] section 5.1.3.3.2.

  3. If the verification succeeds, then the Active Directory resource manager returns success to the Active Directory server, indicating that the user has been granted access to the requested Active Directory object.

Postcondition

The Active Directory server grants the user read access to all the information associated with the requested Active Directory object.
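The following is an added worked example, not code from the specification or from any Microsoft implementation, that models the simple access check above in miniature: a security descriptor with a DACL, an access token holding the user's SIDs, and a requested access mask. It first performs the Principal Self substitution named in the preconditions (the well-known SID S-1-5-10 is replaced with the SID of the object being accessed) and then walks the DACL in order, the way a Windows-style access check does: an allow ACE whose SID appears in the token clears the matching bits from the outstanding request, a deny ACE whose SID appears in the token and whose mask overlaps the outstanding bits refuses access, inherit-only ACEs are skipped, a NULL DACL grants everything, and the owner is implicitly granted READ_CONTROL and WRITE_DAC. The access-mask bit values are the documented Windows values; the domain SID, the users, the sample DACL and the function names are all constructed for this illustration and are not taken from the page, and the evaluation logic is a simplification of [MS-ADTS] section 5.1.3.3.2 (object-type ACEs, for example, are not modeled).

```python
"""Miniature model of the Active Directory simple access check.

Added example, not the specification's or Microsoft's code. Access-mask
bit values are the documented Windows values; the SIDs, accounts, sample
DACL and function names are constructed for illustration only.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

# Documented Windows access-mask bits (subset used here).
RIGHT_DS_LIST_CONTENTS = 0x00000004
RIGHT_DS_READ_PROPERTY = 0x00000010
RIGHT_DS_WRITE_PROPERTY = 0x00000020
RIGHT_READ_CONTROL = 0x00020000
RIGHT_WRITE_DAC = 0x00040000
INHERIT_ONLY_ACE = 0x08          # ACE flag: applies to children, not this object

# "Read all information associated with the object", as requested by the client.
READ_ALL = RIGHT_DS_LIST_CONTENTS | RIGHT_DS_READ_PROPERTY | RIGHT_READ_CONTROL

# Well-known SIDs.
PRINCIPAL_SELF = "S-1-5-10"      # replaced by the object's own SID before the check
AUTHENTICATED_USERS = "S-1-5-11"

# Constructed sample domain and principals (hypothetical values).
DOMAIN = "S-1-5-21-1111-2222-3333"
DOMAIN_ADMINS = DOMAIN + "-512"
DOMAIN_USERS = DOMAIN + "-513"
ALICE = DOMAIN + "-1104"         # the user object being accessed belongs to Alice
BOB = DOMAIN + "-1105"


@dataclass(frozen=True)
class Ace:
    allow: bool                  # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str
    mask: int
    flags: int = 0


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]    # None models a NULL DACL (everyone gets everything)


@dataclass(frozen=True)
class Token:
    sids: FrozenSet[str]         # user SID plus group SIDs from the access token


def substitute_principal_self(sd: SecurityDescriptor, object_sid: str) -> SecurityDescriptor:
    """Precondition step: rewrite S-1-5-10 ACEs to name the accessed object's SID."""
    if sd.dacl is None:
        return sd
    dacl = [replace(ace, sid=object_sid) if ace.sid == PRINCIPAL_SELF else ace
            for ace in sd.dacl]
    return replace(sd, dacl=dacl)


def check_simple_access(sd: SecurityDescriptor, token: Token, requested: int) -> bool:
    """Return True only if every requested bit is granted and no applicable deny hits."""
    if sd.dacl is None:                      # NULL DACL: unrestricted access
        return True
    remaining = requested
    if sd.owner in token.sids:               # owner implicitly holds READ_CONTROL | WRITE_DAC
        remaining &= ~(RIGHT_READ_CONTROL | RIGHT_WRITE_DAC)
    for ace in sd.dacl:                      # ACE order matters: first applicable deny wins
        if remaining == 0:
            break
        if ace.flags & INHERIT_ONLY_ACE or ace.sid not in token.sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
    return remaining == 0


def sample_security_descriptor() -> SecurityDescriptor:
    """Constructed DACL on Alice's user object (not a real default security descriptor)."""
    return SecurityDescriptor(owner=DOMAIN_ADMINS, dacl=[
        Ace(False, DOMAIN_USERS, RIGHT_WRITE_DAC),                              # ordinary users may not rewrite the DACL
        Ace(True, PRINCIPAL_SELF, RIGHT_DS_READ_PROPERTY | RIGHT_DS_WRITE_PROPERTY),  # the object's own principal may edit it
        Ace(True, AUTHENTICATED_USERS, READ_ALL),                               # everyone authenticated may read it
        Ace(True, AUTHENTICATED_USERS, RIGHT_DS_WRITE_PROPERTY, flags=INHERIT_ONLY_ACE),  # child objects only
    ])


def run_scenarios() -> dict:
    """Evaluate the use case (read all) plus a few edge cases; returns name -> granted."""
    raw_sd = sample_security_descriptor()
    sd = substitute_principal_self(raw_sd, object_sid=ALICE)
    alice = Token(frozenset({ALICE, DOMAIN_USERS, AUTHENTICATED_USERS}))
    bob = Token(frozenset({BOB, DOMAIN_USERS, AUTHENTICATED_USERS}))
    admin = Token(frozenset({DOMAIN_ADMINS, AUTHENTICATED_USERS}))
    return {
        "alice_read_all": check_simple_access(sd, alice, READ_ALL),                    # True
        "bob_read_all": check_simple_access(sd, bob, READ_ALL),                        # True
        "alice_write_property": check_simple_access(sd, alice, RIGHT_DS_WRITE_PROPERTY),  # True, via Self
        "bob_write_property": check_simple_access(sd, bob, RIGHT_DS_WRITE_PROPERTY),   # False, inherit-only ACE ignored
        "alice_write_dac": check_simple_access(sd, alice, RIGHT_WRITE_DAC),            # False, deny ACE hits first
        "owner_write_dac": check_simple_access(sd, admin, RIGHT_WRITE_DAC),            # True, implicit owner right
        "alice_write_without_self_substitution":
            check_simple_access(raw_sd, alice, RIGHT_DS_WRITE_PROPERTY),               # False, precondition skipped
        "null_dacl_write_dac": check_simple_access(
            SecurityDescriptor(owner=DOMAIN_ADMINS, dacl=None), bob, RIGHT_WRITE_DAC),  # True
    }


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name:40s} {'granted' if granted else 'denied'}")
```

Two of the scenarios are the ones a practitioner should keep in mind when reasoning about this use case: the deny ACE refuses WRITE_DAC to Alice even though a later ACE would allow her to write properties, because evaluation stops at the first applicable deny that overlaps the outstanding bits; and the same request fails when the Principal Self substitution from the preconditions is skipped, because no SID in Alice's token literally equals S-1-5-10.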