2.5.1.2.5 Control Validated Write-Based Access
Goal
Verify the write access requested by the user of the Active Directory client to modify attributes of an Active Directory object.
Context of Use
The user requesting access to attributes has validated write access permissions configured on an Active Directory object. Therefore, the Active Directory server is required to validate the values of the attributes being written. For more information, see [MS-ADTS] section 5.1.3.2.2.
Actors
The actors are the same as described in section 2.5.1.2.1.
Stakeholders
The primary interest of the user of the Active Directory client is to write the values onto the attributes.
Preconditions
The identity of the user has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].
The Administrator has configured the required attribute level access permissions for the user on the Active Directory object using the Admin tool.
The Active Directory server obtained the access token for the requesting user, as described in section 2.5.1.3, and it already sent a request to the Active Directory resource manager by passing the user's access token (which is also called security context), the validated rights GUID ([MS-ADTS] section 5.1.3.2.2), and other information.
The object's security descriptor has already undergone the SID substitution for Principal Self ([MS-ADTS] section 5.1.3.3).
Main success scenario
Trigger: The user makes a request to the Active Directory server using the Active Directory client to get write access to an object's attributes that are controlled by validated rights.
The Active Directory resource manager verifies the access rights of the user against the permissions on the object's security descriptor, as described in [MS-ADTS] section 5.1.3.3.5.
If the verification succeeds, then the Active Directory resource manager returns success to the Active Directory server, indicating that the user has been granted access to the requested Active Directory object.
Postcondition
The Active Directory server enables the user to perform a requested write operation.
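The following Python model is an added illustration of the check in the main success scenario, not code from this specification: the DACL first undergoes Principal Self substitution with the target object's SID (the precondition above), and then the resource manager looks for an object ACE whose trustee is in the requester's token, whose mask carries the validated-write bit, and whose object type matches the requested validated rights GUID. The GUID values and SIDs other than the well-known Principal Self SID are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Well-known Principal Self SID and the validated-write access right bit
# (RIGHT_DS_WRITE_PROPERTY_EXTENDED, [MS-ADTS] section 5.1.3.2).
PRINCIPAL_SELF_SID = "S-1-5-10"
RIGHT_DS_WRITE_PROPERTY_EXTENDED = 0x00000008

# Constructed validated-rights GUID for this example (not a real schema value).
VALIDATED_RIGHT_GUID = "11111111-2222-3333-4444-555555555555"

@dataclass
class Ace:
    """One object ACE of the DACL: trustee, access mask and the rights GUID it covers."""
    allow: bool
    trustee_sid: str
    access_mask: int
    object_type: Optional[str] = None   # None: ACE applies to every validated right

@dataclass
class AccessToken:
    """The requester's security context: its own SID plus its group SIDs."""
    user_sid: str
    group_sids: Set[str]

def substitute_principal_self(dacl: List[Ace], object_sid: str) -> List[Ace]:
    """Precondition from the use case: Principal Self becomes the target object's SID."""
    return [
        Ace(a.allow, object_sid if a.trustee_sid == PRINCIPAL_SELF_SID else a.trustee_sid,
            a.access_mask, a.object_type)
        for a in dacl
    ]

def check_validated_write(dacl: List[Ace], object_sid: str,
                          token: AccessToken, right_guid: str) -> bool:
    """Decide one validated-write request: the first matching ACE in DACL order wins,
    and a DACL with no matching ACE is an implicit deny."""
    token_sids = {token.user_sid} | token.group_sids
    for ace in substitute_principal_self(dacl, object_sid):
        if ace.trustee_sid not in token_sids:
            continue    # ACE is not about this requester
        if not ace.access_mask & RIGHT_DS_WRITE_PROPERTY_EXTENDED:
            continue    # ACE does not carry the validated-write bit
        if ace.object_type is not None and ace.object_type.lower() != right_guid.lower():
            continue    # ACE covers a different validated right
        return ace.allow
    return False
```

Because substitution uses the object's SID, a Principal Self ACE grants the validated write only when the requester is writing to its own object; any other object, any other rights GUID, or an earlier matching deny ACE results in denial.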