2.5.1.2.5 Control Validated Write-Based Access

Goal

Verify that the user of the Active Directory client holds the validated write access required to modify attributes of an Active Directory object.

Context of Use

The user requesting the write has been granted validated write permissions on an Active Directory object. Because the permission is a validated write rather than a plain write, the Active Directory server is required to validate the values of the attributes being written before applying them. For more information, see [MS-ADTS] section 5.1.3.2.2.

Actors

The actors are the same as described in section 2.5.1.2.1.

Stakeholders

The primary interest of the user of the Active Directory client is to write the values to the attributes of the object.

Preconditions

  • The identity of the user has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].

  • The Administrator has configured the required attribute-level validated write permissions for the user on the Active Directory object using the Admin tool.

  • The Active Directory server has obtained the access token for the requesting user, as described in section 2.5.1.3, and has already sent a request to the Active Directory resource manager, passing the user's access token (also called the security context), the validated rights GUID ([MS-ADTS] section 5.1.3.2.2), and other information.

  • The object's security descriptor has already undergone the SID substitution for Principal Self ([MS-ADTS] section 5.1.3.3).

Main success scenario

  1. Trigger: The user makes a request to the Active Directory server, using the Active Directory client, for write access to an object's attributes that are protected by validated write rights.

  2. The Active Directory resource manager verifies the access rights of the user against the permissions on the object's security descriptor, as described in [MS-ADTS] section 5.1.3.3.5.

  3. If the verification succeeds, then the Active Directory resource manager returns success to the Active Directory server, indicating that the user has been granted the requested validated write access to the Active Directory object.

Postcondition

The Active Directory server allows the user to perform the requested write operation.
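The following is an added worked example, not code from this specification or from Windows: a simplified Python model of the check the resource manager performs in step 2, including the Principal Self SID substitution from the preconditions. It uses the well-known Principal Self SID (S-1-5-10), the RIGHT_DS_WRITE_PROPERTY_EXTENDED access bit (0x8) used for validated writes, and the schema GUIDs for the Self-Membership and Validated-SPN control access rights; every other SID in the scenario is constructed for the illustration. The ACE-ordering assumption (canonical order, explicit deny before allow) and the single value check for Self-Membership are simplifications of the full [MS-ADTS] algorithm.

```python
# Added illustration (not Windows or MS-ADTS code): a simplified model of the
# validated-write access check from [MS-ADTS] 5.1.3.3.5, preceded by the
# Principal Self SID substitution from [MS-ADTS] 5.1.3.3. Real DACL evaluation
# has more rules (inheritance, object-type trees, owner rights, null DACLs);
# this model keeps only what the use case above exercises.
from dataclasses import dataclass
from typing import Optional

PRINCIPAL_SELF = "S-1-5-10"                    # well-known "Principal Self" SID
RIGHT_DS_WRITE_PROPERTY_EXTENDED = 0x00000008  # access bit used for validated writes

# Validated-write control access right GUIDs defined in the AD schema
SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # "Add/remove self as member"
VALIDATED_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"     # "Validated write to service principal name"


@dataclass(frozen=True)
class Ace:
    allow: bool                        # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    sid: str                           # trustee
    mask: int                          # access mask
    object_type: Optional[str] = None  # validated-write GUID; None = applies to all


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset


def substitute_principal_self(dacl, object_sid):
    """[MS-ADTS] 5.1.3.3: S-1-5-10 in the object's DACL means 'the object itself'."""
    return [
        Ace(a.allow, object_sid if a.sid == PRINCIPAL_SELF else a.sid, a.mask, a.object_type)
        for a in dacl
    ]


def check_validated_write(dacl, token, validated_write_guid):
    """Return True if the token is granted RIGHT_DS_WRITE_PROPERTY_EXTENDED for the GUID.

    ACEs are assumed to be in canonical order (explicit deny before allow), so the
    first ACE that names one of the token's SIDs, carries the validated-write bit
    and matches the GUID (or carries no object type) decides the outcome.
    """
    token_sids = token.group_sids | {token.user_sid}
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.mask & RIGHT_DS_WRITE_PROPERTY_EXTENDED:
            continue
        if ace.object_type not in (None, validated_write_guid):
            continue
        return ace.allow
    return False  # no matching ACE: denied


def validate_self_membership_value(token, member_sid):
    """Value check for Self-Membership: only the requester's own SID may be added or removed."""
    return member_sid == token.user_sid


def scenario():
    """Constructed example (made-up SIDs): a group object whose DACL lets members of a
    role group add themselves, and a computer object whose DACL lets the computer
    account (via Principal Self) maintain its own SPNs while one account is denied."""
    role_group = "S-1-5-21-1-2-3-1105"
    alice = Token("S-1-5-21-1-2-3-1106", frozenset({role_group}))
    mallory = Token("S-1-5-21-1-2-3-1107", frozenset())

    # Group object: role_group holds Self-Membership and nothing else
    group_dacl = [Ace(True, role_group, RIGHT_DS_WRITE_PROPERTY_EXTENDED, SELF_MEMBERSHIP)]

    # Computer object: explicit deny for mallory, then Principal Self allowed Validated-SPN
    computer_sid = "S-1-5-21-1-2-3-2001"
    computer_dacl_raw = [
        Ace(False, mallory.user_sid, RIGHT_DS_WRITE_PROPERTY_EXTENDED, None),
        Ace(True, PRINCIPAL_SELF, RIGHT_DS_WRITE_PROPERTY_EXTENDED, VALIDATED_SPN),
    ]
    computer_dacl = substitute_principal_self(computer_dacl_raw, computer_sid)
    computer_token = Token(computer_sid, frozenset())

    return {
        # rights check on the group object
        "alice_self_membership": check_validated_write(group_dacl, alice, SELF_MEMBERSHIP),
        "mallory_self_membership": check_validated_write(group_dacl, mallory, SELF_MEMBERSHIP),
        # the validated-right GUID matters: Self-Membership does not grant Validated-SPN
        "alice_spn_on_group": check_validated_write(group_dacl, alice, VALIDATED_SPN),
        # value check: alice may add herself but not mallory
        "alice_adds_self": validate_self_membership_value(alice, alice.user_sid),
        "alice_adds_mallory": validate_self_membership_value(alice, mallory.user_sid),
        # Principal Self: the computer account passes only after SID substitution
        "computer_spn": check_validated_write(computer_dacl, computer_token, VALIDATED_SPN),
        "computer_spn_no_subst": check_validated_write(computer_dacl_raw, computer_token, VALIDATED_SPN),
        "mallory_spn": check_validated_write(computer_dacl, mallory, VALIDATED_SPN),
    }


if __name__ == "__main__":
    for name, granted in scenario().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Two points from the use case show up directly in the results: the computer account is granted Validated-SPN only after S-1-5-10 has been replaced by the object's own SID (the precondition on Principal Self substitution), and holding one validated right does not grant another, because the ACE's object type must match the validated rights GUID passed to the resource manager.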