2.5.1.1.2 Check Simple Access

Goal

Verify the access rights of the user to access a file on a remote file share.

Context of Use

The user of the file client needs to access an existing file on a remote file share, and the file server needs to verify the access rights of the user before providing access to a file. Therefore, the file server interacts with the authorization system through the file system resource manager to verify the requested access rights using this use case.

Actors

Except for the CAP Admin client actor, all the actors are as described in section 2.5.1.1.1.

Stakeholders

The primary interest of a user is to access the file on the remote file server.

Preconditions

  • The user of the file client has been authenticated by the Authentication Services subsystem. For more information, see [MS-AUTHSOD].

  • The administrator using the Admin client has configured the required explicit access permissions for the requesting user to access the file on a remote file share but has not included inherited permissions from the object's parent.

  • The file server obtains the access token for the requesting user, as described in section 2.5.1.3, and the file server makes a request to the file system by passing the user's access token (which is also called security context), access rights, and other information, as described in [MS-FSA] section 2.1.5.1.

Main success scenario

  1. Trigger: The user tries to access an existing file on a remote file share using the file client application.

  2. The file system processes the request per the processing rules, as specified in [MS-FSA] sections 2.1.5.1 and 2.1.5.1.2.1. These processing rules call the access check algorithm, as specified in [MS-DTYP] section 2.5.3.2, to verify the access rights of the user.

  3. If verification succeeds, then the access check algorithm returns success to the file system resource manager, indicating user access is granted.
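The DACL evaluation that step 2 delegates to the access check algorithm, as an added illustration that is not text from the specification. It is a simplified sketch covering only explicit allow and deny ACEs (no owner rights, privileges, object ACEs, or deny-only SIDs); the `Ace` class, the `access_check` function, and the SIDs are constructed for this example.

```python
from dataclasses import dataclass

# File access-mask bits and ACE constants (values as defined in winnt.h)
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE = 0x00010000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
INHERIT_ONLY_ACE = 0x08


@dataclass(frozen=True)
class Ace:                      # hypothetical container for one DACL entry
    ace_type: int
    flags: int
    mask: int
    sid: str


def access_check(token_sids, dacl, desired):
    """Return True only if every bit in `desired` is granted by `dacl`."""
    if dacl is None:            # NULL DACL: object is unprotected
        return True
    remaining = desired
    for ace in dacl:            # evaluated in stored order
        if ace.flags & INHERIT_ONLY_ACE:
            continue            # applies to child objects, not this file
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE and ace.mask & remaining:
            return False        # a still-needed right is explicitly denied
        if ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~ace.mask
        if remaining == 0:
            return True         # all requested rights already granted
    return remaining == 0       # empty DACL or ungranted bits: deny


# Constructed sample data; the SIDs are made-up placeholders.
USER, GROUP = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513"
TOKEN = {USER, GROUP}
DACL = [
    Ace(ACCESS_DENIED_ACE_TYPE, 0, FILE_WRITE_DATA, GROUP),
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0, FILE_READ_DATA | FILE_WRITE_DATA, USER),
    Ace(ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE, DELETE, USER),
]
```

With this sample DACL, a read request succeeds, while a write request fails because the group deny ACE precedes the user allow ACE.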

Postcondition

The user of the file client is granted access to a file on a remote file share.