2.5.1.1.4 Check Conditional ACEs-Based Access

Goal

Verify the access rights of the user to open an existing file on a remote file share that has conditional ACEs configured on it.

Context of Use

The user of the file client needs to access a file on a remote file share, and the file server needs to verify the access rights of the user before granting access to the file. Therefore, the file server interacts with the authorization system through the file system resource manager to verify the requested access rights, as described in this use case.

Actors

Except for the CAP Admin client actor, all the actors are as described in section 2.5.1.1.1.

Stakeholders

The primary interest of a user is to access the file on the remote file server.

Preconditions

  • The user of the file client has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].

  • The administrator using the Admin client has configured explicit, inherited, and conditional access permissions for the requesting user to open the file on a remote file share.

  • The file server obtains the access token for the requesting user as described in section 2.5.1.3, and the file server makes a request to the file system resource manager by passing the obtained user access token (which is also called security context), access rights, and other information, as described in [MS-FSA] section 2.1.5.1.

Main success scenario

  1. Trigger: The user tries to access an existing file on a remote file share using the file client application.

  2. The file system resource manager processes the request as per the processing rules specified in [MS-FSA] sections 2.1.5.1 and 2.1.5.1.2.1. These processing rules call the access check algorithm, as specified in [MS-DTYP] section 2.5.3.2, to verify the user's access rights against the configured access permissions in the object's security descriptor. The algorithm walks the DACL in order; a conditional ACE is applied only if its conditional expression evaluates to TRUE against the claims and group SIDs in the user's access token, and is skipped if the expression evaluates to FALSE or UNKNOWN (for example, because a referenced claim is absent from the token).

  3. If verification succeeds, the access check algorithm returns success to the file system resource manager, indicating user access is granted.
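The following is an added example, not code from [MS-AZOD], [MS-FSA] or [MS-DTYP]: a simplified Python model of the DACL walk described in the scenario above, with conditional (callback) ACEs evaluated against token claims under TRUE/FALSE/UNKNOWN semantics. The SIDs, claim names, DACL and tokens are constructed for illustration; owner rights, MAXIMUM_ALLOWED, generic-right mapping and the SACL are deliberately left out.

```python
# Added example (not the specification's pseudocode): simplified access check
# with conditional ACEs. All SIDs, claims and the DACL below are constructed.
from dataclasses import dataclass
from typing import Optional

# Access mask bits used in the example (file-object rights).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004

UNKNOWN = None  # third truth value of conditional-expression evaluation


@dataclass
class Token:
    sids: set      # user SID plus group SIDs carried in the access token
    claims: dict   # claim name -> value; a missing claim yields UNKNOWN


@dataclass
class Ace:
    ace_type: str           # "ALLOW", "DENY", "ALLOW_CALLBACK", "DENY_CALLBACK"
    sid: str
    mask: int
    condition: tuple = ()   # expression tree, only used by *_CALLBACK ACEs


def evaluate(cond: tuple, token: Token) -> Optional[bool]:
    """Evaluate a conditional expression to True, False or UNKNOWN (None)."""
    op = cond[0]
    if op == "Exists":
        return cond[1] in token.claims
    if op == "Member_of":          # every listed SID must be in the token
        return set(cond[1]) <= token.sids
    if op == "==":
        value = token.claims.get(cond[1], UNKNOWN)
        return UNKNOWN if value is UNKNOWN else value == cond[2]
    if op == "!":
        inner = evaluate(cond[1], token)
        return UNKNOWN if inner is UNKNOWN else not inner
    if op in ("&&", "||"):
        left, right = evaluate(cond[1], token), evaluate(cond[2], token)
        if op == "&&":
            if left is False or right is False:
                return False
            return UNKNOWN if UNKNOWN in (left, right) else True
        if left is True or right is True:
            return True
        return UNKNOWN if UNKNOWN in (left, right) else False
    raise ValueError(f"unsupported operator {op!r}")


def ace_applies(ace: Ace, token: Token) -> bool:
    """An ACE applies when its trustee SID is in the token and, for a
    conditional ACE, the expression is TRUE; FALSE and UNKNOWN both skip it."""
    if ace.sid not in token.sids:
        return False
    if ace.ace_type.endswith("_CALLBACK"):
        return evaluate(ace.condition, token) is True
    return True


def access_check(token: Token, dacl: Optional[list], desired: int) -> bool:
    """Ordered DACL walk: an applicable DENY covering any still-outstanding
    right denies immediately; ALLOWs clear bits until none remain."""
    if dacl is None:        # NULL DACL: object is unprotected, all access granted
        return True
    remaining = desired
    for ace in dacl:        # empty DACL: loop never runs, nothing is granted
        if remaining == 0:
            break
        if not ace_applies(ace, token):
            continue
        if ace.ace_type.startswith("DENY"):
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
    return remaining == 0


# Constructed DACL for a file on a share: deny writes to low-clearance users,
# let everyone read, and allow writes only to Finance members of an approver group.
EVERYONE = "S-1-1-0"
FINANCE_APPROVERS = "S-1-5-21-1-2-3-1105"   # constructed group SID
DACL = [
    Ace("DENY_CALLBACK", EVERYONE, FILE_WRITE_DATA | FILE_APPEND_DATA,
        ("==", "@USER.Clearance", "Low")),
    Ace("ALLOW", EVERYONE, FILE_READ_DATA),
    Ace("ALLOW_CALLBACK", EVERYONE, FILE_WRITE_DATA | FILE_APPEND_DATA,
        ("&&", ("==", "@USER.Department", "Finance"),
               ("Member_of", [FINANCE_APPROVERS]))),
]

# Constructed tokens (SIDs and claims are illustrative).
alice = Token({EVERYONE, "S-1-5-21-1-2-3-1001", FINANCE_APPROVERS},
              {"@USER.Department": "Finance", "@USER.Clearance": "High"})
bob = Token({EVERYONE, "S-1-5-21-1-2-3-1002"},
            {"@USER.Department": "Finance", "@USER.Clearance": "High"})
carol = Token({EVERYONE, "S-1-5-21-1-2-3-1003", FINANCE_APPROVERS},
              {"@USER.Department": "Finance", "@USER.Clearance": "Low"})
dave = Token({EVERYONE, "S-1-5-21-1-2-3-1004", FINANCE_APPROVERS}, {})


def demo() -> dict:
    return {
        "alice_write": access_check(alice, DACL, FILE_WRITE_DATA),  # True
        "bob_write": access_check(bob, DACL, FILE_WRITE_DATA),      # False: not an approver
        "carol_write": access_check(carol, DACL, FILE_WRITE_DATA),  # False: deny ACE hits first
        "dave_read": access_check(dave, DACL, FILE_READ_DATA),      # True
        "dave_write": access_check(dave, DACL, FILE_WRITE_DATA),    # False: UNKNOWN skips allow
        "empty_dacl": access_check(alice, [], FILE_READ_DATA),      # False
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The two points worth noticing are ACE order and the third truth value: carol satisfies the conditional allow ACE but is denied because the conditional deny ACE precedes it, and dave, whose token carries no claims at all, is neither denied by the clearance check nor granted by the department check, because both conditions evaluate to UNKNOWN and an UNKNOWN conditional ACE is skipped rather than applied.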

Post condition

The user of the file client is granted access to a file on a remote file share.