2.5.1.1.5 Check Claims-Based Access

Goal

Verify the access rights of the user to access a file on a remote CBAC-aware file share.

Context of Use

The user of the file client needs to access an existing file on a remote file share, and the file server needs to verify the access rights of the user before providing access to the file. Therefore, the file server interacts with the authorization system through the file system resource manager to verify the requested access rights, as described in this use case.

Actors

See section 2.5.1.1.1.

Stakeholders

The primary interest of a user is to access the file on the remote file server.

Preconditions

  • The identity of the user and client computer (compound identity) has been authenticated by the Authentication Services subsystem, as described in [MS-KILE] and [MS-AUTHSOD].

  • The Active Directory administrator configured the claim definitions and the user and device claims on Active Directory using the CAP Admin client tool.

  • The Group Policy administrator configured the required central access policies and classification rules for the file servers.

  • The central access policies and classification rules have been applied to the resources of the file server.

  • If the file server is in a different forest than the user, claims in the PAC are transformed, as described in section 2.1.4.3.2.

  • Using this PAC, the file server obtains the access token (with user and device claims) for the requesting user, as described in section 2.5.1.3, and the file server makes a request to the file system resource manager by passing the obtained user access token (which is also called security context), access rights, and other information, as specified in [MS-FSA] section 2.1.5.1.

Main success scenario

  1. Trigger: The user tries to open an existing file on a remote file share using the file client application.

  2. The file system processes the request per the processing rules, as specified in [MS-FSA] sections 2.1.5.1 and 2.1.5.1.2.1. These processing rules call the access check algorithm, as specified in [MS-DTYP] section 2.5.3.2, to verify the user's access rights against the configured access control permissions and central access policies in the object's security descriptor.

  3. If verification succeeds, the access check algorithm returns success to the file system resource manager, indicating user access is granted.
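The following is an added, simplified model of the check described in steps 2 and 3; it is illustration code written for this page, not the [MS-DTYP] section 2.5.3.2 pseudocode or any Windows implementation. It models what makes the claims-based check different from a plain DACL check: conditional ACEs whose claim expressions are evaluated against the compound identity (user claims plus device claims) in the token, and a central access policy whose applicable rules are intersected with the DACL result, so that access is granted only when both the DACL and every applicable central access rule grant every requested bit. The SIDs, claim names, resource property, and the `Managed` device claim are constructed sample values; the object-tree, owner-rights, and privilege handling of the real algorithm are omitted.

```python
"""Simplified claims-based access check (illustration only, not the [MS-DTYP] algorithm)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Access-mask bits; only the three used here are modelled.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020


@dataclass
class Token:
    """Access token built from the PAC: group SIDs plus user and device claims."""
    sids: frozenset
    user_claims: dict
    device_claims: dict


@dataclass
class Ace:
    """One ACE. `condition` models a conditional ACE: a predicate over the token
    that must be true for the ACE to apply. None is an ordinary, unconditional ACE."""
    kind: str                                    # "allow" or "deny"
    sid: str
    mask: int
    condition: Optional[Callable[[Token], bool]] = None


def acl_granted(aces: List[Ace], token: Token, requested: int):
    """Walk an ACL in order, as a DACL or a central access rule is evaluated.
    Returns the subset of `requested` the ACL grants, or None when a deny ACE
    that matches the token still covers a bit that has not yet been granted."""
    remaining = requested
    for ace in aces:
        if ace.sid not in token.sids:
            continue
        if ace.condition is not None and not ace.condition(token):
            continue                             # claim expression false: ACE is skipped
        if ace.kind == "deny":
            if ace.mask & remaining:
                return None
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            break
    return requested & ~remaining


def access_check(dacl, applicable_rules, token, requested) -> bool:
    """Grant only if the DACL and each applicable central access rule grant all
    requested bits; the effective access is the intersection of their results."""
    for acl in [dacl, *applicable_rules]:
        granted = acl_granted(acl, token, requested)
        if granted is None or granted != requested:
            return False
    return True


# --- constructed sample data (placeholder SIDs and claim names, not from the spec) ---
S_EVERYONE = "S-1-1-0"
S_FINANCE = "S-1-5-21-1-2-3-1001"


def from_finance(t: Token) -> bool:
    return t.user_claims.get("Department") == "Finance"


def managed_device(t: Token) -> bool:
    return t.device_claims.get("Managed") is True


# The file's own DACL: the Finance group may read; everyone may execute.
FILE_DACL = [Ace("allow", S_FINANCE, FILE_READ_DATA),
             Ace("allow", S_EVERYONE, FILE_EXECUTE)]
FILE_PROPS = {"Impact": "High"}                  # set by a classification rule

# Central access rule targeted at High-impact resources: read/write only when the
# user is in Finance AND the request comes from a managed device (compound identity).
HIGH_IMPACT_RULE = (
    lambda props: props.get("Impact") == "High",
    [Ace("allow", S_EVERYONE, FILE_READ_DATA | FILE_WRITE_DATA,
         condition=lambda t: from_finance(t) and managed_device(t))],
)


def check_file(token: Token, requested: int, dacl=FILE_DACL,
               rules=(HIGH_IMPACT_RULE,), props=FILE_PROPS) -> bool:
    """Select the central access rules whose resource condition matches the file's
    classification properties, then run the combined check."""
    applicable = [aces for cond, aces in rules if cond(props)]
    return access_check(dacl, applicable, token, requested)


ALICE = Token(frozenset({S_EVERYONE, S_FINANCE}), {"Department": "Finance"}, {"Managed": True})
BOB = Token(frozenset({S_EVERYONE, S_FINANCE}), {"Department": "Finance"}, {"Managed": False})

if __name__ == "__main__":
    print("Alice read :", check_file(ALICE, FILE_READ_DATA))    # True: DACL and rule both grant
    print("Bob read   :", check_file(BOB, FILE_READ_DATA))      # False: DACL grants, rule does not
    print("Alice write:", check_file(ALICE, FILE_WRITE_DATA))   # False: rule grants, DACL does not
```

Bob's case is the one the classic DACL-only check cannot express: he holds the same group membership as Alice and the DACL would grant the read, but the conditional ACE in the central access rule evaluates the device claim from the compound identity and does not apply, so the intersection leaves nothing granted. Alice's write request shows the other direction of the intersection: the rule alone would allow it, but the object's DACL does not, so the request is denied.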

Postcondition

The user of the file client is granted access to open a file on a remote file share.