2.5.1.1.5 Check Claims-Based Access
Goal
Verify the access rights of the user to access a file on a remote CBAC-aware file share.
Context of Use
The user of the file client needs to access an existing file on a remote file share, and the file server needs to verify the access rights of the user before providing access to the file. Therefore, the file server interacts with the authorization system through the file system resource manager to verify the requested access rights, as described in this use case.
Actors
See section 2.5.1.1.1.
Stakeholders
The primary interest of a user is to access the file on the remote file server.
Preconditions
The identity of the user and client computer (compound identity) has been authenticated by the Authentication Services subsystem, as described in [MS-KILE] and [MS-AUTHSOD].
The Active Directory administrator configured the claim definitions and the user and device claims in Active Directory using the CAP Admin client tool.
The Group Policy administrator configured required central access policies and classification rules for the file servers.
The central access policies and classification rules have been applied to the resources of the file server.
If the file server is in a different forest than the user, claims in the PAC are transformed, as described in section 2.1.4.3.2.
Using this PAC, the file server obtains the access token (with user and device claims) for the requesting user, as described in section 2.5.1.3. The file server then makes a request to the file system resource manager, passing the obtained user access token (also called the security context), the requested access rights, and other information, as specified in [MS-FSA] section 2.1.5.1.
Main success scenario
Trigger: The user tries to open an existing file on a remote file share using the file client application.
The file system processes the request per the processing rules, as specified in [MS-FSA] sections 2.1.5.1 and 2.1.5.1.2.1. These processing rules call the access check algorithm, as specified in [MS-DTYP] section 2.5.3.2, to verify the user's access rights against the configured access control permissions and central access policies in the object's security descriptor.
If verification succeeds, the access check algorithm returns success to the file system resource manager, indicating user access is granted.
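The access check in the scenario above, modelled as an added example (this is not code from [MS-DTYP] or [MS-FSA], and the access-right bits, SIDs, claim names and rule shape are constructed): the DACL is evaluated first, and each central access rule whose resource condition matches the file's resource properties then narrows the result, so the open succeeds only when both grant the requested rights. Deny ACEs and inheritance are omitted.

```python
# Simplified model of a claims-aware access check (assumption: not [MS-DTYP]'s own
# algorithm). Effective access = DACL grant, intersected with the grant of every
# central access rule that applies to the resource.
from dataclasses import dataclass
from typing import Callable, Optional

FILE_READ, FILE_WRITE = 0x1, 0x2           # constructed, simplified access-right bits
Condition = Callable[["Token", dict], bool]  # (token, resource properties) -> bool

@dataclass
class Token:                                # access token: group SIDs + user/device claims
    sids: frozenset
    user_claims: dict
    device_claims: dict

@dataclass
class AllowAce:                             # allow ACE, optionally conditional on claims
    trustee: str
    mask: int
    condition: Optional[Condition] = None

def acl_grant(aces, token, resource):
    """Union of the masks of allow ACEs whose trustee is in the token and whose
    condition (if any) holds. Simplification: allow ACEs only, no inheritance."""
    granted = 0
    for ace in aces:
        if ace.trustee in token.sids and (ace.condition is None or ace.condition(token, resource)):
            granted |= ace.mask
    return granted

def access_check(token, desired, dacl, central_policy, resource):
    """Grant only if the DACL and every applicable central access rule grant `desired`."""
    effective = acl_grant(dacl, token, resource)
    for applies_to, rule_aces in central_policy:  # central_policy: [(resource condition, ACEs)]
        if applies_to(resource):
            effective &= acl_grant(rule_aces, token, resource)
    return (effective & desired) == desired

# --- constructed sample data: a permissive DACL narrowed by one central access rule ---
EVERYONE = "S-1-1-0"
DACL = [AllowAce(EVERYONE, FILE_READ | FILE_WRITE)]
def same_department(token, resource):       # user claim must match the resource property
    return token.user_claims.get("Department") == resource.get("Department")
def managed_device(token, _resource):       # device claim must be present and true
    return token.device_claims.get("ManagedDevice") is True
CENTRAL_POLICY = [(lambda r: r.get("Sensitivity") == "High",   # rule applies to High-sensitivity files
                   [AllowAce(EVERYONE, FILE_READ | FILE_WRITE,
                             lambda t, r: same_department(t, r) and managed_device(t, r))])]
HIGH = {"Department": "Finance", "Sensitivity": "High"}
LOW = {"Department": "Finance", "Sensitivity": "Low"}

def can_read(department, managed, resource):
    token = Token(frozenset({EVERYONE}), {"Department": department}, {"ManagedDevice": managed})
    return access_check(token, FILE_READ, DACL, CENTRAL_POLICY, resource)
```

Only a Finance user on a managed device can read the High-sensitivity file, while the Low-sensitivity file is governed by the DACL alone.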
Postcondition
The user of the file client is granted access to open a file on a remote file share.