How to use central access policies for dynamic access control
You can use Central Access Policies (CAP) to control access dynamically.
There are two options for programmatic access to the Dynamic Access Control objects in Active Directory:
Using Windows PowerShell
This is the preferred option as it greatly simplifies the developer experience. Microsoft has provided Windows PowerShell Cmdlets that encapsulate all of the rules, constraints, and methods required to work with DAC objects. For more information about the Windows PowerShell Cmdlets see, AD DS Administration Cmdlets in Windows PowerShell
The relevant cmdlets are:
- Set/Get/New/Remove ADClaimType
- Set/Get/New/Remove ADResourceProperty
- Set/Get/New/Remove ADCentralAccessRule
- Set/Get/New/Remove ADCentralAccessPolicy
LDAP offers better performance; however, it is more complex. You must take great care to follow the rules and constraints for these objects. For more information about LDAP options see the remaining How-to topics in this section beginng with, Dynamic Access Control objects in Active Directory.
For development environments where it is important for your code to interact with Active Directory over other interfaces directly (for example: LDAP), you must consider the following constrains for managing claim type, resource property, central access rules, central access policies, and resource property list objects.
In general, validations stated in this topic apply to create and set operations. On read operation, you must keep the validation consistent with schema requirements to allow proper display of the existing information.
- If you are using Active Directory module for PowerShell, it provides proper validation for data input. For more information, see the Deploy a Central Access Policy (Demonstration Steps) on TechNet.
All the objects mentioned in this scenario live in configuration naming context in Active Directory, the objects will be replicated throughout the entire forest
This code sample will enumerate all of the Dynamic Access Control objects in Active Directory.
Claim type (msDS-ClaimType) resides in msDS-ClaimTypes container and is used in ACL expressions and central access rule expressions.
Resource Property (msDS-ResourceProperty) resides in msDS-ResourceProperties container, and is used to classify files on Windows Server 2012 File Server as well as used in central access rule expression.
This topic describes a Central Access Rule (CAR).
This topic describes a Central Access Policy (CAP).
- Deploy a Central Access Policy (Demonstration Steps)
- The Extensible File Classification Infrastructure
- Working with File Classification
- How to enrich audit reporting