Skip to main content

Windows Dev Center

Centralized Authorization Policy

The Dynamic Access Control (DAC) scenario enables centralized access control administration for enterprise file server scenarios. Most organizations have multiple areas in which they want to control access.

Examples are:

  • Controlling access to sensitive information, in which files marked as sensitive would have specific permissions
  • Controlling access to files containing personally identifiable information (PII.)
  • Limiting access to documents based on the organizations retention policies.
Several new authorization policy abstractions are provided to allow an administrator to define these policies centrally and to simplify the definition process by allowing each of these access requirements to be defined and maintained separately but applied as one policy.

Two new Active Directory policy objects, a Central Authorization Policy (CAP) and a Central Authorization Policy Rule (CAPR) are introduced in Windows 8 to define and apply centralized authorization policies based on expressions of claims and resource attributes. In using these objects an administrator defines a CAPR as a specific authorization policy that can be applied to resources that have a certain attribute or satisfy a certain applicability condition. for example documents labeled as "High Business Impact". CAPEs may be defined for each desired access control policy in an organization that can be expressed, and the resources to which it should be applied can be identified, in terms of Windows 8 DAC expressions. A CAP is collection of CAPRs that can be applied together on resources. The following diagram shows the relationships of the CAP and CAPE, and the conceptual steps involved in defining and applying these objects to file resources. Relationship of CAPEs and CAPs