How to use central access policies for dynamic access control

Central Access Policies (CAPs) let you control access to resources dynamically, based on user claims and resource properties rather than on static group membership alone.

There are two options for programmatic access to the Dynamic Access Control objects in Active Directory:

**Using Windows PowerShell** This is the preferred option because it greatly simplifies the developer experience. Microsoft provides Windows PowerShell cmdlets that encapsulate all of the rules, constraints, and methods required to work with DAC objects. For more information about the Windows PowerShell cmdlets, see [AD DS Administration Cmdlets in Windows PowerShell](/powershell/module/addsadministration/?viewFallbackFrom=winserverr2-ps). The relevant cmdlets are:
  • Set/Get/New/Remove ADClaimType
  • Set/Get/New/Remove ADResourceProperty
  • Set/Get/New/Remove ADCentralAccessRule
  • Set/Get/New/Remove ADCentralAccessPolicy

**Using LDAP** LDAP offers better performance; however, it is more complex. You must take great care to follow the rules and constraints for these objects. For more information about the LDAP option, see the remaining How-to topics in this section, beginning with Dynamic Access Control objects in Active Directory.

If your code must interact with Active Directory directly over another interface (for example, LDAP), you must observe the following constraints when managing claim type, resource property, central access rule, central access policy, and resource property list objects.

In general, the validations stated in this topic apply to create and set operations. On read operations, keep the validation consistent with the schema requirements so that existing information is displayed properly.

What you need to know

Technologies

Prerequisites

Steps

Dynamic Access Control objects in Active Directory

All the objects mentioned in this scenario live in the configuration naming context of Active Directory, so they are replicated to every domain controller in the forest.

How to read Dynamic Access Control objects using LDAP

This code sample will enumerate all of the Dynamic Access Control objects in Active Directory.
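The following is an added example, not code from the original page: it enumerates the Dynamic Access Control objects over LDAP with System.DirectoryServices, which is the same path the ActiveDirectory cmdlets take for you. It assumes a domain-joined machine and the default container name `CN=Claims Configuration,CN=Services` under the configuration naming context, which it discovers from RootDSE.

```powershell
# Added example (not from the original page): read DAC objects directly over LDAP.
# Assumptions: domain-joined host; default "Claims Configuration" container names.
Add-Type -AssemblyName System.DirectoryServices

function Get-DacObjectViaLdap {
    [CmdletBinding()]
    param(
        # DN of the configuration naming context, discovered from RootDSE by default.
        # DAC objects live in this forest-wide partition, so one query covers the forest.
        [string]$ConfigurationNamingContext = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    )

    $searchBase = "CN=Claims Configuration,CN=Services,$ConfigurationNamingContext"

    # The five object classes that make up DAC; the containers themselves are filtered out.
    $classes = 'msDS-ClaimType', 'msDS-ResourceProperty', 'msDS-ResourcePropertyList',
               'msDS-CentralAccessRule', 'msDS-CentralAccessPolicy'
    $filter  = '(|' + (($classes | ForEach-Object { "(objectClass=$_)" }) -join '') + ')'

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$searchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    try {
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
        $searcher.PageSize    = 500   # paged results; an unpaged search stops at the server's MaxPageSize
        'objectClass', 'distinguishedName', 'displayName', 'Enabled' |
            ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

        foreach ($result in $searcher.FindAll()) {
            $p = $result.Properties   # keys are returned in lowercase
            # objectClass holds the full class chain (top, ..., most specific class last).
            [pscustomobject]@{
                Class             = [string]($p['objectclass'] | Select-Object -Last 1)
                DisplayName       = if ($p.Contains('displayname')) { [string]$p['displayname'][0] } else { $null }
                Enabled           = if ($p.Contains('enabled'))     { [bool]$p['enabled'][0] }       else { $null }
                DistinguishedName = [string]$p['distinguishedname'][0]
            }
        }
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage: list every DAC object in the forest without loading the ActiveDirectory module.
Get-DacObjectViaLdap | Sort-Object Class, DisplayName |
    Format-Table Class, DisplayName, Enabled, DistinguishedName -AutoSize
```

Reading these objects works for any authenticated user because the configuration partition is readable by default; creating or changing them requires write access on the Claims Configuration container, which by default only forest administrators hold. The function deliberately loads only a handful of attributes and tolerates a missing `Enabled` value, in line with the note above that read paths should stay consistent with the schema rather than assume every attribute is populated.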

How to set up a claim type

A claim type (msDS-ClaimType) resides in the msDS-ClaimTypes container and is used in ACL expressions and in central access rule expressions.

How to set up a resource property

A resource property (msDS-ResourceProperty) resides in the msDS-ResourceProperties container and is used to classify files on a Windows Server 2012 file server, as well as in central access rule expressions.

How to set up a central access rule

This topic describes a Central Access Rule (CAR).

How to set up a central access policy

This topic describes a Central Access Policy (CAP).
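The four objects above (claim type, resource property, central access rule, central access policy) are normally created in that order, because each rule references the claim type and resource property by ID and each policy references its rules. The following added example, which is not code from the original page, walks through the whole chain with the ActiveDirectory module cmdlets the page lists as the preferred option. The display names, the IDs `ad://ext/Department` and `Department_Example`, the suggested values Finance and Sales, and the rule and policy names are assumptions chosen for the example.

```powershell
# Added example (not from the original page): claim type -> resource property ->
# central access rule -> central access policy, using the ActiveDirectory cmdlets.
# All names, IDs and values below are assumptions for illustration.
Import-Module ActiveDirectory

# Suggested values shared by the claim type and the resource property so that user
# claims and file classifications use one vocabulary.
# ADSuggestedValueEntry(value, displayName, description)
$departments = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', 'Finance department')
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Sales',   'Sales',   'Sales department')
)

# 1. Claim type (msDS-ClaimType): issued from the user's "department" attribute.
#    The ID is forest-unique and uses the ad://ext/ prefix (assumed value here).
$claimType = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -SuggestedValues $departments -PassThru

# 2. Resource property (msDS-ResourceProperty): classifies files and is referenced
#    in rule conditions by its ID. -SharesValuesWith reuses the claim type's suggested
#    values; -IsSecured allows it in access checks.
$resourceProperty = New-ADResourceProperty -DisplayName 'Department' -ID 'Department_Example' `
    -IsSecured $true -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SharesValuesWith $claimType -PassThru

# File servers only download resource properties that are members of a resource
# property list; the built-in list is the usual choice.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $resourceProperty

# 3. Central access rule (msDS-CentralAccessRule): the resource condition selects files
#    classified Department=Finance; the ACL is SDDL whose conditional ACE (XA) grants
#    read/execute (0x1200a9) to Authenticated Users (AU) only when the user's Department
#    claim, referenced by claim type ID, is Finance.
$resourceCondition = '(@RESOURCE.Department_Example == "Finance")'
$acl = 'O:SYG:SYD:AR' +
       '(A;;FA;;;BA)' +                                                  # Administrators: full control
       '(A;;FA;;;SY)' +                                                  # SYSTEM: full control
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "Finance"))'    # claim-gated read
$rule = New-ADCentralAccessRule -Name 'Finance Documents Rule' `
    -ResourceCondition $resourceCondition -CurrentAcl $acl -PassThru

# 4. Central access policy (msDS-CentralAccessPolicy): a named set of rules.
$policy = New-ADCentralAccessPolicy -Name 'Finance Policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# Check: the policy should now list the rule, and the rule should carry the ACL above.
Get-ADCentralAccessPolicy -Identity 'Finance Policy' | Select-Object Name, Members
Get-ADCentralAccessRule -Identity 'Finance Documents Rule' | Select-Object Name, ResourceCondition, CurrentAcl
```

Two points worth keeping in mind when adapting this. First, the attribute names inside the SDDL condition are the object IDs, not the display names, so renaming a claim type's display name does not break existing rules but changing its ID would. Second, creating the policy in Active Directory does not by itself protect anything: the policy still has to be published to file servers through Group Policy and applied to the folders it should govern, which is outside the scope of this page.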

Additional resources