Microsoft-Dynamic-Access-Control on The IT Hollow

Microsoft Dynamic Access Control (Part 1)

Mon, 28 Apr 2014 13:05:45 +0000

Microsoft Dynamic Access Control is a new way to deploy access rules to your file shares. For many moons now, System Administrators have had a tedious task of managing tens, hundreds, or thousands of security groups to control how files are accessed.

Groups of users have always needed to maintain different sets of security rules to prevent people from accessing confidential files. Human Resources obviously doesn’t want people outside their department to have access to personnel files, separate office locations may not want to share data with other offices in the same domain, and countries or cities might have different restrictions about sharing files with each other.

Microsoft Dynamic Access Control (Part 2 - Claims)

Mon, 28 Apr 2014 13:04:52 +0000

In part 1 of the series we covered some generalities about Microsoft Dynamic Access Control and a few steps needed to prepare the domain and file servers. Now let’s look at creating claims.

A claim is a user, device or resource property. A user in Active Directory will have properties such as Location, Department, manager, etc. Each of these properties is a claim but for any actions to be utilized by Direct Access, they have to be defined.

Microsoft Dynamic Access Control (Part 3 – Resource Properties)

Mon, 28 Apr 2014 13:03:00 +0000

So far we’ve covered:

In this post we’ll look at Resource Properties.

Resource Properties

A resource property is a claim that describes the characteristics of an object in the file system. A claim is a descriptor of a user or a device whereas a resource property is a characteristic of a file or folder.

As an example, we have a folder with HIPPA related information in it. A description can be added to this folder to indicate that it has Protected Health Information (PHI) contained in that folder. This PHI description is a resource property.

Microsoft Dynamic Access Control (Part 4 – Rules and Policies)

Mon, 28 Apr 2014 13:01:47 +0000

We’ve discussed Initial configuration steps, Claims, and Resource Properties and we’re starting to see the power of Microsoft’s Dynamic Access Control, but we need a better way to manage these and that’s why we’ve come to “Rules and Policies”.

A Central Access Rule can be used to take claims such as users in a department and match them up with permissions on a filefolder with specific resource properties. This is where the real power comes into play because now we don’t have to go through and map these for each individual file. We’re setting a general policy for the entire organization all at once.

Microsoft Dynamic Access Control (Part 5 - Auto Classification)

Mon, 28 Apr 2014 13:00:33 +0000

In the first four parts of the Dynamic Access Control Series we covered Initial Configurations, Claims, Resource Properties and Rules Policies. These are working great in our environment but we still have to go through and manage the classification tags. Wouldn’t it be easier to have some files automatically tagged with a certain resource classification?

Enter File Server Resource Manager to the rescue!

Classification Rules

From within File Server Resource Manager (FSRM) go to Classification Rules and choose to “Create Classification Rule…”