Conditional Access Template links
Active Roles enhances its authorization model by introducing conditional Access Template links, and takes advantage of conditional links by inserting user claims, device claims, and target object properties into conditional expressions specified in Access Rules. An Access Rule can be applied to an Access Template link, causing the link to have an effect only if the condition of the Access Rule evaluates to True. During a permission check, Active Roles inserts the claims and properties into the conditional expressions found in the Access Rule, evaluates these expressions, and enables or disables the Access Template link based on the results of the evaluation. In this way, the Access Rule determines the result of the permission check.
Access Rules, along with conditional Access Template links, enable Active Roles to leverage claims for authorization to securable objects. This authorization mechanism (known as claims-based access control) supplements Access Template based access control to provide an additional layer of authorization that is flexible to the varying needs of the enterprise environment.
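The following Python model is an added example and is not Active Roles code; it only illustrates the permission-check flow described above. The class and field names, the claim names, and the Access Templates and trustee are assumptions constructed for the illustration. One design choice worth noting: a condition that cannot be evaluated (for example, because a claim it references is absent from the user's token) is treated as False, so a conditional link is disabled rather than silently enabled.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Set

# A claim set is a mapping of claim type -> value (names are constructed here).
Claims = Dict[str, Any]
Condition = Callable[[Claims, Claims, Dict[str, Any]], bool]


@dataclass(frozen=True)
class AccessRule:
    name: str
    condition: Condition  # receives user claims, device claims, target properties


@dataclass(frozen=True)
class AccessTemplateLink:
    template: str   # Access Template being linked (name is constructed)
    trustee: str    # who the template is applied for
    access_rule: Optional[AccessRule] = None  # None means an unconditional link


def link_is_effective(link: AccessTemplateLink, user_claims: Claims,
                      device_claims: Claims, target_props: Dict[str, Any]) -> bool:
    """Return True if the link takes effect for this request.

    An unconditional link always applies. A conditional link applies only when
    its Access Rule evaluates to True with the claims and target properties
    inserted. Assumption of this model: an expression that cannot be evaluated
    (missing claim, wrong value type) counts as False (fail closed).
    """
    if link.access_rule is None:
        return True
    try:
        return bool(link.access_rule.condition(user_claims, device_claims, target_props))
    except (KeyError, TypeError):
        return False


def effective_templates(links, trustee: str, user_claims: Claims,
                        device_claims: Claims, target_props: Dict[str, Any]) -> Set[str]:
    """Access Templates that actually grant rights to the trustee in this request."""
    return {
        link.template
        for link in links
        if link.trustee == trustee
        and link_is_effective(link, user_claims, device_claims, target_props)
    }


# --- Constructed sample rules and links (not from the product) ----------------
def same_department(user_claims, device_claims, target_props):
    # Dict indexing on purpose: an absent claim raises KeyError -> link disabled.
    return user_claims["Department"] == target_props["department"]


def managed_device(user_claims, device_claims, target_props):
    return device_claims["ManagedDevice"] is True


SAMPLE_LINKS = [
    AccessTemplateLink("Users - Read All Properties", "Helpdesk"),
    AccessTemplateLink("Users - Modify All Properties", "Helpdesk",
                       AccessRule("Same department", same_department)),
    AccessTemplateLink("Users - Reset Password", "Helpdesk",
                       AccessRule("Managed device", managed_device)),
]


def demo() -> Set[str]:
    """Helpdesk user from Finance, on a managed device, touching a Finance user."""
    user = {"Department": "Finance"}
    device = {"ManagedDevice": True}
    target = {"department": "Finance"}
    return effective_templates(SAMPLE_LINKS, "Helpdesk", user, device, target)


if __name__ == "__main__":
    print(sorted(demo()))
```

Changing the target's department, or removing the device claim, disables the corresponding conditional link while the unconditional read link still applies.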
Management of Windows claims
Claims are statements about an authenticated user or device, issued by an Active Directory domain controller running Windows Server 2016 or later. Claims can contain information about the user or device retrieved from Active Directory.
Dynamic Access Control (DAC), a feature of Windows Server 2012, employs claims-based authorization to create versatile and flexible access controls on sensitive resources by using access rules that evaluate information about the user who accesses those resources and about the device from which the user accesses those resources. By leveraging claims in the authentication token of the user, DAC makes it possible to allow or deny access to resources based on the Active Directory attributes of the user or device.
Active Roles uses claims-based access rules to improve authorization management for Active Directory administration. With claims-based access rules, Active Roles adds more flexibility and precision in delegating control of Active Directory objects, such as users, computers or groups, by extending the Active Roles authorization model to recognize and evaluate the claims specific to the user who requests access to those objects or to the device used to request access.
For the steps of managing Windows claims in Active Roles, see Managing Windows claims in the Active Roles Administration Guide.
Claim Type management overview
After you enable the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting, your Windows Server 2012 (or later) domain controllers are ready to issue claims in response to authentication requests. However, you need to configure claim types before the domain controller can issue claims.
You can use Active Roles to create attribute-based claim types that source their information from user and computer attributes. The claim types you create are stored in the configuration partition of the Active Directory forest. All domains within that forest share the claim types and domain controllers from those respective domains issue claim information during user authentication.
It is important that the Active Directory attributes intended to source claim types contain accurate information. Incorrect attribute information can lead to unexpected access to data using claims-based authorization. You can ensure the accuracy of information held in claim source attributes by leveraging property generation and validation policies provided by Active Roles.
You can use the Active Roles Console to create, modify and delete user and computer claim types. The claim type objects are stored in the configuration partition of the Active Directory forest, and appear under the Active Directory > Claim Types node in the Active Roles Console. If you have domains from multiple forests registered with Active Roles, then the Console tree provides a separate Claim Types node for each forest. The forest to which a given Claim Types node applies is identified by the name (or a part of the name) of the forest root domain shown in brackets next to the name of the node.
The Active Roles Console provides the following pages for creating and modifying claim types:
- Source Attribute: On this page you can select the Active Directory attribute from which the claim value is obtained, specify the display name and description for the claim type, and choose whether the claim type applies to a user, computer, or both.
- Suggested Values: This page allows you to configure predetermined selectable values from which you can choose when using the claim type in a conditional expression for an access rule.
On these pages you can view or change the following configuration settings.
Source attribute setting
On the Source Attribute page you can select, view or change the source attribute for the claim type. The source attribute is the Active Directory attribute from which the value is obtained for claims of this claim type.
The page provides a list allowing you to select the desired attribute. The list includes the attributes for the User, Computer, InetOrgPerson, ManagedServiceAccount, GroupManagedServiceAccount and Auxiliary classes of object, with the exception of:
- Attributes marked as defunct in the Active Directory schema.
- Password attributes such as dBCSPwd, lmPwdHistory, and unicodePwd.
- Attributes that are not replicated among domain controllers.
- Attributes that are not available on read-only domain controllers.
- Attributes with an Active Directory syntax type other than:
  - String: DN String, Unicode, NT Security Descriptor, or Object ID.
  - Integer or Large Integer.
  - Boolean.
For an existing claim type, the page displays the current source attribute of the claim type, and allows you to select a different attribute of the same syntax type. However, changing the source attribute does not change the ID of the claim type.
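The exclusion rules above, and the "same syntax type" constraint on replacing a source attribute, can be expressed as a small eligibility check. The Python below is an added example, not Active Roles code or its Console logic: the SchemaAttribute fields, the syntax labels, the attribute names prefixed x- and the idea that "same syntax type" means the same family (String, Integer, Boolean) are assumptions made for the illustration; the password attribute set contains only the three names the page lists.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Syntax families the page lists as eligible (labels are constructed).
SYNTAX_FAMILY = {
    "DN String": "String", "Unicode": "String",
    "NT Security Descriptor": "String", "Object ID": "String",
    "Integer": "Integer", "Large Integer": "Integer",
    "Boolean": "Boolean",
}

# Only the password attributes the page names; real schemas have more.
PASSWORD_ATTRIBUTES = {"dBCSPwd", "lmPwdHistory", "unicodePwd"}


@dataclass(frozen=True)
class SchemaAttribute:
    ldap_name: str
    syntax: str
    defunct: bool = False
    replicated: bool = True       # replicated among domain controllers
    available_on_rodc: bool = True


def ineligibility_reason(attr: SchemaAttribute) -> Optional[str]:
    """Return why the attribute cannot source a claim type, or None if it can."""
    if attr.defunct:
        return "defunct"
    if attr.ldap_name in PASSWORD_ATTRIBUTES:
        return "password attribute"
    if not attr.replicated:
        return "not replicated"
    if not attr.available_on_rodc:
        return "not available on read-only domain controllers"
    if attr.syntax not in SYNTAX_FAMILY:
        return f"unsupported syntax {attr.syntax}"
    return None


def eligible_source_attributes(attrs: Iterable[SchemaAttribute]) -> List[str]:
    """LDAP names of attributes that may be offered as claim sources, sorted."""
    return sorted(a.ldap_name for a in attrs if ineligibility_reason(a) is None)


def compatible_replacement(current: SchemaAttribute, candidate: SchemaAttribute) -> bool:
    """True if candidate may replace current as the source of an existing claim type.

    Assumption: 'same syntax type' is modelled as the same syntax family.
    """
    return (ineligibility_reason(candidate) is None
            and SYNTAX_FAMILY.get(current.syntax) == SYNTAX_FAMILY.get(candidate.syntax))


# --- Constructed sample schema entries (x-* names are fictional) -------------
SAMPLE_SCHEMA = [
    SchemaAttribute("department", "Unicode"),
    SchemaAttribute("employeeType", "Unicode"),
    SchemaAttribute("accountExpires", "Large Integer"),
    SchemaAttribute("unicodePwd", "Octet String"),
    SchemaAttribute("jpegPhoto", "Octet String"),
    SchemaAttribute("x-legacyCode", "Unicode", defunct=True),
    SchemaAttribute("x-localCounter", "Integer", replicated=False),
    SchemaAttribute("x-filteredSecret", "Unicode", available_on_rodc=False),
]

if __name__ == "__main__":
    for attr in SAMPLE_SCHEMA:
        print(f"{attr.ldap_name:18} {ineligibility_reason(attr) or 'eligible'}")
```

Running the module lists each sample attribute with the reason it is excluded, or "eligible"; only department, employeeType and accountExpires survive the filter.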