Secure file access by using Dynamic Access Control (DAC) overview
You can secure access by using Dynamic Access Control and by creating central access policies in Active Directory and applying them to files and folders on SVMs through applied Group Policy Objects (GPOs). You can configure auditing to use central access policy staging events to see the effects of changes to central access policies before you apply them.
Additions to CIFS credentials
Before Dynamic Access Control, a CIFS credential included a security principal’s (the user’s) identity and Windows group membership. With Dynamic Access Control, three more types of information are added to the credential—device identity, device claims, and user claims:
The analog of the user’s identity information, except it is the identity and group membership of the device that the user is logging in from.
Assertions about a device security principal. For example, a device claim might be that it is a member of a specific OU.
Assertions about a user security principal. For example, a user claim might be that their AD account is a member of a specific OU.
Central access policies
Central access policies for files enable organizations to centrally deploy and manage authorization policies that include conditional expressions using user groups, user claims, device claims, and resource properties.
For example, for accessing high business impact data, a user needs to be a full time employee and only have access to the data from a managed device. Central access policies are defined in Active Directory and distributed to file servers via the GPO mechanism.
Central access policy staging with advanced auditing
Central access policies can be “staged”, in which case they are evaluated in a “what-if” manner during file access checks. The results of what would have happened if the policy was in effect and how that differs from what is currently configured are logged as an audit event. In this way, administrators can use audit event logs to study the impact of an access policy change before actually putting the policy in play. After evaluating the impact of an access policy change, the policy can be deployed via GPOs to the desired SVMs.