Supported Dynamic Access Control functionality

Contributors

If you want to use Dynamic Access Control (DAC) on your CIFS server, you need to understand how ONTAP supports Dynamic Access Control functionality in Active Directory environments.

Supported for Dynamic Access Control

ONTAP supports the following functionality when Dynamic Access Control is enabled on the CIFS server:

Functionality Comments

Claims into the file system

Claims are simple name and value pairs that state some truth about a user. User credentials now contain claim information, and security descriptors on files can perform access checks that include claims checks. This gives administrators a finer level of control over who can access files.

Conditional expressions to file access checks

When modifying the security parameters of a file, users can now add arbitrarily complex conditional expressions to the file’s security descriptor. The conditional expression can include checks for claims.

Central control of file access via central access policies

Central access policies are a kind of ACL stored in Active Directory that can be tagged to a file. Access to the file is only granted if the access checks of both the security descriptor on disk and the tagged central access policy allows access.This gives administrators the ability to control access to files from a central location (AD) without having to modify the security descriptor on disk.

Central access policy staging

Adds the ability to try out security changes without affecting actual file access, by “staging” a change to the central access policies, and seeing the effect of the change in an audit report.

Support for displaying information about central access policy security by using the ONTAP CLI

Extends the vserver security file-directory show command to display information about applied central access policies.

Security tracing that includes central access policies

Extends the vserver security trace command family to display results that include information about applied central access policies.

Unsupported for Dynamic Access Control

ONTAP does not support the following functionality when Dynamic Access Control is enabled on the CIFS server:

Functionality Comments

Automatic classification of NTFS file system objects

This is an extension to the Windows File Classification Infrastructure that is not supported in ONTAP.

Advanced auditing other than central access policy staging

Only central access policy staging is supported for advanced auditing.