10 Things you need to be aware of before deploying Dynamic Access Control


Microsoft introduced Dynamic Access Control (DAC) as its claims-based authorization solution. It’s revolutionary, because it enables admins to more granularly control access to file resources, based on attributes of objects in Active Directory, like department, manager and country, instead of through an elaborate and obscure group membership structure and static Access Control Lists (ACLs) on files and folders.

More information on actually configuring Dynamic Access Control can be found here.

If you want to go and use Dynamic Access Control in your environment, I feel you should be aware of these 10 things:


  1. Dynamic Access Control is a v1 product.
    While Dynamic Access Control (DAC) is available in the Release to Manufacturing (RTM) version of Windows Server 2012, this by no means implies the feature is as ready as you need it to be to run it in your production environment. Many organizations hold off on introducing Microsoft technologies until v3 to avoid problems other organizations had with (for instance) Hyper-V in Windows Server 2008, SharePoint Portal Server 2001 and archiving in Exchange Server. I should note, however, that most of the time, the culprit is not faulty code, but incompatibilities with older platforms and applications. DAC's incompatibility with Windows XP, for instance, means 40% of organizations cannot deploy claims-based access natively to these clients.
  2. Dynamic Access Control is currently limited to File Services only.
    While you might look to apply Dynamic Access Control (DAC) to accommodate rich authorization scenarios, with Windows Server 2012 you will be able to use claims for authorization on File Services only. Claims-based Access Control is not available for Microsoft Exchange or Microsoft SQL Server. The consequence is you will need to deploy both a group membership-based access control solution and Dynamic Access Control throughout your organization.
  3. Token bloat is just around the corner with Dynamic Access Control.
    This coexistence, even if you only have File Services in your organization and you can quickly get rid of your group membership-based authorization solution, will lead to an initial growth in the tokens of your colleagues. The improved SID Compression in Windows Server 2012 might be enough to compensate for it, but it also might not.
  4. Calculating the expected ticket sizes is no longer straightforward.
    If you want to calculate what the impact on ticket size would be in your situation, then you would have a hard time doing so, because Microsoft KnowledgeBase article 327825 specifically mentions the following:

        Dynamic Access Control adds Active Directory Claims to the Ticket. Therefore,
        calculating the expected ticket sizes is no longer straightforward. The expectation
        is that tickets that are issued by Windows Server 2012 domain controllers are
        smaller than the same tickets that are issued from older operating system
        versions. Claims add to the ticket size. However, after Windows Server 2012 file
        servers are using claims broadly, you can expect to phase out a significant
        number of your groups that control file access to trim ticket sizes.

    I think point 2 adequately addresses the issues surrounding the ability to trim ticket sizes.

  5. Dynamic Access Control offers no Deny rules, only Allow rules.
    Microsoft has shifted from a security point of view on Identity and Access Management, to an access point of view. Instead of securing an environment by limiting people's access, in recent Windows (Server) releases, you will have to specifically grant access before anyone can access a resource. The most prevalent situation where you can observe this shift is the difference in standard Share permissions between Windows XP, Windows Server 2003 (R2) and more recent Windows (Server) versions. From this new point of view, as an admin you won’t have to be using deny rights or permissions. You simply allow the people with the right attributes access.
  6. Attribute integrity is getting more important
    As a consequence, attribute integrity is getting more important. When you want to allow access to full-time employees (FTEs) only, but lack the proper processes to convert a part-time employee to a full-time one, you will inadvertently deny access to people with even the slightest skew in attributes. Even Microsoft IT faced this problem in their first tests.
  7. Naming conventions are important when deploying Dynamic Access Control
    Attribute integrity processes depend on naming conventions for locations, departments and descriptions. Without them, your claims would not make sense or might not be as specific as you want them to be, because you’d build your claims-based access through ‘contains’ rules, instead of ‘equal to’ and ‘not equal to’ rules to address the situation.
  8. There’s no built-in way to migrate Dynamic Access Control cross-forest.
    While the rules and policies used to define Dynamic Access Control-based access are stored in Active Directory, the current Active Directory cross-forest migration tool, the Microsoft Active Directory Migration Tool (ADMT), does not support migrating these rules and policies. When you can foresee a merger, divestiture or migration, putting off your Dynamic Access Control deployment might be a good idea.
  9. There’s no/little support by 3rd party tools for managing DAC lifecycle.
    With the Dynamic Access Control (DAC) technology on the market for a year, we’re seeing few third parties delivering Dynamic Access Control-capable management tools and/or Dynamic Access Control integration with current 3rd party management tools. The NetApp integration with Dynamic Access Control stands in stark contrast to this and its competitors.
  10. You’ll need a File Classification strategy to fully profit from DAC
    Managing access to unstructured data is not magically more straightforward when you use Dynamic Access Control. However, when you use the File Classification Infrastructure (FCI) technology on Windows Server 2012-based File Servers in combination with Dynamic Access Control (DAC), it’s a different story. You can then grant granular access to files based on their contents. The dark side? You will need a file classification strategy, before you can actually tap into this potential.
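
For points 6 and 7, a pre-deployment check of the attributes that would feed your claims, as an added example that is not part of the original post. The helper name Get-ClaimAttributeSkew, the sample accounts and the choice of department and employeeType as claim sources are assumptions made for illustration.

```powershell
# Added example. $users is constructed sample data; in a real domain the same
# properties could be read with:
#   Get-ADUser -Filter * -Properties department, employeeType
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; department = 'Finance';         employeeType = 'FTE' }
    [pscustomobject]@{ SamAccountName = 'bob';   department = 'finance ';        employeeType = 'FTE' }
    [pscustomobject]@{ SamAccountName = 'carol'; department = 'Finance-Interns'; employeeType = 'Intern' }
    [pscustomobject]@{ SamAccountName = 'dave';  department = $null;             employeeType = 'FTE' }
    [pscustomobject]@{ SamAccountName = 'erin';  department = 'Finance';         employeeType = 'Full-time' }
)

# Hypothetical helper: report empty values and spelling variants of one attribute.
function Get-ClaimAttributeSkew {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [Parameter(Mandatory)] [string]   $Attribute
    )
    foreach ($u in $User) {
        # An account without a value can never satisfy an Allow rule on that attribute.
        if ([string]::IsNullOrWhiteSpace($u.$Attribute)) {
            [pscustomobject]@{ Attribute = $Attribute; Issue = 'Empty'; Values = ''; Accounts = $u.SamAccountName }
        }
    }
    # Group values that are identical once case and surrounding whitespace are ignored.
    $User | Where-Object { -not [string]::IsNullOrWhiteSpace($_.$Attribute) } |
        Group-Object -Property { ([string]$_.$Attribute).Trim().ToLowerInvariant() } |
        ForEach-Object {
            # Select-Object -Unique compares case-sensitively, so each spelling is kept.
            $variants = @($_.Group | ForEach-Object { $_.$Attribute } | Select-Object -Unique)
            if ($variants.Count -gt 1) {
                [pscustomobject]@{
                    Attribute = $Attribute; Issue = 'Variants'
                    Values    = ($variants | ForEach-Object { "'$_'" }) -join ', '
                    Accounts  = ($_.Group.SamAccountName -join ', ')
                }
            }
        }
}

Get-ClaimAttributeSkew -User $users -Attribute department
# Synonyms such as 'FTE' and 'Full-time' are not spelling variants; only an
# agreed naming convention resolves those, so review the distinct values too.
$users | Group-Object -Property employeeType -NoElement

# PowerShell operators standing in for the two rule styles (not DAC's own engine).
$equalTo  = $users | Where-Object { $_.department -eq   'Finance' }
$contains = $users | Where-Object { $_.department -like '*Finance*' }
# Accounts that only the broader 'contains' style would let in.
$contains | Where-Object { $_.SamAccountName -notin $equalTo.SamAccountName } |
    Select-Object SamAccountName, department
```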

One Response to 10 Things you need to be aware of before deploying Dynamic Access Control


    11. Domain Functional level
    Domain Functional level has to be Windows 2012 or higher. This means that all your domain controllers have to be upgraded or replaced with Windows 2012 boxes.
