Access Control Model (ACM)

Controls whether a process can access objects and other resources in Active Directory, based on:

Access Control List (ACL)

An ACL is a list of Access Control Entries (ACEs). Each ACE either grants or denies an individual permission, or audits access. The ACL answers: who has permission on the object, and what can they do with it?

Two types: the DACL (Discretionary ACL) and the SACL (System ACL).

  1. A user receives a token when logging in.
  2. There is then an object, which can be a share, a user, a group or an Active Directory OU.

The user token is validated against object ACLs.

Example: how do DACLs work?

The process or thread on the left of the diagram has inherited the token of a Security Principal, which carries a User SID, Group SIDs, the PAC and other access information.

On the Object, by contrast, the DACL and/or SACL are defined.

Thread A has an Access Token with the privileges of user Andrew and of groups A, B and C, to which Andrew belongs. When the ACL check for Thread A is performed during access to the Object, access is denied because ACE 1 is an access-denied entry for the Read, Write and Execute operations for user Andrew.
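The token-against-DACL check described above (the login/token steps and the Thread A scenario), as a simplified simulation added here; it is not code from the original notes, and the SIDs, names and access-right bits are constructed:

```python
# Simplified model of the Windows DACL access check, added as an example (not
# from the original notes). SIDs, names and the ACE order are constructed.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4     # constructed access-right bits
RWX = READ | WRITE | EXECUTE

@dataclass
class AccessToken:
    """What the process/thread carries: its user SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset = field(default_factory=frozenset)

@dataclass
class ACE:
    kind: str    # "deny" or "allow"
    sid: str     # trustee (user or group SID) the entry applies to
    mask: int    # rights this entry covers

def access_check(token, dacl, requested):
    """Walk the DACL in order as the Windows AccessCheck does: a matching deny
    ACE that covers a still-ungranted requested right fails the check at once;
    allow ACEs accumulate until every requested right is covered."""
    if dacl is None:                    # NULL DACL: no protection at all
        return True, "NULL DACL grants everyone full access"
    token_sids = {token.user_sid} | set(token.group_sids)
    granted = 0
    for i, ace in enumerate(dacl, start=1):
        if ace.sid not in token_sids:
            continue                    # ACE is for some other trustee
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False, f"ACE {i} denies {ace.sid}"
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True, f"granted by ACE {i}"
    # An empty DACL, or one that never covers every right, means no access.
    return False, "no ACE grants the remaining rights"

# Constructed scenario from the notes: Andrew belongs to groups A, B and C.
ANDREW_SID, BOB_SID = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002"
GROUP_A, GROUP_B, GROUP_C = ("S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-2002",
                             "S-1-5-21-1-2-3-2003")
ANDREW = AccessToken(ANDREW_SID, frozenset({GROUP_A, GROUP_B, GROUP_C}))
BOB = AccessToken(BOB_SID, frozenset({GROUP_A}))
OBJECT_DACL = [
    ACE("deny", ANDREW_SID, RWX),   # ACE 1: explicit deny for Andrew
    ACE("allow", GROUP_A, RWX),     # ACE 2: group A may read/write/execute
]
```

Running `access_check(ANDREW, OBJECT_DACL, RWX)` fails on ACE 1 even though Andrew is in group A, while Bob, who only carries group A, is granted by ACE 2. Swapping the two ACEs would let the allow win for Andrew, which is why Windows keeps DACLs in canonical order with explicit deny entries before allow entries.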