The purpose of the Central Authorization Policy Rule (CAPR) is to provide a domain-wide definition of one isolated aspect of the organization's authorization policy. The administrator defines a CAPR to enforce one specific authorization requirement. Because a CAPR expresses only one requirement of the authorization policy, it can be defined and understood more simply than a single policy definition that compiles all of the organization's authorization requirements together.
The CAPR has the following attributes:
During an access check, each CAPR is first evaluated for applicability based on its applicability expression. If a CAPR is applicable, it is then evaluated to determine whether it grants the requesting user the requested access to the identified resource. The result of the CAPR evaluation is logically joined by AND with the result of the DACL on the resource and with the results of any other applicable CAPRs in effect on the resource, so access is granted only if the DACL and every applicable CAPR allow it.
Example CAPRs (illustrative syntax; the SD values use SDDL-style ACE strings with conditional expressions):

[HBI-POLICY]
APPLIES-TO="(@resource.confidentiality == HBI)"
SD="D:(A;;FA;;;AU;(@memberOf("Smartcard Logon")))"
StagingSD="D:(A;;FA;;;AU;(@memberOf("Smartcard Logon") AND memberOfAny(Resource.ProjectGroups)))"
description="Control access to sensitive information"

[RETENTION-POLICY]
Applies-To="@resource.retention == true"
SD="D:(A;;FA;;;BA)(A;;FR;;;WD)"
description="If the document is marked for retention, then it is read-only for everyone; however, Local Admins have full control so they can take documents out of retention when the time comes"

[TEST-FINANCE-POLICY]
Applies-To="@resource.label == 'finance'"
SD="D:(A;;FA;;;AU;(member_of(FinanceGroup)))"
description="Department: Only employees of the finance department should be able to read documents labeled as finance"
In Windows 8, deny ACEs are not supported in a CAPR. The CAPR authoring UX does not allow creation of a deny ACE. Additionally, when the LSA retrieves the CAP from Active Directory, it verifies that no CAPR contains a deny ACE. If a deny ACE is found in any CAPR, the entire CAP is treated as invalid and is not copied to the registry or to the SRM.
Note: The access check itself does not enforce the absence of deny ACEs; if a deny ACE is present in a CAPR, it will be applied. It is expected that authoring tools will prevent this from happening.
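As an added example (not Microsoft's code and not the actual LSA or SRM implementation), the following Python model shows the two behaviours described above: the LSA-side rejection of a CAP that contains a deny ACE, and an access check in which each applicable CAPR's result is ANDed with the DACL result. The rule and ACE structures, group names, access masks and resource attributes are constructed here for the model.

```python
# Toy model of CAPR evaluation (constructed example, not Microsoft code).
from dataclasses import dataclass
from typing import Callable, Dict, List

Ctx = Dict[str, object]   # user context (claims/groups) or resource attributes

@dataclass
class Ace:
    allow: bool                                   # False models a deny ACE
    access: int                                   # access mask granted/denied
    cond: Callable[[Ctx], bool] = lambda u: True  # conditional-ACE predicate

@dataclass
class Capr:
    name: str
    applies_to: Callable[[Ctx], bool]  # applicability expression over resource
    aces: List[Ace]                    # the rule's (SD-equivalent) DACL

FA, FR = 0x1F01FF, 0x120089   # FILE_ALL_ACCESS / FILE_GENERIC_READ masks

def validate_cap(rules: List[Capr]) -> bool:
    """LSA-side check: a CAP with any deny ACE in any CAPR is invalid."""
    return all(ace.allow for r in rules for ace in r.aces)

def acl_grants(aces: List[Ace], user: Ctx, requested: int) -> bool:
    """ACE walk: a matching deny wins; allows accumulate until covered."""
    granted = 0
    for ace in aces:
        if not ace.cond(user):
            continue                      # conditional ACE does not apply
        if not ace.allow and ace.access & requested:
            return False
        granted |= ace.access
        if granted & requested == requested:
            return True
    return False

def access_check(dacl, rules, user: Ctx, resource: Ctx, requested: int) -> bool:
    """DACL result AND every applicable CAPR; non-applicable rules are skipped."""
    if not acl_grants(dacl, user, requested):
        return False
    return all(acl_grants(r.aces, user, requested)
               for r in rules if r.applies_to(resource))

# Constructed sample: the HBI and retention rules from the text, in this model.
HBI = Capr("HBI-POLICY", lambda r: r.get("confidentiality") == "HBI",
           [Ace(True, FA, lambda u: "Smartcard Logon" in u["groups"])])
RETENTION = Capr("RETENTION-POLICY", lambda r: r.get("retention") is True,
                 [Ace(True, FA, lambda u: "BA" in u["groups"]), Ace(True, FR)])
DACL = [Ace(True, FA)]   # resource DACL alone would give everyone full access
```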
CAPRs are created through a new UX provided in Active Directory Administrative Center (ADAC). In ADAC, a new task option is provided to create a CAPR. When this task is selected, ADAC prompts the user with a dialog asking for a CAPR name and a description. Once these are provided, the controls for defining the remaining CAPR elements become enabled. For each of the remaining CAPR elements, the UX calls out to the ACL UI to allow definition of the expression and/or ACLs.