Dynamic Access Control developer extensibility

The Dynamic Access Control (DAC) scenario, as delivered in Windows Server 2012, has a variety of developer extensibility points that add customization potential for your applications development. Many of these extensibility points are outlined in this topic, some with additional information and others to be further developed.


The DAC developer extensibility areas are organized by types of extensibility. These are outlined in the set of tables that follow. These extensibility points, or programmatic customization points, are intended for experienced programmers.

Managing Central Access Policies

Creating Central Access Policies (CAP) for files allow organizations to centrally deploy and manage authorization policies that include conditional expressions using security groups, user claims, device claims, and resource properties. These polices are based on compliance and business regulatory requirements. These policies are created and hosted in Active Directory (AD), therefore making it easier to manage and deploy.

Some aspects of CAP management can be further configured programmatically through AD and are outlined as follows.

For more information on CAPs, see Dynamic Access Control Scenario: Central Access Policy on TechNet or Centralized Authorization Policy on MSDN.

Scenario Guidance
A partner that develops policy management and modeling solutions integrates with the DAC access and audit policy so that the policies can be configured through the policy management solution that the partner provides.
How to use central access policies for DAC
Active directory configuration for DAC objects: How to set up a claim type, Dynamic Access Control objects in Active Directory
How to read DAC objects using LDAP

User claim provisioning to Active Directory

In Windows Server 2012, the AD Domain Server maintains a claims dictionary in each forest and all claim types in use within the forest are defined at the AD forest level.

Custom user claims provisioning can be effected programmatically.

Scenario Guidance
A partner develops a product that allows organizations to manage user claims in AD so that organizations can source the claims from multiple repositories as well as delegate the assignment of specific claims and specific values for these claims.
How to use central access policies
How to set up a claim type
Dynamic Access Control containers in Active Directory
How to set up a resource property

Creating DAC compatible file classification properties

By creating file classification properties on files in a manner compatible with DAC, Central Access Policies are correctly applied to files that are stored or move to a Windows Server 2012 share.

Scenario Guidance
Providing automatic and manual classification of files on Windows and non-Windows based machines. When those files are moved to a DAC enabled workload, the corresponding Central Access Policy is enforced.
Accessing Classification Properties
[MS-FCIADS]: File Classification Infrastructure Alternate Data Stream (ADS) File Format

Classification-aware applications

Classification-aware applications are applications that create or consume file classification properties on files. These applications range from a Line of Business type application that classify files they create based on the value of the data, for example Impact=High, to Information Worker applications such as a data entry application that allows the user to determine the classification of the information they are creating.

Scenario Guidance
Users saving a picture in a paint application are asked to determine the classification of the file before they are allowed to save the file.
Applications can read the classification information on files they are manipulating and display it so that users can view how the file is classified. They can also allow users to change the classification properties, updating them using the classification APIs. For more information see Accessing Classification Properties
Users are manually classifying many files on client and server.
Bulk file classification: The classification manager interfaces (see the File Server Resource Manager (FSRM) Interfaces topic) provides clear, enumerate, get, and set capability for classification properties on files. It also provides a Classifying Files API to efficiently classify files as a bulk operation through call-backs within FCI for each individual file. For more information, see Classifying Files.
A Data Leakage Protection (DLP) solution sees the classification and acts on it.
A data leakage protection solution can read classification information stored on the file then apply a policy such as alerting users that are trying to store sensitive information on a USB device or a user is sending sensitive documents through email. For more information see Accessing Classification Properties.
An application moving data from one repository to another can classify the data based on its knowledge of the data.
When a line of business application moves data from a repository, such as a database, and stores it on a file server (e.g.: as an Excel spreadsheet) it can also classify the file according to the business needs (e.g.: PII=Yes, Impact=High). For more information see Accessing Classification Properties.

Audit event analysis for compliance reporting and forensic analysis

Security auditing is not new to Windows, it has been around since Windows NT. In Windows Server 2012 and Windows 8 we have made significant improvements to auditing by:

  • Reducing audit volume by introducing expression-based audit policies that help target relevant data
  • Improving consumption of audit events by adding more metadata to the events which in turn can be consumed by audit analysis tools to enable users get to the most relevant events quickly
  • Making it possible to test changes to CAPs directly in the production environment through Staging

Developers of audit event reporting and analysis tools can leverage these improvements to enhance their products with better audit reports that help users answer questions such as "Who access my finance information in the last three months?" or "How will this proposed change in access policy impact my users?".

Scenario Guidance
The developer of an audit event analysis and reporting solution wants to enhance his product with new reports that help users understand file access in their Enterprise and helps them deploy changes to the CAPs.
How to enrich audit reporting covers these events: file access, user logon and staging

Integrating DAC access and audit policies into applications

Integrating DAC access and audit policies into applications enables those applications to use the new authorization capabilities in Windows Server 2012 so that they can implement scenarios such as centrally managed access control that spans across the application and other data repositories or access control based on conditional expressions and user/device claims.

Scenario Guidance
Integrating claims, resource properties and conditional expressions into custom resource managers.
Understanding Windows Access Control - see How AccessCheck Works
Performing runtime authorization in resource manager applications Using AuthZ API section - see Effective access rights for files sample
How to integrate the ACL-UI into an application - see Authentication and authorization DACL editor sample
Programmatically manage access control policy: AddConditionalAce, AddResourceAttributeAce
How to author SDDL based on SDDL reference content - see Authentication and authorization DACL editor sample and [MS-DTYP]: Security Descriptor Description Language
Use Central Access Policies (CAP) on resource manager applications such as non-Windows file servers.
Reading CAP definitions from AD - see How to enumerate Active Directory definitions for user and device claims and resource properties and AddScopedPolicyIDAce
Setting resource attributes and central access control - see Setting central access control and resource attributes sample
Deploy a Central Access Policy using PowerShell - see Central access policy ID lookup sample
Deploy a Central Access Policy (Demonstration Steps)

Constructing a plug-in for the File Classification Infrastructure

Constructing a plug-in for the File Classification Infrastructure (FCI) is enables Data Leakage Prevention (DLP) solutions to plug into the new DAC capabilities so that customers can control access, audit and encryption based on the DLP solution's analysis engine.

Scenario Guidance
Advanced classification used to apply access, audit, encryption, and data life-cycle management policies to information on file servers.
Developing FCI Pipeline Modules

Data management for file servers

Data management for file servers provides solutions to manage the vast amount of fast growing unstructured data on file servers. Using the FCI capabilities, developers can enhance their product to enable data management based on the business value (classification properties) of the files so that organizations can define data management policies across their unstructured repositories.

Scenario Guidance
A partner product implements data life-cycle management on file servers based on classification of the data.
For examples see Accessing Classification Properties and Classifying Files.

DAC How-to topics

How to configure a file management task

How to create a custom storage plug-in

How to enrich audit reporting

How to read Dynamic Access Control objects using LDAP

How to use custom file classification

How to use central access policies for dynamic access control

Dynamic Access Control containers in Active Directory

How to set up a claim type

How to set up a resource property

How to setup a central access rule

How to setup a central access policy

Additional resources

Deploy a Central Access Policy (Demonstration Steps) [TechNet]

Dynamic Access Control: Scenario Overview [TechNet]

Extensible File Classification Infrastructure

Working with File Classification

Automatically uploading files from File Server to SharePoint using the File Classification Infrastructure (FCI)

Create a Custom File Management Task

Developing FCI Pipeline Modules

Using FSRM

FSRM Interfaces

What's New in FSRM in Windows Server 2012


Central Access Policy

How AccessCheck Works