Effective Permissions Report with DAC - JiJi AuditReporter
The Dynamic Access Control (DAC) facility, introduced in Windows Server 8, is a nice provision for security management. Previous versions of Windows enforced file and folder security by granting access to users and groups directly, so many security groups had to be created and managed to offer access. With DAC, administrators can add conditional expressions based on AD attributes to grant permissions. This has considerably reduced group management complexity. Dynamic Access Control can be applied in addition to any existing share and NTFS permissions, enforcing centrally governed rules. Dynamic Access Control is one of the key components of Active Directory in Windows Server 8.
Claims / Resources
Earlier, claims-based authorization was used in Active Directory Federation Services (ADFS) and Windows Identity Foundation (WIF). In a similar fashion, claims-based authorization is applied in DAC, with AD attribute values serving as claims. These claims can be used in a Central Access Policy to define the conditions for access. You can set claims for both users and devices, for example “user.department == Finance” and “device.managed == true”. The other exclusive feature of Server 8 that attracts everyone is the ability to classify files and folders by tagging them with resource properties, so access can also be controlled by the resource's properties. You can now write a condition like “resource.country == US” and “user.department == Finance”.
JiJi AuditReporter - Effective Permissions Report
JiJi AuditReporter is an auditing tool that supports Windows Server 8 and generates an effective permissions report for a set of users on one or more shares. Effective access permissions are calculated by taking into account the existing share and NTFS permissions, Dynamic Access Control (DAC) and the Central Access Policy (CAP). The report therefore displays the resultant access permissions for the users on the shares.
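A simplified model of the calculation described above, combining the claim conditions from the Claims / Resources section with share and NTFS permissions. This is an added example, not JiJi AuditReporter's code or the Windows access-check algorithm; it assumes effective access is the intersection of what the share, NTFS and each applicable central access rule allow, and the rule contents, right names and helper names are constructed for illustration.

```python
from dataclasses import dataclass

def holds(terms, ctx):
    """All (scope, attribute, value) terms must match; a missing claim never matches."""
    return all(ctx.get(scope, {}).get(attr) == value for scope, attr, value in terms)

@dataclass
class CentralAccessRule:
    target: list   # resource-property terms selecting the files this rule governs
    entries: list  # (terms, rights) pairs: rights granted when the terms hold

    def rights(self, ctx):
        granted = set()
        for terms, rights in self.entries:
            if holds(terms, ctx):
                granted |= rights
        return granted

def effective_rights(share, ntfs, policy, ctx):
    """Rights allowed by the share AND NTFS AND every rule whose target matches."""
    result = set(share) & set(ntfs)
    for rule in policy:
        if holds(rule.target, ctx):   # rule is skipped for resources it does not target
            result &= rule.rights(ctx)
    return result

# Constructed sample data (assumed for illustration, not from a real environment).
SHARE = {"read", "write"}
NTFS = {"read", "write", "delete"}
POLICY = [CentralAccessRule(
    target=[("resource", "country", "US")],
    entries=[
        ([("user", "department", "Finance"), ("device", "managed", True)], {"read", "write"}),
        ([("user", "department", "Finance")], {"read"}),
    ],
)]

def request(department, managed, country):
    """Build the claim context for one access check; None means the claim is absent."""
    user = {"department": department} if department else {}
    return {"user": user, "device": {"managed": managed}, "resource": {"country": country}}

if __name__ == "__main__":
    for args in [("Finance", True, "US"), ("Finance", False, "US"),
                 ("Sales", True, "US"), ("Sales", True, "DE"), (None, True, "US")]:
        print(args, sorted(effective_rights(SHARE, NTFS, POLICY, request(*args))))
```

The cases worth checking in a real report are the same ones the loop walks: a user whose AD attribute is empty, a device without the expected claim, and a resource that was never tagged and therefore falls outside the rule.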
Some of the nice features of Effective Permissions Report are:
- Effective permissions for a set of users on a set of shares are calculated in one go.
- User’s claims are automatically retrieved from Active Directory attributes for effective permission calculation.
- The generated report can be switched between Advanced Permission View and Basic Permission View.
- The generated report can be filtered as in Microsoft Excel.
- The generated report can be exported to PDF/HTML/Excel.
The screenshot below shows how administrators can provide multiple users and multiple shares to generate the Effective Permissions Report. Here the administrator has a folder option to generate the Effective Permission Report for the top-level folder or for a given ‘n’ level. The administrator also has the option to exclude files in the folders.
The screenshot below shows part of the generated Effective Permission Report.
The administrator can group the generated report by any of the columns as shown below (Grouped by share path and user name).
This grouped report is the same as in the Windows Server 8 Effective Permission Security Properties tab. The report generated above is shown with the Advanced Permissions set. The administrator can also switch to the Basic Permission set, as shown below.
In the generated report, we can filter the report based on multiple columns as in Microsoft Excel.