DAC (Dynamic Access Control) is a new authorization model that greatly simplifies management of access to information resources.
With DAC, Microsoft introduces Attribute Based Access Control (ABAC) natively in the operating system which gives companies the ability to define policies that control access to files based on their business value and risk by utilizing the classification of the data and properties of users or devices in determining access.
The key appeal of DAC is that it extends Group Policy and access-control functions applied to file shares managed by AD. It does so by integrating claims-based authentication using Kerberos tokens.
Instead of only describing users by their individual SID and which security groups they're assigned to, DAC also makes it possible to validate claims based on different attributes in Active Directory, such as a user's department, location, role, title and security clearance, to name just a few, as well as how files are classified.
DAC operates using a combination of user/device claims and resource properties and by applying Claim Rules that take those components into consideration in determining access to resources.
Claims are user or computer attributes that are (a) based upon Active Directory schema attributes; and (b) extensions to a user or computer’s Kerberos security token. Resource properties can be assigned to files/folders that can be used to identify and classify documents as well as be used as part of the authorization process.
For example, a user might have complete read-write access to certain files when at a specific location, but read-only access when accessing those same files from home. Another condition might include what kind of device is accessing the data, such as a user-owned computer, tablet or smartphone versus a company-administered system.
DAC allows for the creation of Central access policies for files allowing organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties. These polices could be based on compliance and business regulatory requirements. For example, control access to files by applying safety-net policies that use central access policies defining who can and cannot access health information within the organization. These policies are created and hosted in Active Directory, therefore making it easier to manage and deploy.
In summary DAC offers:
- More security through a more precise control of access rights
- Easy formulation and integration of business requirements
- Protection of files regardless of their storage location
- Complete and company-wide solution