Deploying DAC follows a basic workflow. The key component of DAC is a
central access policy. The workflow for creating a central access policy
begins with configuring claims; as mentioned previously, these are
properties used to compare user accounts and files to determine if a user
has the requirements needed to access a file. These properties, or claims,
are added to a resource property list.
The next steps involve the actual creation of the central access
policy. The resource property list is applied to this policy, and the
policy is then published throughout the domain.
We can then deploy DAC to file servers, and the central access
policy is pushed out to folder shares.
The last step is to validate DAC. The process is summed up in the
chart in Figure 1.
When configuring claim types for users, you are adding existing Active
Directory attributes to the list of attributes used to evaluate who gets
access to what.
In this example deployment, we’ll use the Payroll user department
as part of the calculation to determine whether a user has access to
files in the Payroll folder share.
From Server Manager, open Tools and then Active Directory
Administrative Center, and click Dynamic Access Control. Click Claim
Type→New→Claim Type.
Under Source Attribute in the resulting window, scroll to look for
Department; then, click that attribute and make Value Type equal String.
Here, we are basing the new claim type we will create on the existing
Department attribute.
Under Display Name, type Department and click OK. (See Figure 2.)
In the Active Directory Administrative Center, you will now see a
new claim type.
Note
In Figure 2, you can see
the option “Protect from accidental deletion.” This protection is
enabled by default for objects created in DAC. If you want to delete
an object, you must uncheck this option.
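The claim-type step above, followed by the remaining workflow steps (resource property list, central access rule, central access policy), scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original text; the claim ID "ad://ext/Department", the built-in "Department_MS" resource property, the rule and policy names, and the conditional-ACE SDDL are assumptions to be checked against your own forest.

```powershell
# Added example (not from the original text). Assumed values are marked.
Import-Module ActiveDirectory

# Step 1: claim type sourced from the existing AD "department" attribute
# (what Figure 2 does in ADAC). The String value type is inferred from the
# attribute's LDAP syntax. Objects created here are protected from
# accidental deletion by default, as the Note above describes.
New-ADClaimType -DisplayName "Department" `
    -SourceAttribute "department" `
    -ID "ad://ext/Department" `              # assumed ID
    -Enabled $true `
    -ProtectedFromAccidentalDeletion $true

# Verify the claim type was created with the expected source and value type.
Get-ADClaimType -Filter 'DisplayName -eq "Department"' |
    Select-Object DisplayName, SourceAttribute, ValueType, ProtectedFromAccidentalDeletion

# Step 2: resource property list. Department_MS is the built-in resource
# property used to tag folders; enable it and add it to the default list
# so file servers can classify the Payroll share with it.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Department_MS"

# Step 3: central access rule. The resource condition scopes the rule to
# folders tagged Department = Payroll; the conditional ACE (XA) grants
# Modify (0x1301bf) only to users whose Department claim is Payroll.
# Assumed SDDL; confirm it against the expression ADAC generates.
$ruleAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
           '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == "Payroll"))'
New-ADCentralAccessRule -Name "Payroll Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS == "Payroll")' `
    -CurrentAcl $ruleAcl

# Step 4: central access policy containing the rule. Publishing it to the
# file servers is a Group Policy step (Security Settings > File System >
# Central Access Policy), after which it can be applied to the share.
New-ADCentralAccessPolicy -Name "Payroll Policy"
Add-ADCentralAccessPolicyMember -Identity "Payroll Policy" -Members "Payroll Rule"

# Cleanup path: because of the accidental-deletion guard, removing the
# claim type requires clearing the flag first (left commented on purpose).
# Set-ADClaimType -Identity "ad://ext/Department" -ProtectedFromAccidentalDeletion $false
# Remove-ADClaimType -Identity "ad://ext/Department"
```

Run this from a domain member with RSAT on a domain whose schema and KDCs support claims; validate afterwards with the Effective Access tab on the Payroll folder, which is the last workflow step above.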