AGDLP
AGDLP briefly summarizes Microsoft's recommendations for implementing role based access control (RBAC) using nested groups in a native-mode Active Directory (AD) domain: user and computer accounts are members of global groups that represent business roles, which are in turn members of domain local groups that describe resource permissions or user rights assignments. AGUDLP (for "account, global, universal, domain local, permission") and AGLP (for "account, global, local, permission") summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.

Details

Role based access controls simplify routine account management operations and facilitate security audits. System administrators do not assign permissions directly to individual user accounts. Instead, individuals acquire access through their roles within an organization, which eliminates the need to edit a potentially large (and frequently changing) number of resource permissions and user rights assignments when creating, modifying, or deleting user accounts. Unlike traditional access control lists, permissions in RBAC describe meaningful operations within a particular application or system instead of the underlying low-level data object access methods. Storing roles and permissions in a centralized database or directory service simplifies the process of ascertaining and controlling role memberships and role permissions. Auditors can analyze permission assignments from a single location without having to understand the resource-specific implementation details of a particular access control.

RBAC in a Single AD Domain

Microsoft's implementation of RBAC leverages the different security group scopes featured in Active Directory:

Global security groups : Domain security groups with global scope represent business roles or job functions within the domain. These groups may contain accounts and other global groups from the same domain, and they can be granted permissions on resources in any domain in the forest. Because the global catalog does not store global group membership, these groups can change frequently without triggering global catalog replication.

Domain local security groups : Domain security groups with domain local scope describe the low-level permissions or user rights to which they are assigned. These groups can only be granted permissions or rights on resources in the same domain. Domain local groups may contain accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.

Global groups that represent business roles should contain only user or computer accounts. Likewise, domain local groups that describe resource permissions or user rights should contain only global groups that represent business roles. Accounts or business roles should never be granted permissions or rights directly, as this complicates subsequent rights analysis: an auditor who finds a user or a global group in an ACL can no longer read the role-to-permission mapping from the group structure alone.
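The three rules above can be checked mechanically. The following PowerShell script is an added example, not code from the original article or from Microsoft: it walks the domain's global and domain local security groups and the explicit ACEs on one folder, and reports every departure from the AGDLP layering. It assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership and the folder's ACL, and that the folder path (taken from the article's example) is reachable; the `$allowedNestedScopes` setting is a hypothetical knob for extending the check to AGUDLP.

```powershell
# Added example (not from the original article): audit AGDLP compliance.
# Assumes the RSAT ActiveDirectory module and read access to the groups and folder.
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[string]

# Scopes a domain local (permission) group may legitimately contain.
# Single-domain AGDLP: only global role groups. For AGUDLP add 'Universal'.
$allowedNestedScopes = @('Global')

# Rule 1: global (role) groups should contain only user and computer accounts.
foreach ($g in Get-ADGroup -Filter 'GroupScope -eq "Global" -and GroupCategory -eq "Security"') {
    foreach ($m in Get-ADGroupMember -Identity $g) {
        if ($m.objectClass -notin @('user', 'computer')) {
            $findings.Add("Global group '$($g.Name)' contains non-account member '$($m.Name)' ($($m.objectClass))")
        }
    }
}

# Rule 2: domain local (permission) groups should contain only role groups, never accounts.
foreach ($g in Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"') {
    foreach ($m in Get-ADGroupMember -Identity $g) {
        if ($m.objectClass -ne 'group') {
            $findings.Add("Domain local group '$($g.Name)' contains account '$($m.Name)' directly")
            continue
        }
        $scope = (Get-ADGroup -Identity $m.distinguishedName).GroupScope
        if ($scope -notin $allowedNestedScopes) {
            $findings.Add("Domain local group '$($g.Name)' contains $scope group '$($m.Name)'")
        }
    }
}

# Rule 3: explicit (non-inherited) ACEs on a resource should name domain local groups only.
$folder = '\\nyc-ex-svr-01\groups\bizdev'   # path from the article's example; hypothetical server
$acl = Get-Acl -Path $folder
foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    # Skip well-known principals (BUILTIN\Administrators, NT AUTHORITY\SYSTEM, CREATOR OWNER, ...),
    # which are not domain accounts and are outside the AGDLP model.
    if (-not $sid.IsAccountSid()) { continue }
    $grp = Get-ADGroup -Filter "objectSid -eq '$($sid.Value)'"
    if ($null -eq $grp) {
        $findings.Add("ACE on $folder grants '$($ace.IdentityReference)' to a non-group principal")
    } elseif ($grp.GroupScope -ne 'DomainLocal') {
        $findings.Add("ACE on $folder grants '$($ace.IdentityReference)', a $($grp.GroupScope) group, instead of a domain local group")
    }
}

if ($findings.Count -eq 0) { 'No AGDLP violations found.' } else { $findings }
```

Two practical notes: the built-in domain local groups in the Builtin container (Administrators, Users, and so on) deliberately contain accounts and foreign security principals and will be reported by Rule 2, so in practice the group queries are usually restricted with `-SearchBase` to the OUs that hold role and permission groups; and `Get-ADGroupMember` refuses groups with more than about 5,000 members by default, so very large role groups need their `member` attribute read directly.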

RBAC in AD Forests

In multi-domain environments, the different domains within an AD forest may only be connected by expensive WAN links or VPN connections, so special domain controllers called global catalog servers hold a partial replica of every domain's objects (selected object classes and attributes) in order to reduce costly or slow inter-domain directory lookups. The global catalog stores the membership of universal groups but not the membership of global groups, making membership look-ups of universal groups much faster than similar queries of global groups. However, any membership change to a universal group triggers (potentially expensive) global catalog replication, and universal groups are usually administered centrally at the forest level, which is inappropriate for the delegated, per-domain administration found in most large enterprises. These two limitations prevent universal security groups from completely replacing global security groups as the sole representatives of an enterprise's business roles. Instead, RBAC implementations in these environments use universal security groups to represent roles across the enterprise while retaining domain-specific global security groups, as illustrated by the abbreviation AGUDLP: accounts are placed in global groups, global groups in universal groups, universal groups in domain local groups, and the domain local groups receive the permissions.

RBAC in Non-AD Domains

Domains in Windows NT 4.0 and earlier only have global (domain-level) and local (machine-level) groups and do not support nesting one global group inside another. The abbreviation AGLP refers to these limitations as applied to RBAC implementations in older domains: global groups represent business roles, while local groups (created on the domain member servers themselves) represent permissions or user rights.

Example

Given a shared folder, \\nyc-ex-svr-01\groups\bizdev; a business development group within the organization's Marketing department, represented in Active Directory as the (existing) global security group "Business Development Team Member"; and a requirement that the entire group have read-write access to the shared folder, an administrator following AGDLP might implement the access control as follows:
  1. Create a new domain local security group in Active Directory named "Change permission on \\nyc-ex-svr-01\groups\bizdev".
  2. Grant that domain local group the NTFS "Modify" permission set (read, write, execute, and delete; the NTFS counterpart of the share-level "Change" permission) on the "bizdev" folder. (Note that NTFS permissions are stored in the folder's security descriptor and are distinct from the share permissions set on the SMB share; when a folder is reached through a share, both are evaluated and the more restrictive result applies.)
  3. Make the "Business Development Team Member" group a member of the "Change permission on \\nyc-ex-svr-01\groups\bizdev" group.


To highlight the advantages of RBAC using this example, if the Business Development Team required additional permissions on the "bizdev" folder, a system administrator would only need to edit a single access control entry (ACE) instead of, in the worst case, editing as many ACEs as there are users with access to the folder. Likewise, when someone joins or leaves the team, only that person's membership in the global group changes; no ACL on any resource is touched.
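The three steps above, written out as a PowerShell script. This is an added example, not code from the original article or from Microsoft. It uses the RSAT ActiveDirectory module and the standard .NET file-system ACL classes; the server, share and group display names come from the article's example, while the OU path and the short sAMAccountName for the new group are hypothetical, since the article gives only a display name. Run it as an account that can create groups in that OU and change the folder's NTFS ACL.

```powershell
# Added example (not from the original article): implement the AGDLP steps for the
# bizdev share. Assumes the RSAT ActiveDirectory module; OU and sAMAccountName are hypothetical.
Import-Module ActiveDirectory

$share     = '\\nyc-ex-svr-01\groups\bizdev'                       # from the article's example
$roleGroup = 'Business Development Team Member'                    # existing global group
$permName  = 'Change permission on \\nyc-ex-svr-01\groups\bizdev'  # display name from the article
$permSam   = 'ACL_bizdev_Modify'                                   # hypothetical short name
$groupOU   = 'OU=Resource Groups,DC=example,DC=com'                # hypothetical OU

# Sanity check: the role group must be a global security group, otherwise nesting it
# below would break the AGDLP layering rather than implement it.
$role = Get-ADGroup -Identity $roleGroup
if ($role.GroupScope -ne 'Global' -or $role.GroupCategory -ne 'Security') {
    throw "'$roleGroup' is not a global security group (scope=$($role.GroupScope), category=$($role.GroupCategory))"
}

# Step 1: a domain local security group named for the permission it carries.
$perm = Get-ADGroup -Filter "SamAccountName -eq '$permSam'"
if ($null -eq $perm) {
    $perm = New-ADGroup -Name $permName -SamAccountName $permSam `
                        -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
                        -Description "NTFS Modify on $share (AGDLP permission group)" -PassThru
}

# Step 2: grant the group NTFS Modify (ReadAndExecute + Write + Delete) on the folder,
# inherited by subfolders and files. The ACE is written with the group's SID rather than
# its name, so it does not depend on the new group being resolvable by name yet.
# Share permissions on the SMB share are separate and are not changed here.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $perm.SID,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Step 3: nest the role group in the permission group. Accounts never appear here.
Add-ADGroupMember -Identity $perm -Members $role

# Verify: the folder's explicit ACEs should now include the permission group with Modify.
(Get-Acl -Path $share).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

A caveat that bites in practice: group membership is evaluated when a user's access token is built at logon, so a person added to "Business Development Team Member" (or to any group nested under it) gains access to the folder only after logging on again or otherwise obtaining a fresh token. The ACE itself is effective as soon as `Set-Acl` returns.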
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK