IT:AD:Design:Investigations:Security:Authorisation:DAC
Summary
Access is determined by the Owner of the Object (i.e., at the Owner's discretion).
Notes
There are two parts to the solution:
- Security Tokens, which contain:
  - The security identifier (SID) for the user's account
  - SIDs for the groups of which the user is a member
  - A logon SID that identifies the current logon session
  - A list of the privileges held by either the user or the user's groups
  - An owner SID
  - The SID for the primary group
  - The default DACL that the system uses when the user creates a securable object without specifying a security descriptor
  - The source of the access token
  - Whether the token is a primary or impersonation token
  - An optional list of restricting SIDs
  - Current impersonation levels
  - Other statistics
- SIDs, which define:
  - Ownership:
    - The Owner/Trustee starts as the Object's Creator, until reassigned to another Trustee.
    - Note that in NTFS, if the Owner is a member of the Administrators group, the Owner becomes the Administrators group.
  - Access Permissions:
    - A per-Object list of permissions Subject users have on the Object.
A DAC is implemented using an actual (or implied) Security Descriptor per object (see: Descriptors).
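As an added illustration (not code from this page or from any Windows/.NET library), the following is a simplified model of how the DACL in a Security Descriptor is evaluated against the SIDs in a Token; the SID strings and access-mask values used are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Access-mask bits (constructed for this example; real Win32 masks differ).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000

@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID this ACE applies to
    mask: int   # rights granted or denied

@dataclass
class SecurityDescriptor:
    owner: str                        # owner SID
    dacl: Optional[List[Ace]] = None  # None models a NULL DACL, [] an empty one

@dataclass
class Token:
    user: str                                         # user SID
    groups: List[str] = field(default_factory=list)   # group SIDs

    def sids(self) -> set:
        return {self.user, *self.groups}

def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """True if every bit of `desired` is granted to `token` on `sd`.
    Rules modelled: a NULL DACL grants everything and an empty DACL nothing;
    the owner implicitly holds READ_CONTROL | WRITE_DAC; ACEs are walked in
    order, allows accumulate rights, and a deny covering any right not yet
    granted ends the check (so denies must precede allows to be effective).
    """
    if sd.dacl is None:
        return True
    granted = 0
    if sd.owner in token.sids():
        granted |= READ_CONTROL | WRITE_DAC
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        remaining = desired & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
        if desired & ~granted == 0:
            return True
    return desired & ~granted == 0
```

The last case worth trying is an allow ACE placed before a deny for the same trustee: the right is granted before the deny is reached, which is why tools enforce canonical (deny-first) ACE order.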
Solutions
As far as I know, there are no pre-built .NET libraries that one can use right out of the box. Hence:
Look at Rhino Security for a possible way to do it by hand: http://weblogs.asp.net/arturtrosin/archive/2009/04/02/rhino-tools-rhino-security-guide.aspx