Channel: File Services and Storage forum

Dynamic Access Control - Multiple Rules


Greetings!

My aim: Protect a Share only with DAC and without using AD-Groups, but allow different access to differently classified users.

In Detail:
Share - Auth.Users - Full
NTFS - Auth.Users - Full (come down, testing purposes ;-)
DAC - AD-Users with Attribute "Department" IT - Modify

Everything works fine - as long as I do this:
CentralAccessRule1, condition: user.department equal resource.department

-> Users without the department-attribute: no access at all; Users with Attribute department set: modify

Ok, next step, problems arising. I want: Users with an additional attribute "Title" Manager to have FullAccess
DAC - AD-Users with attribute "Department" IT - Modify AND attribute "Title" Manager - Full

CentralAccessRule2, user.department equal resource.department AND user.title equal resource.title

BANG!
Now a user with the attribute "department" no longer has access, forbidden because of CAR2.
A User with both attributes set has modify, full is forbidden because of CAR1.

What am I missing? It can't be impossible, I'm sure I got something wrong...

Thank you all, any hints are appreciated!

OJ
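
The two results in the post are what you get when a central access policy combines its rules restrictively: access has to be granted by the share ACL, the NTFS ACL and every applicable central access rule, while allow entries inside one rule accumulate. The Python model below is an added example, not part of the original post and not Windows code; it reproduces both outcomes and compares them with a single rule carrying two conditional entries. The function names, the attribute dictionaries and the three-level rights scale are assumptions made for illustration.

```python
# Simplified model of central access policy evaluation (illustrative, constructed).
# Rights are reduced to an ordered scale so "intersection" is min and "union" is max.
NONE, MODIFY, FULL = 0, 1, 2

def dept_match(user, res):
    # user.department equal resource.department (a missing attribute never matches)
    return user.get("department") is not None and user["department"] == res.get("department")

def dept_and_title_match(user, res):
    # user.department equal resource.department AND user.title equal resource.title
    return (dept_match(user, res)
            and user.get("title") is not None and user["title"] == res.get("title"))

def rule_access(rule, user, res):
    """One rule is a list of (condition, level) allow entries; matching entries add up."""
    return max((level for cond, level in rule if cond(user, res)), default=NONE)

def effective_access(policy, user, res, share=FULL, ntfs=FULL):
    """Share ACL, NTFS ACL and every rule in the policy must each grant the access."""
    return min([share, ntfs] + [rule_access(rule, user, res) for rule in policy])

# The setup from the post: two separate rules in one policy.
CAR1 = [(dept_match, MODIFY)]
CAR2 = [(dept_and_title_match, FULL)]
POLICY_AS_POSTED = [CAR1, CAR2]

# Alternative: one rule with both conditional allow entries.
POLICY_SINGLE_RULE = [[(dept_match, MODIFY), (dept_and_title_match, FULL)]]

# Constructed sample data.
RESOURCE = {"department": "IT", "title": "Manager"}
USERS = {
    "no attributes": {},
    "IT user": {"department": "IT"},
    "IT manager": {"department": "IT", "title": "Manager"},
}

def evaluate(policy):
    names = {NONE: "none", MODIFY: "modify", FULL: "full"}
    return {name: names[effective_access(policy, user, RESOURCE)]
            for name, user in USERS.items()}

if __name__ == "__main__":
    print("two rules  :", evaluate(POLICY_AS_POSTED))
    print("single rule:", evaluate(POLICY_SINGLE_RULE))
```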

