You can secure access by using Dynamic Access Control and by creating central access policies in Active Directory and applying them to files and folders on Storage Virtual Machines (SVMs) through applied Group Policy Objects (GPOs). You can configure auditing to use central access policy staging events to see the effects of changes to central access policies before you apply them.
Before Dynamic Access Control, a CIFS credential included a security principal's (the user's) identity and Windows group membership. With Dynamic Access Control, three more types of information are added to the credential—device identity, device claims, and user claims:
The analog of the user's identity information, except it is the identity and group membership of the device that the user is logging in from.
Assertions about a device security principal. For example, a device claim might be that it is a member of a specific OU.
Assertions about a user security principal. For example, a user claim might be that their AD account is a member of a specific OU.
Dynamic Access Control support includes the addition of three new ACE types defined by Microsoft for security descriptors:
Conditional ACEs can be included in the DACL or the SACL.
Attributes are defined in AD, and are represented as name/value pairs in the ACE. For example, a file can be tagged as being owned by the marketing department using this mechanism. These ACEs are only present in the SACL.
Policy ACEs contain a SID that can be used to look up an access policy that is then used for additional access checks. These ACEs are only present in the SACL. This enables an administrator to change access to a resource with a simple change in Active Directory.
Central access policies for files enable organizations to centrally deploy and manage authorization policies that include conditional expressions using user groups, user claims, device claims, and resource properties.
For example, for accessing high business impact data, a user needs to be a full time employee and only have access to the data from a managed device. Central access policies are defined in Active Directory and distributed to file servers via the GPO mechanism.
Central access policies can be "staged", in which case they are evaluated in a "what-if" manner during file access checks. The results of what would have happened if the policy was in effect and how that differs from what is currently configured are logged as an audit event. In this way, administrators can use audit event logs to study the impact of an access policy change before actually putting the policy in play. After evaluating the impact of an access policy change, the policy can be deployed via GPOs to the desired SVMs.