Effective Permissions Report with DAC - JiJi AuditReporter

 Active Directory, Exchange On premises
Jan 10 2013


Dynamic Access Control (DAC), introduced in Windows Server 8, is a useful provision for security management. Previous versions of Windows enforced file and folder security by granting access directly to users and groups, so many security groups had to be created and managed to offer access. With DAC, administrators can add conditional expressions based on AD attributes to grant permissions, which considerably reduces the complexity of group management. Dynamic Access Control can be applied in addition to any existing share and NTFS permissions, enforcing centrally governed rules. It is one of the key components of Active Directory in Windows Server 8.

Claims / Resources

Claims-based authorization was used earlier in Active Directory Federation Services (ADFS) and Windows Identity Foundation (WIF). In a similar fashion, DAC applies claims-based authorization with AD attribute values as claims. These claims can be used in a Central Access Policy to define the conditions for access. You can set claims for both users and devices, for example "user.department == Finance" and "device.managed == true". The other exclusive feature of Server 8 that attracts everyone is the ability to classify files and folders by tagging them with resource properties, so access can also be controlled by the properties of the resource. You can now write a condition like "resource.country == US" and "user.department == Finance".

JiJi AuditReporter - Effective Permissions Report

JiJi AuditReporter is an auditing tool that supports Windows Server 8 and generates an effective permissions report for a set of users on one or more shares. Effective access permissions are calculated by taking into account the existing share and NTFS permissions, Dynamic Access Control (DAC) and the Central Access Policy (CAP). The report therefore displays the resultant access permissions for the users on the shares.
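The following added example (not JiJi AuditReporter's code and not the Windows access-check algorithm) models how the claim conditions quoted under Claims / Resources combine with share and NTFS permissions into one effective result. It assumes a simplified model: rights are plain sets, there are no deny entries, and the names `effective_rights`, `rule_rights`, `matches` and `POLICY` are hypothetical.

```python
# Simplified model (assumption): rights are sets, a condition is a dict of
# claim name -> required value, and every claim in a condition must match.
READ, WRITE, MODIFY = "Read", "Write", "Modify"

def matches(condition, claims):
    """True when every claim the condition names has the required value.
    A claim missing from the token never matches, so the check fails closed."""
    return all(claims.get(name) == value for name, value in condition.items())

def rule_rights(rule, claims):
    """Rights one policy rule allows, or None if it does not target the resource."""
    if not matches(rule["target"], claims):
        return None
    allowed = set()
    for entry in rule["entries"]:
        if matches(entry["condition"], claims):
            allowed |= entry["rights"]
    return allowed

def effective_rights(share, ntfs, policy, user, device, resource):
    """Intersect share rights, NTFS rights and every applicable policy rule."""
    claims = {f"user.{k}": v for k, v in user.items()}
    claims.update({f"device.{k}": v for k, v in device.items()})
    claims.update({f"resource.{k}": v for k, v in resource.items()})
    result = set(share) & set(ntfs)
    for rule in policy:
        allowed = rule_rights(rule, claims)
        if allowed is not None:  # rules that do not target the resource are skipped
            result &= allowed
    return result

# Constructed sample policy built from the conditions quoted in the text.
POLICY = [{
    "target": {"resource.country": "US"},
    "entries": [
        {"condition": {"user.department": "Finance", "device.managed": True},
         "rights": {READ, WRITE}},
        {"condition": {"user.department": "Finance"}, "rights": {READ}},
    ],
}]
```

A user whose claims satisfy no entry of an applicable rule ends up with an empty set, even when the share and NTFS permissions alone would grant access.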

Some of the nice features of Effective Permissions Report are:

  • Effective permissions for a set of users on a set of shares are calculated in one go.
  • User's claims are automatically retrieved from Active Directory attributes for effective permission calculation.
  • The generated report can be switched between Advanced Permission View and Basic Permission View.
  • The generated report can be filtered as in Microsoft Excel.
  • The generated report can be exported to PDF/HTML/Excel.

The screenshot below shows how administrators can provide multiple users and multiple shares to generate the Effective Permissions Report. Here the administrator has a folder option to generate the Effective Permission Report for the top-level folder only or down to a given 'n' levels. The administrator also has an option to exclude the files in the folders.

Effective Permission Report

The screenshot below shows part of the generated Effective Permission Report.

Effective Permission Report

The administrator can group the generated report by any of the columns as shown below (Grouped by share path and user name).

Effective Permission Report

This grouped report is the same as the one in the Windows Server 8 Effective Permission Security Properties tab.
The report above is shown with the Advanced Permissions set. The administrator can also switch to the Basic Permissions set, as shown below.

Effective Permission Report

In the generated report, we can filter on multiple columns, as in Microsoft Excel.

Effective Permission Report