Add Conditions to Limit File Access Based on CCS Classifications

(Available only in Windows Server 2012)

You can limit access to files based on their CCS classifications. For example, you can choose to grant Write permission to a specific user or group of users only if a file does not contain highly sensitive personal information. You set up conditional access by editing a file's security settings in Windows Explorer.

The following instructions summarize the procedure for setting up conditional file access in Windows Server 2012. For full details, see your Windows documentation.

To limit file access based on CCS classifications for individual users or groups

  1. Right-click a file in Windows Explorer and click Properties.

    The Properties dialog appears.

  2. Go to the Security tab and click the Advanced button.

    The Advanced Security Settings for <MyFile> dialog appears. The Permissions tab shows the existing permissions for each user or group.

  3. Click the Add button.

    The Permission Entry for <MyFile> dialog appears.

  4. Select a principal. That is, specify the user or group.
  5. Set the permission type to 'Allow'.

    Note: You cannot define conditional file access based on a 'Deny' permission type.

  6. Specify the file permissions that you want to allow, such as Modify, Read, or Write.
  7. Click 'Add a condition' to define the conditions under which the user or group is allowed access to the file.
  8. Define the access condition by selecting values from a set of drop-down fields. Windows concatenates these values to construct a Boolean expression.

    For example, you may want to grant Write permission only if the file does not contain highly sensitive personal information. You can define this access condition by selecting the following sequence of values from the drop-down fields:

  9. Click OK to save the permission entry and return to the Advanced Security Settings for <MyFile> dialog.
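The following is an added example, not part of the CCS documentation and not Windows' own access-check code. It is a small simulation of what the procedure above produces: an Allow entry whose rights count only while the Boolean condition built from the drop-down fields holds. The classification property name "Sensitivity", the group "Editors", the file names and the operator labels are assumptions made for the example; the condition is also rendered in the style of an SDDL conditional expression so it can be compared with what an auditing tool would show.

```python
"""Simulation of conditional (Allow-only) file access based on classifications.

Added example for illustration: it is not the Windows access-check
implementation. It models how the condition assembled from the drop-down
fields (Resource / Sensitivity / Not equals / High) decides whether a
conditional Allow entry contributes its rights to an access check.
"""
import operator
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set, Tuple

# Operators of the condition editor (labels assumed): display symbol + function.
OPERATORS: Dict[str, Tuple[str, Callable[[str, str], bool]]] = {
    "Equals": ("==", operator.eq),
    "Not equals": ("!=", operator.ne),
}


@dataclass(frozen=True)
class Condition:
    """One 'Resource <attribute> <operator> <value>' clause from the drop-downs."""
    attribute: str
    op_name: str
    value: str

    def evaluate(self, resource_props: Dict[str, str]) -> bool:
        # Modelling assumption: a file without the classification property
        # cannot satisfy the condition, so the entry simply does not apply.
        actual = resource_props.get(self.attribute)
        return actual is not None and OPERATORS[self.op_name][1](actual, self.value)

    @property
    def text(self) -> str:
        """Readable rendering in SDDL conditional-expression style."""
        symbol = OPERATORS[self.op_name][0]
        return f'(@RESOURCE.{self.attribute} {symbol} "{self.value}")'


@dataclass(frozen=True)
class AllowAce:
    principal: str                         # user or group the entry applies to
    rights: FrozenSet[str]                 # e.g. {"Read"} or {"Read", "Write"}
    condition: Optional[Condition] = None  # None means an unconditional Allow


def access_allowed(acl: Iterable[AllowAce], principal_groups: Set[str],
                   requested: Set[str], resource_props: Dict[str, str]) -> bool:
    """True when every requested right is granted by an applicable entry.

    Only Allow entries exist here, matching the restriction that conditions
    cannot be attached to Deny entries: a false condition withholds a grant
    but never blocks rights that another entry grants.
    """
    granted: Set[str] = set()
    for ace in acl:
        if ace.principal not in principal_groups:
            continue
        if ace.condition is not None and not ace.condition.evaluate(resource_props):
            continue
        granted |= ace.rights
    return set(requested) <= granted


# Constructed sample data: a group ACL and three files whose CCS
# classification is published as the property "Sensitivity" (name assumed).
NOT_HIGHLY_SENSITIVE = Condition("Sensitivity", "Not equals", "High")

SAMPLE_ACL = (
    AllowAce("Editors", frozenset({"Read"})),                          # always
    AllowAce("Editors", frozenset({"Write"}), NOT_HIGHLY_SENSITIVE),   # conditional
)

SAMPLE_FILES: Dict[str, Dict[str, str]] = {
    "budget.xlsx": {"Sensitivity": "High"},
    "newsletter.docx": {"Sensitivity": "Low"},
    "untagged.txt": {},  # classification never ran on this file
}


def editor_can(right: str, filename: str) -> bool:
    """Access decision for a member of Editors against one sample file."""
    return access_allowed(SAMPLE_ACL, {"Editors"}, {right}, SAMPLE_FILES[filename])


if __name__ == "__main__":
    print("Condition:", NOT_HIGHLY_SENSITIVE.text)
    for name in SAMPLE_FILES:
        print(f"{name:16} Read={editor_can('Read', name)!s:5} "
              f"Write={editor_can('Write', name)}")
```

The "untagged.txt" case is the one to watch in practice: in this model a file that has not been classified does not satisfy the condition, so the conditional Write grant never applies to it. Check that classification has actually run over the share before relying on such entries, and remember that a failed condition only withholds that entry's rights; any other Allow entry for the same principal still grants them.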

To limit file access based on classifications across a domain

You can also define file access conditions that are based on Active Directory users and groups. Briefly, in the Active Directory Administrative Center, you can set up dynamic access control for your domain servers. As above, you define access conditions by selecting a sequence of values from drop-down fields. See your Active Directory documentation for details.