2.7.4.1 Convert a SID to/from a Human-Readable Format - Client Application

Note: This use case is applicable only to AD DS; it is not applicable to AD LDS.

This use case describes the translation between the machine-readable and human-readable forms of names.

When an administrator wants to investigate and maintain the security of a directory object, translation between the machine-readable and human-readable forms of names might be required. This translation allows the administrator, via a client application, to secure access to a directory object without the requirement to understand machine-readable names. The client application displays the human-readable names of the security principals in the access control entries (ACEs) that secure the object, which have been translated from SIDs. The administrator specifies human-readable names of security principals when securing the object, which are translated to SIDs.

Goal

Translate an object's SID to or from another format or type of name.

Context of Use

An IT administrator uses a client application to secure access to a directory object. The application displays the human-readable names of the security principals in the ACEs that secure the object. The administrator specifies human-readable names of security principals when securing the object.

Figure 30: Use case diagram for converting a SID to or from a human-readable format

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request for name translation, and returns the result to the administrator.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.

  • Directory server

    The directory server is the supporting actor that receives the translation request and performs the actual translation.

Stakeholders

  • Administrator

    The administrator performs security actions that trigger the requirement for a name translation. The administrator primarily wants to read and provide human-readable names and does not want to understand machine-readable names.

  • Directory

    The directory is the entity that contains the objects being considered by the administrator.

Preconditions

  • The system-wide preconditions described in section 2.6 are satisfied, including completion of the Active Directory system's initialization.

  • The application has network connectivity to a directory server that meets the requirements described in section 2.5, so that it can establish a connection (if it is not already connected) and send the request.

Main Success Scenario

  1. Trigger: Following an administrator action, the client application has to display human-readable names. These names correspond to the SIDs in the access control lists (ACLs) that secure the object with which the administrator is interacting. Alternatively, the administrator provides a human-readable name to the client application, along with credentials, in order to set an ACL on an object. To perform the requested action, the client application has to retrieve the SID of the object that corresponds to that name.

  2. The client application establishes a connection to the directory server. Windows Authentication Services authenticates the client application using the supplied credentials ([MS-AUTHSOD] section 2).

  3. The client application sends a request to the directory server to perform name translation between the SID and the human-readable name of directory objects of interest to the administrator.

  4. The directory server identifies the directory objects for which name translation has to be performed.

  5. From the set of directory objects so identified, the directory server obtains their names in the requested name format.

  6. The directory server sends a response to the client that contains the names in the requested format.

Postcondition

The translated information is available to the client application.

Extensions

  • The SID or the name that is supplied through the client application is malformed, as described in [MS-DTYP] section 2.4.2.3 and [MS-LSAT] section 3.1.4.5, respectively:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application indicating that an invalid parameter was used in the request, as described in [MS-LSAT] sections 3.1.4.5 and 3.1.4.9.

  • No object exists in the directory with the SID or the name provided:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application indicating that no object exists with the SID or the name provided.

  • Not all SIDs in the request could be translated to names:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application indicating that only some of the SIDs were translated to names.

  • Not all names in the request could be translated to SIDs:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application indicating that only some of the names were translated to SIDs.

  • The client does not have the necessary permissions to read the object whose SID or name was supplied:

    1-3. Same as Main Success Scenario.

    4. The directory server sends a response to the client application indicating that it has insufficient access-control rights to perform the name translation.
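The following Python is an added example, not part of this specification and not Microsoft code. It models the two name forms this use case translates between and the outcome classes listed in the Extensions: the machine-readable SID packet and the human-readable "S-1-5-..." string are converted in both directions following the packet layout of [MS-DTYP] section 2.4.2.2 and the string syntax of [MS-DTYP] section 2.4.2.3, a malformed SID is rejected before any lookup (the invalid-parameter extension), and a simulated lookup distinguishes the all-mapped, some-not-mapped and none-mapped responses. The sample directory contents, the `InvalidSidError` class and the function names are constructed for this example; the status strings are modelled on the NTSTATUS names used by [MS-LSAT] but are plain labels here.

```python
import re
import struct

MAX_SUB_AUTHORITIES = 15  # [MS-DTYP]: SubAuthorityCount is at most 15

# Human-readable form: "S-" revision "-" identifier authority, then sub-authorities.
# The identifier authority is decimal, or 0x-prefixed hex when it does not fit in 32 bits.
_SID_RE = re.compile(r"^S-([0-9]+)-(0x[0-9A-Fa-f]+|[0-9]+)((?:-[0-9]+)*)$")


class InvalidSidError(ValueError):
    """Constructed for this example: raised for a malformed SID string or packet."""


def parse_sid(text):
    """Parse the human-readable form into (revision, authority, [sub-authorities])."""
    m = _SID_RE.match(text)
    if not m:
        raise InvalidSidError(f"malformed SID string: {text!r}")
    revision = int(m.group(1))
    auth_text = m.group(2)
    authority = int(auth_text, 16) if auth_text.lower().startswith("0x") else int(auth_text)
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1:
        raise InvalidSidError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise InvalidSidError("identifier authority does not fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise InvalidSidError("too many sub-authorities")
    if any(s >= 1 << 32 for s in subs):
        raise InvalidSidError("sub-authority does not fit in 32 bits")
    return revision, authority, subs


def format_sid(revision, authority, subs):
    """Render the human-readable form; large authorities print as 0x-prefixed hex."""
    auth_text = str(authority) if authority < 1 << 32 else f"0x{authority:X}"
    return "S-" + "-".join([str(revision), auth_text] + [str(s) for s in subs])


def sid_to_bytes(text):
    """Machine-readable packet: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then each SubAuthority as a
    32-bit little-endian integer."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data):
    """Decode a packet back to the human-readable form, rejecting inconsistent lengths."""
    if len(data) < 8:
        raise InvalidSidError("packet shorter than the 8-byte header")
    revision, count = data[0], data[1]
    if revision != 1 or count > MAX_SUB_AUTHORITIES:
        raise InvalidSidError("bad revision or sub-authority count")
    if len(data) != 8 + 4 * count:
        raise InvalidSidError("packet length does not match SubAuthorityCount")
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack(f"<{count}I", data[8:]))
    return format_sid(revision, authority, subs)


# Constructed sample directory (SID string -> human-readable principal name).
# The domain sub-authorities below are made up; nothing here is a real domain.
SAMPLE_DIRECTORY = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-21-1111111111-2222222222-3333333333-512": "CONTOSO\\Domain Admins",
    "S-1-5-21-1111111111-2222222222-3333333333-1108": "CONTOSO\\alice",
}


def lookup_sids(sids, directory=SAMPLE_DIRECTORY):
    """Simulated SID-to-name request. Returns (status, {sid: name or None}).
    Every SID is validated first, so one malformed SID fails the whole request
    (the invalid-parameter extension) rather than producing a partial result."""
    canonical = [format_sid(*parse_sid(s)) for s in sids]
    results = {s: directory.get(s) for s in canonical}
    mapped = sum(1 for name in results.values() if name is not None)
    if mapped == len(results):
        status = "STATUS_SUCCESS"            # every SID translated
    elif mapped:
        status = "STATUS_SOME_NOT_MAPPED"    # only some SIDs translated
    else:
        status = "STATUS_NONE_MAPPED"        # no object exists for any SID
    return status, results


def lookup_names(names, directory=SAMPLE_DIRECTORY):
    """Simulated name-to-SID request, the reverse direction, with the same outcome classes."""
    by_name = {name: sid for sid, name in directory.items()}
    results = {n: by_name.get(n) for n in names}
    mapped = sum(1 for sid in results.values() if sid is not None)
    if mapped == len(results):
        status = "STATUS_SUCCESS"
    elif mapped:
        status = "STATUS_SOME_NOT_MAPPED"
    else:
        status = "STATUS_NONE_MAPPED"
    return status, results


if __name__ == "__main__":
    packet = sid_to_bytes("S-1-5-32-544")
    print(packet.hex(), "->", sid_from_bytes(packet))
    print(lookup_sids(["S-1-5-32-544", "S-1-5-21-1111111111-2222222222-3333333333-9999"]))
```

The validation in `parse_sid` is where a client would catch the malformed-input extension locally, before a request is sent; the status returned by `lookup_sids` is what an application has to branch on, because a "some not mapped" result still carries the names that were resolved and must not be treated as a total failure.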