Who is AzMan

Welcome to the Authorization Manager Team Blog. If you’re not familiar with Authorization Manager (AzMan), it is the Role-Based Access Control (RBAC) model originally provided in Windows Server 2003. It has since been made available on XP via the Windows Server 2003 Administration Pack for XP (this is for administration or development on XP; see the Microsoft Download Center and search for "Administration Pack") and on Windows 2000 via a web download (see the Microsoft Download Center and search for "AzMan").

 

Authorization Manager is there to help application developers and admins in the following ways (for those of you who haven’t seen this before):

 

Common RBAC Administration

An easy to use common role-based administrative experience; administrators learn fewer authorization models and require less training.

Role-based Development Framework

Easy to integrate with native or managed apps, provides broad RBAC management and enforcement functionality.

Flexible Authorization Rules

Ability to define membership through dynamic ldap queries or custom BizRules.

Centralized Administration

Multiple applications can be managed centrally and leverage common application groups.

Flexible Storage Options

Ability to store policy in Active Directory, XML files or SQL Server (SQL Server storage is new as of Windows Vista Beta 2).

Platform Integration and Alignment

Support for platform features such as Active Directory groups, Windows security auditing, and MMC. Assurance of proper integration of system access control objects such as the NT access token and better alignment for future Windows access control features such as provisioning and entitlement engines.

Reduced Software Development and Maintenance Costs

Developers avoid the expense or trade-offs of custom access control. AzMan does the expensive work of a full-featured authorization solution; including: a complete RBAC model, policy storage (AD, SQL, or XML), an MMC user interface, built-in application group support, rule and query support, integrated system auditing, and performance optimizations such as caching and late-binding.


Enhanced Security

Platform technologies are rigorously tested, broadly used and continually refined. A common RBAC model leverages administrators' existing knowledge, resulting in fewer access control mistakes.

 

AzMan has seen good uptake, particularly in line-of-business (LOB) apps.

 

For some case studies check out:

Israel Court House:

https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=13419&LanguageID=1&PFT=Microsoft%20Windows%20Server%202003&TaxID=20106

 

and Lighthouse International:

https://download.microsoft.com/documents/customerevidence/20836_AzMan_Case_Study_Lighthouse_Final.doc

 

 

The plan is to use this blog to get the FAQ info out and give AzMan news as soon as it’s available. Fire away if you have questions, though check out the current set of AzMan docs first. Here is some dev-oriented material:

Authorization Manager Whitepaper

Platform SDK Documentation

MSDN: AzMan Overview

MSDN: AzMan BizRules

MSDN: AzMan Dynamic Groups

DEV: Programmable Architecture Guide (PAG): Authorization and Profile Application Block

DEV: Keith Brown MSDN Article (Sample included): Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager

Server Watch Tutorial: Exploring Windows 2003 Security: Authorization Manager

 

-Dave McPherson

Comments

  • Anonymous
    May 09, 2006
    Good article, and I hope this is the first of a long sequence...
    I have been using AzMan (for our Enterprise Framework) for 2 years and I'm very glad to see that there is development on this tool.
    A little question...
    I didn't understand the reason why there is no plan to write AzMan in native .NET managed code. I think that a port to managed code would increase its adoption.

  • Anonymous
    May 10, 2006
    Hi Catho,

    Thanks for the feedback. We are working on plans to provide a genuine managed OM for AzMan. Unfortunately, the timeframe is, however, post-LH Server. We are providing some new interfaces (such as a new AccessCheck) in Vista that help make the interop more friendly.

    Thanks,
    Dave

  • Anonymous
    May 10, 2006
    Hi Dave,
    thanks for the reply. I have another question: are there plans to provide the new functionality (SQL storage, new interfaces for access check, improvements on LDAP query groups, and so on...) included in Vista on Windows Server 2003?

  • Anonymous
    May 11, 2006
    The comment has been removed

  • Anonymous
    May 23, 2006
    Hi. I'm having problems with an authorization store role provider that I'm using in my web site. The problem is the updating of the roles cookie. For example, if I query the existing roles in the AzMan store I get the full list in the XML file (OK so far), but if I create a role programmatically or add a user to a role or do anything else related to writing or modifying the file, I don't get the changes at the moment, not even if I close the page and restart it again! Actually, if I modify the AzMan store through the AzMan console and run the web site project, I get the previous values from before the changes. In fact, the only way I've found for the list of roles to be updated is by modifying the web.config file (for example, by inserting a white space anywhere in the file) and running the project again.
    This is the configuration I have:

    <roleManager enabled="true"
                 cacheRolesInCookie="false"
                 defaultProvider="RoleManagerAzManProvider"
                 cookieName=".ASPXROLES"
                 cookiePath="/"
                 cookieTimeout="1"
                 cookieRequireSSL="false"
                 cookieSlidingExpiration="false"
                 createPersistentCookie="false"
                 cookieProtection="All">
      <providers>
        <add connectionStringName="LocalPolicyStore"
             applicationName="Logica"
             name="RoleManagerAzManProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

    If you could help me I would appreciate it a lot. Thanks for your time.

  • Anonymous
    May 23, 2006
    The comment has been removed

  • Anonymous
    May 23, 2006
    About Hugo.Vallejo's question,

    As David explained, AzMan loads the full store into the cache. In the case of the RoleProvider, IIS will load the full store into the cache and IIS has to call UpdateCache to reload the store into the cache. IIS does this depending on the "cacheRefreshInterval" that you can set in your web.config file. But the minimum value that you can set for this attribute is 1 (1 min). So there is no way to reflect your changes immediately other than changing your config file or restarting IIS etc., which will invalidate your cache.

    Thanks,
    Sudheer.

  • Anonymous
    May 24, 2006
    The comment has been removed

  • Anonymous
    May 24, 2006
    For navigation controls see the following -

    ASP.NET Site-Map Security Trimming  
    http://msdn2.microsoft.com/en-us/library/ms178428(VS.80).aspx

    Walkthrough: Filtering Site-Map Nodes Based on Security Roles  
    http://msdn2.microsoft.com/en-US/library/ms178428.aspx


    If you create a role with any approach and/or call AddUserToRole(userName, roleName) through the provider or assign the user to a role via the MMC, you will require sufficient time for the cache to refresh. You may consider changing your AzMan policy store to ADAM or AD, which would not load the whole store into memory from the start, but afterwards you will still need to consider caching. The other approach to gain fine-grained and full control is to utilize the API directly. See step 7 in How To: Use Authorization Manager (AzMan) with ASP.NET 2.0 - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000019.asp

    Regards,
    David Crawford [MSFT]
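The direct-API route mentioned in the reply above (step 7 of the How To) looks roughly like the following. This is an added example, not code from the original post or from the AzMan documentation. It opens an XML store once per process through the azroles.dll COM interop (the AZROLESLib namespace), calls UpdateCache so that changes submitted by azman.msc or another writer become visible without touching web.config, and runs a single AccessCheck for the calling Windows identity. The store path msxml://C:\Policies\Logica.xml, the application name "Logica", the audit object name and the operation ID are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using AZROLESLib;   // COM reference to azroles.dll (assumed to be added to the project)

public static class AzManDirect
{
    // Assumed store location and application name; adjust for your store.
    const string StoreUrl = "msxml://C:\\Policies\\Logica.xml";
    const string ApplicationName = "Logica";

    // The store object is created once per process: Initialize loads the whole
    // XML file into memory, so re-opening it on every request is the expensive path.
    static readonly AzAuthorizationStoreClass Store = OpenStore();

    static AzAuthorizationStoreClass OpenStore()
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);   // 0 = runtime use, no create/batch flags
        return store;
    }

    // Reloads the in-memory copy of the policy. Call this after azman.msc or a
    // custom UI has submitted changes; the ASP.NET role provider only does this
    // on its cacheRefreshInterval (minimum one minute).
    public static void Refresh()
    {
        Store.UpdateCache(null);
    }

    // Returns true when the current Windows identity is granted operationId.
    // Pass "" as scopeName to check at application level.
    public static bool CanPerform(string scopeName, string auditObjectName, int operationId)
    {
        IAzApplication app = Store.OpenApplication(ApplicationName, null);

        // A token-based client context avoids the SID/name lookup paths that
        // differ between Windows 2000, XP and WS03 domain controllers.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        IAzClientContext ctx = app.InitializeClientContextFromToken(
            (ulong)caller.Token.ToInt64(), null);

        object[] scopes = new object[] { scopeName };
        object[] operations = new object[] { operationId };

        // The interop exposes all eight AccessCheck parameters; pass null for
        // the BizRule parameter and interface arrays when they are unused.
        object[] results = (object[])ctx.AccessCheck(
            auditObjectName, scopes, operations, null, null, null, null, null);

        // One entry per requested operation: 0 is granted, 5 (ERROR_ACCESS_DENIED) is denied.
        return (int)results[0] == 0;
    }

    static void Main()
    {
        Refresh();
        Console.WriteLine(CanPerform("", "ViewReport", 1) ? "granted" : "denied");
    }
}
```

Keeping the store object process-wide and calling Refresh from whatever code path writes to the policy (your own admin page, or a timer if the MMC is the writer) is what removes the "edit web.config to see my change" workaround; the access check itself still runs against the cached copy, so the refresh must happen before the check.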

  • Anonymous
    June 19, 2006
    The comment has been removed

  • Anonymous
    June 20, 2006
    The comment has been removed

  • Anonymous
    June 20, 2006
    Hi Hugo,
      Many thanks for your detailed response.

    But the roles at app level are not created using CreateTask method. We have created some of the operations and role definitions in app level using the UI azman.msc.

    So to begin with, We have set of roles defined at the application level and each role has some list of operations. (This is NOT DONE programmatically due to our project requirements)

    Our application creates new scopes through code programmatically. We have a requirement to 'assign' an existing role defined at the application level to the newly created scope through code.

    In short, we never create roles through code, but we do create scopes and assign existing roles to the newly created scope.

    Your help is much appreciated.

  • Anonymous
    June 20, 2006
    Hi cbekarthik,

    When you created the role definitions via the UI, the UI code actually created tasks with the special IsRoleDefinition property set to true, as Hugo describes.

    So to assign one of those role definitions (specially marked tasks) in a scope, you need to create a role assignment (IAzScope::CreateRole) in the scope and then assign the role definition (the specially marked task) to that role; for example, if the role definition is called Submitter, you’d create the role assignment and then add the task like so: SubmitterRole.AddTask("Submitter").

  • Anonymous
    June 20, 2006
    Hi Dave,
      Thanks for your reply.  I was able to achieve the desired result with the help of your suggestion.

  • Anonymous
    June 20, 2006
    Hi cbekarthik.

    It actually doesn't matter how you define the roles at the app level. You have defined the roles and added some operations to them. At the scope, as in the code I wrote before, you must use the CreateRole method for the scope object and that's it. In my project I also have some app roles created through the UI and some others programmatically. I define scopes for the app and then assign them to a scope using CreateRole for the scope.

  • Anonymous
    June 20, 2006
    Hi Hugo,
       Thanks for your response. CreateRole, to create a role assignment, is not an issue. It's quite fine.
    But adding a role definition using the AddTask() method is the real key.

    I was misled by certain method names.

    For e.g., there is a role definition at the app level, say "MyRole".
    But if I try using app.OpenRole("MyRole", null), it throws an exception. You can open this using app.OpenTask("MyRole", null).

    I believe that from the AzMan perspective, OpenRole and CreateRole deal with just role assignments and not role definitions.

    May be as Dave said, in Azman a role definition is a specially marked task but not a role (!!)

  • Anonymous
    June 20, 2006
    Yes, this is very confusing, as the AzMan UI and APIs do not use the same names. To avoid this confusion, in the latest version of AzMan coming in Vista, we added new APIs to align with the AzMan UI terms, like CreateRoleDefinition, CreateRoleAssignment etc.

  • Anonymous
    June 27, 2006
    The authorization model is another new feature in the Commerce Server 2007 catalog system which...

  • Anonymous
    August 11, 2006
    The comment has been removed

  • Anonymous
    August 30, 2006
    There are some known differences between some underlying APIs on Win2K, XP and WS03. One area which has undergone much flux in each of these releases is the name lookup API. Depending on your environment, things like which versions of the DCs you are using and whether or not the domain is in native mode and at WS03 functional level, the lookup APIs take different paths (these are the primary reason for limiting the support of AzMan on XP to administration and development and not deployment). My recommendation would be to do a test with accounts on a WS03 DC and you can hopefully avoid this; you should not have this problem in deployment on WS03 machines (if this is the cause of the problem).

    If you are using IAzApplication::InitializeClientContextFromSid you may be able to switch to IAzApplication::InitializeClientContextFromToken, which is faster and avoids lookup issues which can be very unique to each environment. Check out the latest whitepaper's comments on this. The whitepaper can be found at:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManApps.asp

  • Anonymous
    September 25, 2006
    Hi Dave, I got some questions about AzMan and I didn't find any forum where I can post my questions!

    Can you give some direction? My problem is that we're developing an application with AzMan we got some questions about AzMan on Vista, Authorization Script etc.

    Se ya and thank you!

    Chilá!

  • Anonymous
    October 04, 2006
    Hi Chilá,

    What's your question? There are a few articles on BizRules/Authorization scripts out there. In Vista they don't change much, except that you can create a group with a BizRule script, and the mechanism for passing the parameters to BizRule scripts can be done a bit more cleanly if you wish.

    Thanks,
    Dave

  • Anonymous
    October 07, 2006
    The authorization model is another new feature in the Commerce Server 2007 catalog system which allows

  • Anonymous
    November 21, 2006
    I am having problems when creating roles and scopes programmatically. I found the post explaining that a role definition is a task and have now succeeded in creating new scopes with roles that follow the role definitions. The only problem I am experiencing is that operations I created long ago using the Authorization Manager UI, before I built my own UI, have to be redefined in the Authorization Manager UI to work properly. Otherwise CheckAccess returns 0 even though the operation is not assigned to the role. Is anyone else having the same problem? As soon as I remove the "old" operation and create a new one with the same name and operation number, CheckAccess returns the correct result. It's not a show stopper but it feels a bit unstable and I am starting to worry about what will happen when I have deployed to the production server..... Anyone who has thoughts and ideas, please share them....

  • Anonymous
    December 11, 2006
    Hi Rosjon,

    I think I get the problem, but this statement confuses me: "Otherwise the Checkaccess returns 0 even though the operation is not assigned to the role." By "Checkaccess returns 0" do you mean that the results array from check access contains no operations (which would be expected if there are none assigned to the role), or do you mean that you're getting null or zero for the result array?

    FWIW, I haven't seen this problem before. I can imagine a scenario where a custom UI is not calling the Submit method after creating the operation, so they never actually get created and are not visible in the app or AzMan UI, but if you've restarted your custom UI you'd see that they're gone. Alternatively something may appear like this if you inadvertently have two stores and one UI is editing one and the other UI is editing the other.

    HTH,
    Dave

  • Anonymous
    January 05, 2007
    Hi

    I have been using Authorisation Manager for a while (in .NET). Now I wanted to test my application on Vista and some functions no longer work. I can still enumerate operations, but performing the CheckAccess returns errors I never had on XP, e.g.:

    ...
    theContext = AppInStore.InitializeClientContextFromName(_UserName)
    Dim ObjOperations(1) As Object
    ObjOperations(0) = CType(OperationID, Object)
    Dim objResult() As Object
    objResult = CType(theContext.AccessCheck(OperationName, ObjScopes, ObjOperations), Object())

    I get errors like:

    System.ArgumentException: Value does not fall within the expected range.
    at AZROLESLib.IAzClientContext.AccessCheck(String bstrObjectName, Object varScopeNames, Object varOperations, Object varParameterNames, Object varParameterValues, Object varInterfaceNames, Object varInterfaceFlags, Object varInterfaces)

    Do I need a new azroles.dll and Interop.AZROLESLib.dll? If so, where can I find this? Any other ideas?

    Thanks
    Dirk

  • Anonymous
    January 09, 2007
    Hi Dirk,

    No new AzMan AccessCheck error code scenarios should exist on Vista for running code that didn't have them on WS03. My first thought is to make sure the store is ported or recreated accurately. Another long shot may be that variable initialization or some other memory bug could be happening differently, corrupting something; this may make AccessCheck throw an error where it previously didn't. Again, that's a long shot. You could check the values going into AccessCheck to make sure that at least the params are going in the same way.

    FYI, check out the IAzClientContext3::AccessCheck2 method on Vista.

    HTH,
    Dave

  • Anonymous
    January 09, 2007
    Thank you for the reply. I have it working now (on both XP/Vista), using all params:

    objResult = CType(ContextuserX.AccessCheck(OperationName, ObjScopes, ObjOperations, Nothing, Nothing, Nothing), Object())

    ==> it seems the optional params need to be filled in for Vista.

    Thanks for pointing to the new methods in Vista!

    1 remark: I lost a lot of time searching for the AzMan tools update on the internet for the Vista PC, until I noticed that the new DLLs are installed by default on the Vista PCs. I think others will have similar problems.

  • Anonymous
    March 07, 2007
    The comment has been removed

  • Anonymous
    March 12, 2007
    Hi milecker,

    Check out the Using Authorization Manager with Custom Principals section in the whitepaper (http://msdn2.microsoft.com/en-us/library/aa480244.aspx) for the story on custom principals. It's possible in WS03 and gets somewhat better in Vista.

  • Anonymous
    March 22, 2007
    I have a problem when I try to programmatically delete and create an application with the same name in a store. The application "ABC" already exists in an LDAP store and I want to delete this application and create a new application with the same name "ABC". To do this, I open the store like this:

    destStore.Initialize(4, destUrl, null);
    destStore.Submit(0, null);

    Then, I delete the "ABC" application from the store:

    destStore.DeleteApplication("ABC", null);
    destStore.Submit(0, null);

    After this, if I check in the store, the "ABC" application is correctly deleted (destStore.Applications.Count = 0). Finally, I try to create a new application with the same name "ABC":

    IAzApplication destApplication = null;
    destApplication = destStore.CreateApplication("ABC", null);

    And this code raises an exception on CreateApplication:

    "Cannot create a file when that file already exists. (Exception from HRESULT: 0x800700B7)"

    I don't understand my error because I do a Submit after DeleteApplication.

    Thx

  • Anonymous
    April 16, 2007
    Hi everyone.

    Last year I created an application (.NET 2.0) that uses AzMan (azroles.dll) to perform access checks. I'm wondering how this application would work on Windows Vista. Am I able to deploy this application and expect that it works fine? I don't have Vista installed yet, but a co-worker told me that some tests using AzMan on Vista always denied a user access to an operation. Is there any consideration we have to take into account before deploying the application?

    Thanks a lot

  • Anonymous
    April 16, 2007
    Would you provide more details - what kind of app, store schema version 1.0 or 2.0, what is the topology (local user/domain user/trusted/shadow), where and what is the store, how are you initializing your client context/what AuthN, what other characteristics can you provide? Without knowing anything about your application, I would recommend that you test your application for any target OS before releasing it. AzMan-specific: make sure that if you are using BizRules you enable them in Vista. There are implications with UAC that you should pay attention to with your applications targeting Vista.

    Regards,
    David

  • Anonymous
    April 25, 2007
    Hi David, thanks for your answer and sorry for the delay.

    Well, I have to say that after installing Vista and testing the .NET application, everything works fine. However, we have an old Visual Basic 6 application that some small clients still use and it references azroles.dll. This particular application failed when calling the AccessCheck method, but this won't be a problem because the application was marked as obsolete and it is in the updating process right now.

    Thanks for your comment.
    Hugo

  • Anonymous
    June 04, 2007
    Regarding the 0x80020006 (DISP_E_UNKNOWNNAME) problem: it has to do with a versioning problem in azroles.dll. If you use version 1.001 (203 KB) it doesn't work. I have tried version 5.2.3790.1830 and it works. Try a reinstall using the following instructions: http://msdn2.microsoft.com/en-us/library/ms998336.aspx

    Good luck

  • Anonymous
    June 25, 2007
    Hi everyone.

    I'm having problems checking access using AzMan from Windows XP client stations looking at an authorization store saved in a public folder on a Windows 2000 server; all stations are part of a domain. However, after working fine for a while, some access checks always return access denied for any operation in the authorization store. This is kind of weird, because if any client station is removed from the domain and then added again the access checks work fine again, although not in all cases. The problem with this architecture is that client stations do the actual access check by invoking azroles.dll and looking for the public file of the authorization store, so we have to ensure that all the stations are using the same version of the azroles library, which is 5.2.3790.1830.

    Another thing is that access checks fail for users already in the domain, but if we create another user account and check the permissions it works fine. Does anyone know something about this behavior?

    Thanks a lot

  • Anonymous
    July 16, 2007
    Hi Dave,

    We are using AzMan in our web application for profile management. The scenario is like this... First we define 3 predefined scopes, say for example superadmin, admin and normaluser, through the azman.msc console. Initially we are storing them in an XML store.

    From the web form we need to retrieve the three profiles by using our custom developed AzMan wrapper class and display all the related tasks and operations for a selected profile (scope). Here the user can add a new profile based on an already existing profile, and view, modify and delete the profile. At the time of adding, modifying and deleting a profile we add, modify or delete a profile in our profile table in SQL Server. Apart from the profile (i.e. scope) we are not storing any other details.

    From the user management module in our application we query AD to get a list of users and the list of profiles from the profile table (the profile table contains the scope name stored in our XML AzMan store). Here we associate a user with a profile. This info is stored in the user table.

    Whenever the user logs in to our system, first we authenticate based on his username and password. During authorization we check whether he is authorized to access the page based on the scope associated with the user.

    My problem is that I am not able to get the list of tasks and operations associated with a scope using the AzMan API. Put another way, the client needs a web-based AzMan console.

    Your help is very much appreciated.

    Thanks,
    Regards
    Prabhu

  • Anonymous
    July 16, 2007
    Hi,

    I am having some more doubts. I had created the following operations: opAdd, opDelete, opModify. I created two tasks, namely LocationType and LocationChannel. [Associated opAdd and opDelete to the LocationType task.] [Associated all three operations to the LocationChannel task.] I created a role definition named "SuperAdmin" and added the above two tasks to this role. I created a scope named "SA" and assigned the "SuperAdmin" role created at the application level to this scope.

    Questions:

    How can I retrieve the list of task names associated with the above role using the AzMan API in C#?
    How can I retrieve the list of task names associated with the above scope using the AzMan API in C#?

    Thanks,
    Regards
    Prabhu
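As an added example answering the two questions above (not code from the original post or from the AzMan documentation), the following walks the policy through the azroles.dll interop (AZROLESLib). The role definition "SuperAdmin" is opened as a task, since that is how azman.msc stores a role definition, and its task list and the operations reachable through nested tasks are collected; the scope "SA" is opened and the task list of each of its role assignments is read. It assumes that all tasks and role definitions live at the application level, as described in the question, and that the store is at msxml://C:\Policies\Profiles.xml with an application named "Profiles" (both assumed names).

```csharp
using System;
using System.Collections.Generic;
using AZROLESLib;   // COM reference to azroles.dll (assumed to be added to the project)

public static class PolicyBrowser
{
    // Task names directly attached to a role definition. A role definition
    // created in azman.msc is a task with IsRoleDefinition set, so it is
    // opened with OpenTask; OpenRole only finds role assignments.
    public static List<string> TasksOfRoleDefinition(IAzApplication app, string roleDefinitionName)
    {
        IAzTask definition = app.OpenTask(roleDefinitionName, null);
        return ToStrings(definition.Tasks);
    }

    // All operations reachable from a task, following nested tasks. 'visited'
    // guards against a task that directly or indirectly contains itself.
    public static void CollectOperations(IAzApplication app, string taskName,
                                         HashSet<string> operations, HashSet<string> visited)
    {
        if (!visited.Add(taskName)) return;
        IAzTask task = app.OpenTask(taskName, null);
        foreach (string op in ToStrings(task.Operations)) operations.Add(op);
        foreach (string child in ToStrings(task.Tasks))
            CollectOperations(app, child, operations, visited);
    }

    // Task names referenced by each role assignment in a scope. When the scope
    // was assigned an application-level role definition, that definition's
    // name appears here and can be expanded with CollectOperations.
    public static Dictionary<string, List<string>> TasksByAssignmentInScope(IAzApplication app, string scopeName)
    {
        IAzScope scope = app.OpenScope(scopeName, null);
        Dictionary<string, List<string>> map = new Dictionary<string, List<string>>();
        foreach (IAzRole assignment in scope.Roles)
            map[assignment.Name] = ToStrings(assignment.Tasks);
        return map;
    }

    // The interop hands back task and operation name lists as a VARIANT array
    // of BSTRs (object[] holding strings), or null when the list is empty.
    static List<string> ToStrings(object variantArray)
    {
        List<string> names = new List<string>();
        object[] raw = variantArray as object[];
        if (raw != null) foreach (object o in raw) names.Add((string)o);
        return names;
    }

    static void Main()
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, "msxml://C:\\Policies\\Profiles.xml", null); // assumed path
        IAzApplication app = store.OpenApplication("Profiles", null);      // assumed name

        Console.WriteLine("Tasks in SuperAdmin: " +
            string.Join(", ", TasksOfRoleDefinition(app, "SuperAdmin").ToArray()));

        HashSet<string> ops = new HashSet<string>();
        CollectOperations(app, "SuperAdmin", ops, new HashSet<string>());
        Console.WriteLine("Operations reachable from SuperAdmin: " +
            string.Join(", ", new List<string>(ops).ToArray()));

        foreach (KeyValuePair<string, List<string>> kv in TasksByAssignmentInScope(app, "SA"))
            Console.WriteLine("Scope SA, assignment " + kv.Key + ": " + string.Join(", ", kv.Value.ToArray()));
    }
}
```

For the policy described in the question, TasksOfRoleDefinition returns LocationType and LocationChannel, CollectOperations resolves those to opAdd, opDelete and opModify, and the "SA" scope shows one assignment whose task list contains "SuperAdmin". A web-based console built on these calls should open the store with the application pool identity, not the browsing user, and should never expose the raw store path to the client.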

  • Anonymous
    October 17, 2007
    Hi, I have a question. How do I assign a task to a role? I'm using this code:

    IAzRole AzRole = AzManApp.OpenRole(strRole, null);
    AzRole.AddTask(strTaskName, null);
    AzRole.Submit(0, null);

    but I cannot find the assigned task in the role property in the Role Definitions folder; instead it can be found in the role property in the Role Assignments folder. My question is: is there a way I could use to add a task to a role so that it displays in the role property in the Role Definitions folder? Could anyone help?
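Putting together the earlier exchange about scopes (a role definition is a task with IsRoleDefinition set; OpenRole and CreateRole deal only with role assignments) and the question just above, here is an added example rather than anything from the original post or the AzMan documentation. Using the azroles.dll interop (AZROLESLib), it creates a scope when needed, creates a role assignment in that scope, attaches the application-level role definition to the assignment with AddTask, and adds a member; the second method is the answer to the AddTask question: a task that should show up under the Role Definitions folder is added through OpenTask on the definition, because OpenRole reaches a role assignment instead. The store path, application, scope, role, task and member names are assumptions.

```csharp
using System;
using AZROLESLib;   // COM reference to azroles.dll (assumed to be added to the project)

public static class RoleAssignments
{
    // True if the named application-level task was created as a role
    // definition (azman.msc sets IsRoleDefinition on it). Convert.ToBoolean
    // works whether the interop exposes the property as int or bool.
    public static bool IsRoleDefinition(IAzApplication app, string name)
    {
        IAzTask task = app.OpenTask(name, null);
        return Convert.ToBoolean(task.IsRoleDefinition);
    }

    // Opens scopeName, creating and submitting it when it does not exist yet.
    public static IAzScope OpenOrCreateScope(IAzApplication app, string scopeName)
    {
        foreach (IAzScope existing in app.Scopes)
            if (existing.Name == scopeName) return existing;
        IAzScope scope = app.CreateScope(scopeName, null);
        scope.Submit(0, null);
        return scope;
    }

    // Creates a role assignment in the scope, links it to the application-level
    // role definition, and adds one member by account name.
    public static IAzRole AssignRoleDefinitionInScope(IAzApplication app, string scopeName,
                                                      string roleDefinitionName, string memberName)
    {
        if (!IsRoleDefinition(app, roleDefinitionName))
            throw new ArgumentException(roleDefinitionName + " is a plain task, not a role definition");

        IAzScope scope = OpenOrCreateScope(app, scopeName);
        IAzRole assignment = scope.CreateRole(roleDefinitionName, null); // a role assignment, not a definition
        assignment.AddTask(roleDefinitionName, null);    // attach the definition (a task) to the assignment
        assignment.AddMemberName(memberName, null);      // e.g. "CONTOSO\\jdoe" (assumed account)
        assignment.Submit(0, null);                      // nothing is persisted until Submit
        return assignment;
    }

    // Adds a task to the role definition itself, which is what the MMC's
    // Role Definitions folder displays. Going through OpenRole would modify
    // a role assignment and show up under Role Assignments instead.
    public static void AddTaskToRoleDefinition(IAzApplication app, string roleDefinitionName, string taskName)
    {
        IAzTask definition = app.OpenTask(roleDefinitionName, null);
        definition.AddTask(taskName, null);
        definition.Submit(0, null);
    }

    static void Main()
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, "msxml://C:\\Policies\\Logica.xml", null); // assumed path
        IAzApplication app = store.OpenApplication("Logica", null);      // assumed name

        AssignRoleDefinitionInScope(app, "Project42", "Submitter", "CONTOSO\\jdoe");
        AddTaskToRoleDefinition(app, "Submitter", "ApproveDocument");
    }
}
```

The IsRoleDefinition check at the top matters for least privilege: AddTask will happily attach any task to an assignment, so without the check a misspelled or wrong name silently grants whatever that task contains rather than the intended role.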

  • Anonymous
    November 09, 2007
    I am using AzMan as the role security for a Web Service. We have been having issues with our web service randomly crashing. After a great deal of debugging I finally tracked it down to the AzAuthorizationStoreClass.Initialize call in my program, as it caused a Stack Overflow error.

    What our code does is create an AzMan manager class for each user; this class contains an AzAuthorizationStoreClass for the current store, an IAzApplication for the current application, and an IAzClientContext, the client's context to the application. It appears that we do not have any issues when we are running under one thread. But our test plans utilize multiple threads to simulate multiple users. After adding some unrelated code (which was heavily debugged) we have noticed a significant number of failures on our threading tests.

    Is the AzAuthorizationStoreClass.Initialize call thread safe? Or is there any way that a stack overflow can be generated from it that you know of?

    Here is the code we use for initializing the store:

    private void InitializeC2SAzManManager(Guid storeID, string connection, DataSet applicationList, WindowsIdentity winUser)
    {
        try
        {
            // Set the StoreID
            m_StoreID = storeID;
            // Set the user
            WinUser = winUser;
            try
            {
                // Open Store
                m_AzStore.Initialize(0, connection, null);
            }
            catch (Exception exception)
            {
                throw new Exception(String.Format("Failed to open AzStore for {0}.", WinIdentity.Name), exception);
            }