Creating an Authorization Policy Store Object in C++
An authorization policy store contains information about the security policy of an application or group of applications. The information includes the applications, operations, tasks, users, and groups of users associated with the store. When an application that uses Authorization Manager initializes, it loads this information from the store. The authorization policy store must be located on a trusted system because administrators on that system have a high degree of access to the store.
Authorization Manager supports storing authorization policy either in the Active Directory directory service or in an XML file as shown in the following examples. In the Authorization Manager API, an authorization policy store is represented by an AzAuthorizationStore object. The examples show how to create an AzAuthorizationStore object for an Active Directory store and an XML store.
Creating an Active Directory Store
To use Active Directory to store the authorization policy, the domain must be in the Windows Server 2003 domain functional level. The authorization policy store cannot be located in a Non-Domain Naming Context (also called an application partition). It is recommended that the store be located in the Program Data container under a new organizational unit created specifically for the authorization policy store. It is also recommended that the store be located within the same local area network as application servers that run applications that use the store.
The following example shows how to create an AzAuthorizationStore object that represents an authorization policy store in Active Directory. The example assumes that there is an existing Active Directory organizational unit named Program Data in a domain named authmanager.com.
#pragma comment(lib, "duser.lib")
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Create the AzAuthorizationStore object.
hr = CoCreateInstance(
/*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
__uuidof(AzAuthorizationStore),
NULL,
CLSCTX_ALL,
/*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
__uuidof(IAzAuthorizationStore),
(void**)&pStore);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not create AzAuthorizationStore object.");
// Create a null VARIANT for function parameters.
VARIANT myVar;
VariantInit(&myVar);
// Allocate a string for the distinguished name of the
// Active Directory store.
if(!(storeName = SysAllocString
(L"msldap://CN=MyAzStore,CN=Program Data,DC=authmanager,DC=com")))
MyHandleError("Could not allocate string.");
// Initialize the store in Active Directory. Use the
// AZ_AZSTORE_FLAG_CREATE flag.
hr = pStore->Initialize(AZ_AZSTORE_FLAG_CREATE, storeName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize store.");
// Call the submit method to save changes to the new store.
hr = pStore->Submit(0, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not save data to the store.");
// Clean up resources.
pStore->Release();
VariantClear(&myVar);
SysFreeString(storeName);
CoUninitialize();
}
void MyHandleError(char *s)
{
printf("An error occurred in running the program.\n");
printf("%s\n",s);
printf("Error number %x\n.",GetLastError());
printf("Program terminating.\n");
exit(1);
}
Creating a SQL Server Store
Authorization Manager supports creating a Microsoft SQL Server–based authorization policy store. To create a SQL Server–based authorization store, use a URL that begins with the prefix MSSQL://. The URL must contain a valid SQL connection string, a database name, and the name of the authorization policy store: **MSSQL://ConnectionString/DatabaseName/**PolicyStoreName.
If the instance of SQL Server does not contain the specified Authorization Manager database, Authorization Manager creates a new database with that name.
Note
Connections to a SQL Server store are not encrypted unless you explicitly set up SQL encryption for the connection or set up encryption of the network traffic that uses Internet Protocol Security (IPsec).
The following example shows how to create an AzAuthorizationStore object that represents an authorization policy store in a SQL Server database.
#pragma comment(lib, "duser.lib")
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Create the AzAuthorizationStore object.
hr = CoCreateInstance(
/*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
__uuidof(AzAuthorizationStore),
NULL,
CLSCTX_ALL,
/*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
__uuidof(IAzAuthorizationStore),
(void**)&pStore);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not create AzAuthorizationStore object.");
VARIANT myVar;
myVar.vt = VT_NULL;
// Allocate a string for the SQL Server store.
if(!(storeName = SysAllocString
(L"MSSQL://Driver={SQL Server};Server={AzServer};/AzDB/MyStore")))
MyHandleError("Could not allocate string.");
// Initialize the store. Use the
// AZ_AZSTORE_FLAG_CREATE flag.
hr = pStore->Initialize(AZ_AZSTORE_FLAG_CREATE, storeName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize store.");
// Call the submit method to save changes to the new store.
hr = pStore->Submit(0, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not save data to the store.");
// Clean up resources.
pStore->Release();
SysFreeString(storeName);
CoUninitialize();
}
void MyHandleError(char *s)
{
printf("An error occurred in running the program.\n");
printf("%s\n",s);
printf("Error number %x\n.",GetLastError());
printf("Program terminating.\n");
exit(1);
}
Creating an XML Store
Authorization Manager supports creating an authorization policy store in XML format. The XML store can be located on the same computer where the application runs, or it can be stored remotely. Editing the XML file directly is not supported. Use the Authorization Manager MMC snap-in or the Authorization Manager API to edit the policy store.
Authorization Manager does not support delegating administration of an XML policy store. For information about delegation, see Delegating the Defining of Permissions in C++.
The following example shows how to create an AzAuthorizationStore object that represents an authorization policy store in an XML file.
#pragma comment(lib, "duser.lib")
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Create the AzAuthorizationStore object.
hr = CoCreateInstance(
/*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
__uuidof(AzAuthorizationStore),
NULL,
CLSCTX_ALL,
/*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
__uuidof(IAzAuthorizationStore),
(void**)&pStore);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not create AzAuthorizationStore object.");
VARIANT myVar;
myVar.vt = VT_NULL;
// Allocate a string for the distinguished name of the XML store.
if(!(storeName = SysAllocString(L"msxml://C:\\MyStore.xml")))
MyHandleError("Could not allocate string.");
// Initialize the store in an XML file. Use the
// AZ_AZSTORE_FLAG_CREATE flag.
hr = pStore->Initialize(AZ_AZSTORE_FLAG_CREATE, storeName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize store.");
// Call the submit method to save changes to the new store.
hr = pStore->Submit(0, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not save data to the store.");
// Clean up resources.
pStore->Release();
SysFreeString(storeName);
CoUninitialize();
}
void MyHandleError(char *s)
{
printf("An error occurred in running the program.\n");
printf("%s\n",s);
printf("Error number %x\n.",GetLastError());
printf("Program terminating.\n");
exit(1);
}