Delegating the Defining of Permissions in C++
Authorization policy stores that are stored in Active Directory support delegation of administration. Administration can be delegated to users and groups at the store, application, or scope level.
At each level, there is a list of administrators and readers. Administrators of a store, application, or scope can read and modify the policy store at the delegated level. Readers can read the policy store at the delegated level but cannot modify the store.
A user or group that is either an administrator or a reader of an application must also be added as a delegated user of the policy store that contains that application. Similarly, a user or group that is an administrator or a reader of a scope must be added as a delegated user of the application that contains that scope.
For example, to delegate administration of a scope, first add the user or group to the list of delegated users of the store that contains the scope by calling the IAzAuthorizationStore::AddDelegatedPolicyUser method. Then add the user or group to the list of delegated users of the application that contains the scope by calling the IAzApplication::AddDelegatedPolicyUser method. Finally, add the user or group to the list of administrators of the scope by calling the IAzScope::AddPolicyAdministrator method.
XML-based policy stores do not support delegation at any level.
A scope within an authorization store that is stored in Active Directory cannot be delegated if the scope contains task definitions that include authorization rules or role definitions that include authorization rules.
The following example shows how to delegate administration of an application. The example assumes that there is an existing Active Directory authorization policy store at the specified location, that this policy store contains an application named Expense, and that this application contains no tasks with business rule scripts.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void)
{
IAzAuthorizationStore* pStore = NULL;
IAzApplication* pApp = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR appName = NULL;
BSTR userName = NULL;
VARIANT myVar;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Create the AzAuthorizationStore object.
hr = CoCreateInstance(
/*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
__uuidof(AzAuthorizationStore),
NULL,
CLSCTX_ALL,
/*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
__uuidof(IAzAuthorizationStore),
(void**)&pStore);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not create AzAuthorizationStore object.");
// Create null VARIANT for parameters.
myVar.vt = VT_NULL;
// Allocate a string for the distinguished name of the
// Active Directory store.
if(!(storeName = SysAllocString
(L"msldap://CN=MyAzStore,CN=Program Data,DC=authmanager,DC=com")))
MyHandleError("Could not allocate string.");
// Initialize the store.
hr = pStore->Initialize
(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY, storeName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize store.");
// Create an application object.
if (!(appName = SysAllocString(L"Expense")))
MyHandleError("Could not allocate application name string.");
hr = pStore->OpenApplication(appName, myVar, &pApp);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not open application.");
// Add a delegated policy user to the store.
if (!(userName = SysAllocString(L"ExampleDomain\\UserName")))
MyHandleError("Could not allocate username string.");
hr = pStore->AddDelegatedPolicyUserName(userName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError
("Could not add user to store as delegated policy user.");
// Add the user as an administrator of the application.
hr = pApp->AddPolicyAdministratorName(userName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError
("Could not add user to application as administrator.");
// Clean up resources.
pStore->Release();
pApp->Release();
SysFreeString(storeName);
SysFreeString(appName);
SysFreeString(userName);
CoUninitialize();
}
void MyHandleError(char *s)
{
printf("An error occurred in running the program.\n");
printf("%s\n",s);
printf("Error number %x\n.",GetLastError());
printf("Program terminating.\n");
exit(1);
}