Simplifying Role and Permission Management with Authorization Manager (AzMan)
Also explained in my YouTube video:
Introduction
Authorization Manager (AzMan) is a powerful access control framework that simplifies managing roles and permissions within your application. Whether you’re building a web application or a smart client, AzMan provides a flexible way to define operations and group them into tasks. These operations represent actions that users can perform.
Key Features
- Role-Based Framework: AzMan allows you to manage roles by granting permissions for various operations. Users are assigned roles, and permissions are then associated with those roles.
- Microsoft Management Console (MMC): AzMan provides a user-friendly management console for defining operations, roles, and permissions. You can configure the policy store either in Active Directory or as an XML file.
- Integration with Active Directory: AzMan seamlessly integrates with Active Directory, allowing you to directly configure AD groups for specific permissions.
Getting Started with AzMan
1. Installation
- AzMan is available by default on recent versions of Windows Server, so no separate installation is required.
2. Creating an AzMan Policy Store
- You can create the policy store in either Active Directory or as an XML file.
- In the MMC, ensure you’re in “Developer Mode” to create a new policy.
- Create a new authorization store with the “XML” type and define your policies.
3. Managing Applications
- Create a new application (e.g., “SampleApplication”).
- Maintain groups, users, roles, and permissions specific to your application.
- Apply policies to multiple applications, each with its own mappings of roles, users, and permissions.
4. Defining Tasks and Operations
- Under the policy, select your application (e.g., “SampleApplication”).
- Expand “Definitions” and choose “Operation Definitions.”
- Create new operation definitions to represent tasks that users can perform.
5. Groups
Groups: We can create different types of groups. A Basic Application Group is much like a local group: we can add users or groups from Active Directory, or another group from Authorization Manager, and we can also exclude users or groups. Say you have a group of 200 users in AD and want to add all of them except one user; you can add the group and then exclude that one user.
An LDAP Query Application Group determines who is a member by running an LDAP query. If the user matches the query, the user is deemed to be a member of the group. The query can be simple, or as complex as your needs require.
A Business Rule Application Group is the third type of group that can be created. For this type of group you need a script that defines its members. The script will need to be written in either VB or Java.
Role Definitions: A role definition is the set of permissions a user must have to perform a job or task. A role can have lower-level tasks, roles, and operations associated with it.
Task Definitions: A task definition is smaller than a role definition and can be used to define other roles and tasks.
Operation Definitions: These are visible only in Developer mode. Operation definitions are small, computer-level actions used to define tasks; they are usually not relevant to an administrator.
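The definitions above are what an application (or an auditor) consumes at run time. As an added example that is not from the original article, the following PowerShell script opens an XML policy store read-only through the AzRoles COM interface, resolves operation names to IDs, and runs an AccessCheck for one principal; the store path, the operation names "ViewReport" and "ApproveOrder", and the account CONTOSO\alice are assumptions, while "SampleApplication" is the article's own application name.

```powershell
# Added example (not part of the original article): read-only access check
# against an XML AzMan policy store via the AzRoles COM objects.
# Assumed (not in the article): store path, operation names, user and domain.
param(
    [string]$StorePath    = 'C:\AzMan\SampleStore.xml',      # assumed location
    [string]$Application  = 'SampleApplication',             # from the article
    [string]$User         = 'alice',                         # assumed account
    [string]$Domain       = 'CONTOSO',                       # assumed domain
    [string[]]$Operations = @('ViewReport', 'ApproveOrder')  # assumed op names
)

# Open the store read-only (flags = 0). The "msxml://" prefix selects the
# XML store type; an AD store would use "msldap://" instead.
$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication($Application, $null)

# AccessCheck works on numeric OperationIDs, so resolve each name first.
$opIds = foreach ($name in $Operations) {
    ($app.OpenOperation($name, $null)).OperationID
}

# Build a client context for the principal; AzMan evaluates role membership
# (direct members, AD groups, LDAP-query groups and BizRule groups) here.
$ctx = $app.InitializeClientContextFromName($User, $Domain, $null)

# $null scope means application-level scope; the object name is for auditing.
$results = $ctx.AccessCheck('audit-object', $null, [int[]]$opIds)

# One Win32 result per operation: 0 = allowed, 5 = ERROR_ACCESS_DENIED.
for ($i = 0; $i -lt $Operations.Count; $i++) {
    $verdict = if ($results[$i] -eq 0) { 'ALLOWED' } else { "DENIED (code $($results[$i]))" }
    '{0,-14} {1}' -f $Operations[$i], $verdict
}

# Roles the principal holds at application scope (empty string = app scope),
# useful when reviewing whether group and role mappings are as intended.
"Roles for ${Domain}\${User}: " + (($ctx.GetRoles('')) -join ', ')
```

Run it on a machine where the AzMan runtime is present and the XML store is readable by the calling account; for a production store, point it at the same file the MMC edits rather than a copy, so the check reflects the policy actually enforced.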
For more details, refer to the article: AzMan MMC with a sample application – Microsoft Community Hub