Authorization stores and applications

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

With Authorization Manager, you can provide authorization services to administrators that you support by creating Authorization Manager applications that access authorization stores.

In Authorization Manager, there is no default authorization store and there is no default application. To create an authorization store, you must work in the Authorization Manager developer mode. For more information about working in developer mode, see Set Authorization Manager options.

You can store authorization stores in either XML files or Active Directory. The following table compares the two types.

Authorization store type: Active Directory

  Delegation support: Supported at the authorization store, application, and scope levels

  Authorization store is specified by: A URL beginning with the protocol prefix MSLDAP://, or an LDAP distinguished name (for example, CN=myStore,CN=Program Data,DC=nwtraders,DC=com)

  Windows support: Active Directory domains at the Windows Server 2003 domain functional level only

  Important

    • In Windows 2000, Active Directory does not support authorization stores.

Authorization store type: XML

  Delegation support: Not supported. The XML file is secured as a whole by its NTFS file system access control entries (ACEs).

  Authorization store is specified by: A URL beginning with the protocol prefix MSXML://, or a path (for example, C:\Temp\MyStore.xml or \\ServerName\ShareName\MyStore.xml)

  Windows support: Any NTFS partition

An application is specific to an authorization store, and it is always located directly under its parent authorization store in Authorization Manager. For more information about creating an application, see Create an application. Scopes, roles, tasks, and operations are always specific to an application. For more information, see Scopes in Authorization Manager and Roles, tasks, and operations.

Using application groups

An application group is a group of users of an Authorization Manager application. You can create application groups at any of the three levels in the Authorization Manager console. The following table lists the different Authorization Manager levels where you can create application groups.

Level: Authorization store

  Application group can be used in: The authorization store, and the applications and scopes underneath it

Level: Application

  Application group can be used in: The application, and the scopes underneath it

Level: Scope

  Application group can be used in: The scope

For more information about application groups, see Groups in Authorization Manager.
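The following PowerShell script is an added example, not code from this page or from Microsoft; it builds the hierarchy the two sections above describe through the AzRoles COM API that Authorization Manager is built on: an XML store, one application directly under it, one scope under the application, and a basic application group at each of the three levels, then reads the tree back so you can see which level each group belongs to. The store path is the one used in the table; the application, scope and group names and the member SIDs are made-up values.

```powershell
# Added example (not from the original page): create an XML authorization store with
# one application, one scope, and an application group at store, application and
# scope level through the AzRoles COM API. Names and SIDs below are constructed.
$ErrorActionPreference = 'Stop'

$storeUrl = 'msxml://C:\Temp\MyStore.xml'   # XML store; an AD store would use an msldap:// URL
$AZ_AZSTORE_FLAG_CREATE = 1                 # IAzAuthorizationStore.Initialize: create the store
$AZ_GROUPTYPE_BASIC     = 2                 # basic group: membership is a list of SIDs

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $storeUrl)
$store.Submit()

# Store-level group: usable by every application and scope in this store.
$storeGroup = $store.CreateApplicationGroup('Store Auditors')
$storeGroup.Type = $AZ_GROUPTYPE_BASIC
$storeGroup.AddMember('S-1-5-21-1111111111-2222222222-3333333333-1001')   # constructed SID
$storeGroup.Submit()

# Application: always directly under the store; its roles, tasks, operations and
# scopes belong to it alone.
$app = $store.CreateApplication('ExpenseApp')
$app.Submit()

# Application-level group: usable in ExpenseApp and the scopes underneath it only.
$appGroup = $app.CreateApplicationGroup('Expense Approvers')
$appGroup.Type = $AZ_GROUPTYPE_BASIC
$appGroup.AddMember('S-1-5-21-1111111111-2222222222-3333333333-1002')     # constructed SID
$appGroup.Submit()

# Scope under the application, with a group that is visible only inside that scope.
$scope = $app.CreateScope('Department-Finance')
$scope.Submit()
$scopeGroup = $scope.CreateApplicationGroup('Finance Clerks')
$scopeGroup.Type = $AZ_GROUPTYPE_BASIC
$scopeGroup.AddMember('S-1-5-21-1111111111-2222222222-3333333333-1003')   # constructed SID
$scopeGroup.Submit()

# Read the hierarchy back: each group is listed at the level that owns it.
foreach ($g in $store.ApplicationGroups) { "store group      : $($g.Name)" }
foreach ($a in $store.Applications) {
    "application      : $($a.Name)"
    foreach ($g in $a.ApplicationGroups) { "  app group      : $($g.Name)" }
    foreach ($s in $a.Scopes) {
        "  scope          : $($s.Name)"
        foreach ($g in $s.ApplicationGroups) { "    scope group  : $($g.Name)" }
    }
}

# For an XML store the whole file is protected only by its NTFS ACL, so review it:
# anyone with write access to this file can rewrite every role and group above.
(Get-Acl 'C:\Temp\MyStore.xml').Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it in an elevated PowerShell session on a machine with the AzRoles component installed. The `Get-Acl` check at the end is the practical consequence of the store-type table: with no delegation available on an XML store, the file ACL is the only boundary, so it should be as narrow as the store's administrators.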

Delegating authorization stores and applications

Authorization stores that are stored in Active Directory, and the applications that they contain, support delegation. For more information about performing delegation, see Delegate an authorization store and Delegate an application.

Note

  • XML-based authorization stores, applications, and scopes do not support delegation.
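The script below is an added example (not from this page or from Microsoft) for the delegation section: it classifies a policy URL the way the store-type table does, refuses to continue for an XML store, and otherwise delegates one application inside an Active Directory store through the AzRoles COM API, then lists who now holds policy rights. The MSLDAP URL, application name and delegate SID are placeholders; the `Get-AzStoreKind` function is a hypothetical helper written for this example.

```powershell
# Added example (not from the original page): delegate one application in an Active
# Directory authorization store. Store URL, application name and SID are placeholders.
$ErrorActionPreference = 'Stop'

function Get-AzStoreKind {
    # Hypothetical helper. Classifies a policy URL as the store-type table does:
    #   MSLDAP:// or a bare LDAP distinguished name -> Active Directory (delegation supported)
    #   MSXML:// or a drive/UNC path                -> XML (no delegation)
    param([Parameter(Mandatory)][string]$PolicyUrl)
    switch -Regex ($PolicyUrl) {
        '^msldap://'                              { return 'ActiveDirectory' }
        '^msxml://'                               { return 'XML' }
        '^(CN|OU|DC)=[^,]+(,(CN|OU|DC)=[^,]+)*$'  { return 'ActiveDirectory' }  # DN without prefix
        '^([A-Za-z]:\\|\\\\)'                     { return 'XML' }              # local or UNC path
        default { throw "Unrecognised authorization store URL: $PolicyUrl" }
    }
}

$storeUrl    = 'msldap://CN=MyStore,CN=Program Data,DC=nwtraders,DC=com'   # placeholder store
$appName     = 'ExpenseApp'                                                 # placeholder application
$delegateSid = 'S-1-5-21-1111111111-2222222222-3333333333-1050'             # constructed SID

# XML stores, applications and scopes do not support delegation, so stop before
# touching the store rather than letting the COM call fail half-way.
if ((Get-AzStoreKind $storeUrl) -ne 'ActiveDirectory') {
    throw "Delegation requires an Active Directory store; '$storeUrl' is an XML store."
}

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storeUrl)      # 0 = open an existing store (no create flag)

# Application-level delegation: the delegate may administer this application and the
# scopes underneath it, but not other applications or the store itself.
$app = $store.OpenApplication($appName)
$app.AddDelegatedPolicyUser($delegateSid)
$app.Submit()

# These lists are the delegation state worth auditing after every change.
"Store administrators  : $($store.PolicyAdministrators -join ', ')"
"Store delegated users : $($store.DelegatedPolicyUsers -join ', ')"
"App delegated users   : $($app.DelegatedPolicyUsers -join ', ')"
```

Delegating at the store level instead uses the same `AddDelegatedPolicyUser` call on the store object and hands out administration of every application beneath it, so prefer the application-level call whenever the delegate only needs one application.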