Export (0) Print
Expand All
1 out of 2 rated this helpful - Rate this topic

Authorization stores and applications

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Authorization stores and applications

With Authorization Manager, you can provide authorization services to administrators that you support by creating Authorization Manager applications that access authorization stores.

In Authorization Manager, there is no default authorization store and there is no default application. To create an authorization store, you must work in the Authorization Manager developer mode. For more information about working in developer mode, see Set Authorization Manager options.

You can store authorization stores in either XML files or Active Directory. The following table compares the two types.

 

Authorization store type Delegation support Authorization store is specified by Windows support

Active Directory

Supported at the authorization store, application, and scope levels

A URL, beginning with the protocol prefix MSLDAP:// or an LDAP distinguished name (for example, CN=myStore,CN=Program Data,DN=nwtraders,DN=com)

Windows Server 2003 domain functional level Active Directory domain only

Important

  • In Windows 2000, Active Directory does not support authorization stores.

XML

Not supported

The XML file is secured as a whole by its NTFS file system access control entries (ACEs).

A URL beginning with the protocol prefix MSXML:// or a Path (for example, C:\Temp\MyStore.xml or \\ServerName\ShareName\MyStore.xml)

Any NTFS partition

An application is specific to an authorization store, and it is always located directly under its parent authorization store in Authorization Manager. For more information about creating an application, see Create an application. Scopes, roles, tasks, and operations are always specific to an application. For more information, see Scopes in Authorization Manager and Roles, tasks, and operations.

Using application groups

An application group is a group of users of an Authorization Manager application. You can create application groups at any of the three levels in the Authorization Manager console. The following table lists the different Authorization Manager levels where you can create application groups.

 

Level Application group can be used in

Authorization store

The authorization store, and applications and scopes underneath it

Application

The application, and scopes underneath it

Scope

The scope

For more information about application groups, see Groups in Authorization Manager.

Delegating authorization stores and applications

Authorization stores that are stored in Active Directory, and the applications that they contain, support delegation. For more information about performing delegation, see Delegate an authorization store and Delegate an application.

Note

  • XML-based authorization stores, applications, and scopes do not support delegation.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.