Authorization Manager and role-based administration overview
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Network administrators, Information Technology specialists, and others responsible for computer-related infrastructure are most effective when they help people do their jobs. The role-based management model enables you to assign users to roles. The settings that authorize users for specific roles are made automatically, by means of scripts. The scripts, called authorization rules, enable you to apply fine-grained control over the mapping between access control and the structure of your organization.
Role-based administration is often used to facilitate authorization and computer configuration. Authorization and computer configuration are two categories of roles that you can manage by using role-based administration.
Authorization roles are based on a user's job function. You can use authorization roles to authorize access, to delegate administrative privileges, or to manage interaction with computer-based resources. For example, you might define a Treasurer role that includes the right to authorize expenditures and audit account transactions. Authorization Manager enables administrators to implement this type of role-based administration through applications. For more information about applications, see Authorization stores and applications.
Computer configuration roles are based on a computer's function. You can use computer configuration roles to select features that you want to install, to enable services, and to select options. For example, server roles might be defined for Web servers, domain controllers, file servers, and custom server configurations that are appropriate to your organization.
With Authorization Manager, you can use the following two modes:
Developer mode. In developer mode, you can create, deploy, and maintain applications. You have unrestricted access to all of the Authorization Manager features.
Administrator mode. This is the default mode. In administrator mode, you can deploy and maintain applications. You have access to all Authorization Manager features, but you cannot create new applications or define operations.
Applications that support roles usually create an authorization store, or use an existing authorization store, with pre-defined operations and tasks. In that case, developer mode need not be used.
When you use developer mode, it is recommended that you run Authorization Manager in developer mode only until the authorization store, application, and other necessary objects are created and configured. After you initially set up Authorization Manager, run Authorization Manager in administrator mode. For more information about using developer or administrator mode, see Set Authorization Manager options.
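The following added example (not part of the original documentation and not the Authorization Manager API) is a simplified in-memory model of how the Treasurer role described above resolves an access check: operations are grouped into tasks, a task can carry an authorization rule, and roles grant tasks to their members. The operation, task, and user names and the 10000 spending limit are constructed for illustration.

```python
# Simplified model of a role-supporting application (constructed example, not the
# Authorization Manager API): operations -> tasks (+ optional rule) -> roles -> members.
class Application:
    def __init__(self):
        self.operations = set()   # lowest-level permissions the application checks
        self.tasks = {}           # task name -> (operations, authorization rule or None)
        self.roles = {}           # role name -> task names
        self.members = {}         # role name -> assigned users

    def define_task(self, name, operations, rule=None):
        unknown = set(operations) - self.operations
        if unknown:
            raise ValueError(f"undefined operations: {sorted(unknown)}")
        self.tasks[name] = (frozenset(operations), rule)

    def define_role(self, name, tasks, members=()):
        missing = set(tasks) - self.tasks.keys()
        if missing:
            raise ValueError(f"undefined tasks: {sorted(missing)}")
        self.roles[name] = frozenset(tasks)
        self.members[name] = set(members)

    def access_check(self, user, operation, **params):
        """Deny by default; allow only through role -> task -> operation."""
        held = [r for r, users in self.members.items() if user in users]
        for task in (t for r in held for t in self.roles[r]):
            ops, rule = self.tasks[task]
            if operation in ops and _rule_allows(rule, params):
                return True
        return False

def _rule_allows(rule, params):
    if rule is None:
        return True
    try:
        return rule(params) is True
    except Exception:
        return False   # a rule that fails to evaluate never grants access

def build_expense_app():
    app = Application()
    app.operations |= {"AuthorizeExpenditure", "AuditTransactions", "SubmitExpense"}
    # Authorization rule on the task: approvals are limited to a constructed amount.
    app.define_task("Approve expenditures", ["AuthorizeExpenditure"],
                    rule=lambda p: p["amount"] <= 10000)
    app.define_task("Audit accounts", ["AuditTransactions"])
    app.define_task("Submit expenses", ["SubmitExpense"])
    app.define_role("Treasurer", ["Approve expenditures", "Audit accounts"], ["alice"])
    app.define_role("Clerk", ["Submit expenses"], ["bob"])   # constructed users
    return app
```

A missing or malformed rule parameter, an unknown user, and an operation reachable only through a role the user does not hold all end in a denial, which is the behavior to verify when reviewing role definitions.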
Authorization Manager is capable of implementing multiple configuration and permission changes at once. There are other management tools available with the Microsoft® Windows Server 2003 family of operating systems that are comparable to Authorization Manager.
ACL Editor. The access control list (ACL) editor for access control on Active Directory directory service and Windows objects sets access control policy. Authorization Manager differs from the ACL editor by facilitating the use of role-based access control in applications that support roles. Sometimes you might not know precisely which permissions you need to set for authority to be delegated. Authorization Manager takes the guesswork out of this process. For more information about access control, see Access Control.
Delegation of Control Wizard. The Delegation of Control Wizard also sets multiple permissions automatically. Authorization Manager provides more scope and configuration options for role-supporting applications. For more information about delegation, see Delegating administration.
For more information about Authorization Manager, see Using Authorization Manager.