Roles, tasks, and operations
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Roles, tasks, and operations
A role is a set of permissions that a user must have to do a job. Well-designed roles should correspond to a job category or responsibility (for example, receptionist, hiring manager, or archivist) and be named accordingly. With Authorization Manager, you can adds users to a role to authorize them for the job.
A task is a collection of operations, and sometimes other tasks. Well-designed tasks are inclusive enough to represent work items that are recognizable (for example, "change password" or "submit expense").
An operation is a set of permissions that you associate with system-level or API-level security procedures like WriteAttributes or ReadAttributes. You use operations as building blocks for tasks.
You can define roles, tasks, and operations only in developer mode, not administrator mode. To set developer mode, see Set Authorization Manager options.
The role definitions that are appropriate depends on the structure and goals of your organization. Roles support inheritance from other roles. To define a role, you specify a non-arbitrary name, a friendly description, and some lower-level tasks, roles, and operations that are part of it. This provides a mechanism for role inheritance. For example, a Helpdesk role might include a Product Support role. You can specify an authorization rule, which may be either VBScript or JScript. For more information, see VBScript at the Microsoft Web site and JScript at the Microsoft Web site.
If there are several authorization rules associated with a role definition (for example, it has several subroles and tasks), the authorization rules run synchronously. In Authorization Manager, the order has no effect on authorization.
A role assignment is a virtual container for application groups whose members are authorized for the role. A role assignment is based on a single role definition, and a single role definition can be the basis of many role assignments.
The most common procedure that administrators carry out is the assignment of application groups, or Windows users and groups, to a role. For step-by-step instructions, see Assign an application group to a role or Assign a Windows user or group to a role.
A task definition is smaller than a role definition and can be used to define roles and other tasks.
With Authorization Manager, you associate tasks with roles in an intuitive way. For example, the Recruiter role might include the Interview task. Tasks, like roles, are defined in a way that is appropriate to the organization. To define a task, you specify a name, a friendly description, and some lower-level tasks and operations that are part of it. You can also specify a VBScript or JScript authorization rule.
Operations are small computer-level actions that are used to define tasks and usually are not relevant to an administrator. You define operations only in developer mode.
You can set operation definitions at the application level, but not at the authorization store level or the scope level. An operation definition includes a name, a description, and an operation number. The operation number X must be an integer from zero to 2147483647 (that is, 0 ≤ X ≤ 231 - 1). The operation number is used by the application to identify the operation, so entering a wrong operation number will cause a bug in the application. For more information about creating or editing operation definitions, see Create an operation definition or Edit an operation definition.