Overview of Authorization Manager

Applies To: Windows Server 2008

Important

Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

The role-based management model enables you to assign users to roles, and gives you a central place to keep track of what permissions have been given to each role. This model is often called role-based access control (RBAC).

Once Authorization Manager is configured, and users have been assigned to roles, most settings that authorize users for specific actions are made automatically. You can also apply very specific control by using scripts. The scripts, called authorization rules, enable you to apply fine-grained control over the mapping between access control and the structure of your organization.

Authorization Manager can help provide effective control of access to resources in many situations. Generally, two categories of roles often benefit from role-based administration: user authorization roles and computer configuration roles.

  • User Authorization roles are based on a user's job function. You can use authorization roles to authorize access, to delegate administrative privileges, or to manage interaction with computer-based resources. For example, you might define a Treasurer role that includes the right to authorize expenditures and audit account transactions.

  • Computer configuration roles are based on a computer's function. You can use computer configuration roles to select features that you want to install, to enable services, and to select options. For example, computer configuration roles for servers might be defined for Web servers, domain controllers, file servers, and custom server configurations that are appropriate to your organization.

Using developer mode and administrator mode in Authorization Manager

With Authorization Manager, you can use the following two modes:

  • Developer mode. In developer mode, you can create, deploy, and maintain applications. You have unrestricted access to all of the Authorization Manager features.

  • Administrator mode. This is the default mode. In administrator mode, you can deploy and maintain applications. You have access to all Authorization Manager features, but you cannot create new applications or define operations.

Commonly, Authorization Manager is used by custom applications written for a specific purpose in your environment. These applications usually create, manage, and use an authorization store by calling the Authorization Manager application programming interfaces (APIs). In that case, developer mode need not be used. For more information about using Authorization Manager programmatically, see Resources for Authorization Manager.

When you use developer mode, it is recommended that you run Authorization Manager in developer mode only until the authorization store, application, and other necessary objects are created and configured. After you initially set up Authorization Manager, run Authorization Manager in administrator mode. For more information about using developer or administrator mode, see Set Authorization Manager Options.

Comparing Authorization Manager to other management tools

Authorization Manager is capable of implementing multiple configuration and permission changes at once. There are other management tools available with this version of Windows and Windows Server 2003 family of operating systems that can also be used to configure access permissions, sometimes in ways comparable to Authorization Manager. These include:

  • ACL Editor The access control list (ACL) editor sets access control policy for objects stored in Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS) and Windows objects. Authorization Manager differs from the ACL editor by letting you base your access control on roles (usually based on particular job tasks), not just on group membership, and by tracking the permissions that have been granted.

  • Delegation of Control Wizard The Delegation of Control Wizard also sets multiple permissions automatically, but, unlike Authorization Manager, it does not provide a method to track or remove permissions that have been granted.

Additional references