Updated: January 21, 2008
Applies To: Windows Server 2008
Authorization Manager has been improved in the Windows Server® 2008 operating system with several new features and improvements. Authorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions.
Authorization Manager applications store authorization policy in the form of authorization stores that are stored in Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), XML files, or SQL databases.
Authorization Manager is a role-based security architecture for Windows that can be used in any application that needs role-based authorization, including ASP.NET Web applications, ASP.NET Web services, and client/server systems based on .NET Remoting. The role-based management model enables you to assign users to roles and gives you a central place to record permissions assigned to each role. This model is often called role-based access control.
Once Authorization Manager is configured and users have been assigned to roles, most settings that authorize users for specific actions are configured automatically. You can also apply very specific control by using scripts. The scripts, called authorization rules, enable you to apply detailed control over the mapping between access control and the structure of your organization.
Authorization Manager can help provide effective control of access to resources in many situations. Generally, two categories of roles often benefit from role-based administration: user authorization roles and computer configuration roles.
User authorization roles. These roles are based on a user's job function. You can use authorization roles to authorize access, to delegate administrative privileges, or to manage interaction with computer-based resources. For example, you might define a Treasurer role that includes the right to authorize expenditures and audit account transactions.
Computer configuration roles. These roles are based on a computer's function. You can use computer configuration roles to select features that you want to install, to enable services, and to select options. For example, computer configuration roles for servers might be defined for Web servers, domain controllers, file servers, and custom server configurations that are appropriate to your organization.
Application developers who are creating line-of-business applications that require access control based on roles and IT professionals who manage and maintain those applications will be interested in Authorization Manager.
Authorization Manager requires a data store that correlates roles, users, and access rights. This data store can be maintained in a SQL database, an Active Directory database, or an XML file. If an Active Directory database is used, AD DS must be at the Windows Server 2003 functional level.
In Windows Server 2008, several new features are available in Authorization Manager. These include:
Authorization Manager stores can now be stored in an SQL database, as well as in AD DS, AD LDS, or in an XML file.
Support for business rule groups (groups whose membership is determined at run time by a script) is now available.
Support is now available for custom object pickers, so that application administrators can use the Authorization Manager snap-in for applications that use AD LDS or SQL user accounts.
Many improvements and changes to the core architecture of Authorization Manager have been made in Windows Server 2008 to enhance its functionality. The changes that affect the IT professional or application developer are:
The Authorization Manager application programming interface (API) now includes optimizations of common functions and simpler, faster versions of commonly used methods, such as AccessCheck.
Lightweight Directory Access Protocol (LDAP) queries are not limited to only user objects.
Additional events are recorded in the event log if auditing is active.
The use of business rules and authorization rules is controlled by a registry setting. In Windows Server 2008, rules are disabled by default. In earlier versions of Windows, rules were enabled by default.
If you are interested in implementing role-based access control functionality in your organization, you should determine which roles will be given access and their access rights before starting Authorization Manager application development. You should also determine which type of data store you will use and then test the response time and the potential number of active client computers to make sure that your infrastructure design can support the workload of your organization. Lastly, you should have a comprehensive user education program to inform users of their roles, the access permissions of those roles, and how the different roles interact.
Authorization Manager is available in all editions of Windows Server 2008 on both 32-bit and 64-bit versions.