Understanding Authorization Manager Application Groups

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

In Authorization Manager, recipients of authorization policy are represented by the following different kinds of groups:

  • Windows users and groups. These groups include users, computers, and built-in groups for security principals. Windows users and groups are used throughout Windows, not only in Authorization Manager.

  • Application groups. These groups include basic application groups and Lightweight Directory Access Protocol (LDAP) query groups. Application groups are specific to Authorization Manager role-based administration.

Important

An application group is a group of users, computers, or other security principals. An application group is not a group of applications.

  • LDAP query groups. Membership in these groups is dynamically calculated as needed from LDAP queries. An LDAP query group is a type of application group.

  • Basic application groups. These groups are defined in terms of LDAP query groups, Windows users and groups, and other basic application groups. A basic application group is a type of application group.

  • Business rule application groups. These groups are defined by a script written in either VBScript or JScript, and result in group membership being determined dynamically at run time according to criteria you define.

Windows users and groups

For more information about groups in Active Directory Domain Services (AD DS), see Role-Based Access Control for Multi-tier Applications Using Authorization Manager (https://go.microsoft.com/fwlink/?LinkId=64287). For more information about security principals that are not stored in AD DS, see the Security Principals Technical Reference (https://go.microsoft.com/fwlink/?LinkId=129213).

Application groups

When you create a new application group, you need to determine whether you want it to be an LDAP query group or a basic application group. For Authorization Manager role-based applications, any authorization you can do with Windows users and groups can also be done with application groups.

Circular membership definitions are not allowed, and result in the error message "Cannot add <Group name>. The following problem occurred: A loop has been detected."

LDAP query groups

In Authorization Manager, you can use LDAP queries to find objects in AD DS, Active Directory Lightweight Directory Services (AD LDS), and other LDAP-compliant directories.

You can use an LDAP query to specify an LDAP query group by typing the desired LDAP query in the space provided on the Query tab of the Properties dialog box of the application group.

Authorization Manager supports two types of LDAP queries that can be used to define an LDAP query group: Authorization Manager version 1 queries and LDAP URL queries.

  • Authorization Manager version 1 LDAP queries

    Version 1 LDAP queries provide limited support for the LDAP URL query syntax described in RFC 2255. These queries are limited to querying the attribute list of the user object specified in the current client context.

    For example, the following query finds everyone except Andy:

    (&(objectCategory=person)(objectClass=user)(!(cn=andy)))

    This query evaluates if the client is a member of the StatusReports alias at northwindtraders.com:

    (memberOf=CN=StatusReports,OU=Distribution Lists,DC=nwtraders,DC=com)

    Authorization Manager continues to support version 1 queries so that solutions developed by using earlier versions of Authorization Manager can be upgraded with less effort.

  • LDAP URL queries

    In order to remove limitations on objects and attributes that can be searched, Authorization Manager supports an LDAP URL query syntax based on RFC 2255. This allows you to create LDAP query groups that use directory objects other than the current user object as the root of the search.

    An LDAP URL begins with the protocol prefix "ldap" and follows this format:

    ldap://<server:port>/<baseObjectDN>?<attributes>?<queryScope>?<Filter>

Note

Distinguished name is also known as DN.

Specifically, the following grammar is supported:

       ldapurl    = scheme "://" [hostport] ["/"
                    [dn ["?" [attributes] ["?" [scope]
                    ["?" [filter]]]]]]
       scheme     = "ldap"
       attributes = attrdesc *("," attrdesc)
       scope      = "base" / "one" / "sub"
       dn         = distinguishedName
       hostport   = hostport
       attrdesc   = AttributeDescription
       filter     = filter

The right-hand sides hostport, distinguishedName, AttributeDescription, and filter are not defined in this grammar; RFC 2255 imports them from RFC 1738 (hostport), RFC 2253 (distinguishedName), RFC 2251 (AttributeDescription), and RFC 2254 (filter).

For example, the following query returns users whose company attribute is set to "FabCo," from the LDAP server running on port 389 on a host named "fabserver":

ldap://fabserver:389/OU=Customers,DC=FABCO-PN,DC=com?*?sub?(&(company=FabCo)(objectClass=user)(objectCategory=user))

When using an LDAP URL query, you can use the special placeholder value %AZ_CLIENT_DN%. This placeholder is replaced with the distinguished name (DN) of the client making the access check. This allows you to construct queries which return objects from the directory based on their relationship to the distinguished name of the client making the request.

In this example, the LDAP query tests whether the user is a member of the "Customers" OU:

ldap://server:<port>/OU=Customers,DC=FABCO-PN,DC=com?(objectclass=*)?sub?(&(objectClass=user)(objectCategory=user)(distinguishedName=%AZ_CLIENT_DN%))

In this example, the LDAP query tests whether the user is a direct report of a manager named "SomeManager" and that the "searchattribute" of SomeManager is equal to the particular value "searchvalue":

ldap://server:port/Cn=SomeManager,OU=Users,DC=FABCO-PN,DC=com?(objectclass=*)?base?(&(searchattribute=searchvalue)(directreports=%AZ_CLIENT_DN%))

For more information about the syntax of an LDAP URL query, refer to the text of RFC 2255 (https://go.microsoft.com/fwlink/?linkid=65973).

Important

If the LDAP query starts with "ldap," it is treated as an LDAP URL query. If it starts with anything else, it is treated as a version 1 query.
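The following Python is an added example, not Authorization Manager code. It puts the three rules above into one place: a query beginning with "ldap" is an LDAP URL query and anything else is a version 1 query; an LDAP URL splits into host, port, base DN, attribute list, scope, and filter according to the RFC 2255 grammar; and %AZ_CLIENT_DN% is replaced by the distinguished name of the client being checked. The defaults for an empty scope ("base") and an empty filter ("(objectClass=*)") come from RFC 2255, not from this page. Escaping the substituted DN as an RFC 2254 filter value is this example's own hardening choice, so that a DN containing parentheses or asterisks cannot change the structure of the filter; it is not documented Authorization Manager behaviour. The FabCo URL is the one quoted above; the template URL, the host name server, and the user Alice are constructed for this example.

```python
"""Classify, parse and expand Authorization Manager LDAP query group definitions.

Added example; not Authorization Manager code.  Defaults for empty scope and
filter follow RFC 2255.  The filter-value escaping applied to the substituted
client DN is this example's own hardening choice.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

CLIENT_DN_PLACEHOLDER = "%AZ_CLIENT_DN%"
VALID_SCOPES = ("base", "one", "sub")
DEFAULT_FILTER = "(objectClass=*)"

# RFC 2254 escapes for characters that would otherwise change a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


@dataclass
class LdapUrl:
    host: Optional[str]
    port: Optional[int]
    base_dn: str
    attributes: List[str]
    scope: str
    filter: str


def query_kind(query: str) -> str:
    """'url' for an LDAP URL query, 'v1' for an Authorization Manager version 1 query."""
    return "url" if query.startswith("ldap") else "v1"


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot open or close filter terms when embedded in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_client_dn(query: str, client_dn: str) -> str:
    """Substitute the DN of the client being access-checked for %AZ_CLIENT_DN%."""
    return query.replace(CLIENT_DN_PLACEHOLDER, escape_filter_value(client_dn))


def parse_ldap_url(url: str) -> LdapUrl:
    """Split ldap://hostport/dn?attributes?scope?filter into its components."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme != "ldap":
        raise ValueError("an LDAP URL query must begin with ldap://")
    hostport, _, path = rest.partition("/")
    host = port = None
    if hostport:
        host, _, port_text = hostport.partition(":")
        if port_text:
            if not port_text.isdigit():
                raise ValueError(f"port is not numeric: {port_text!r}")
            port = int(port_text)
    # dn ? attributes ? scope ? filter -- every component after the host is optional.
    parts = path.split("?", 3) + ["", "", "", ""]
    dn, attrs, scope, flt = (unquote(p) for p in parts[:4])
    attributes = [a for a in attrs.split(",") if a]
    scope = scope or "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {VALID_SCOPES}, got {scope!r}")
    return LdapUrl(host, port, dn, attributes, scope, flt or DEFAULT_FILTER)


# The FabCo query quoted on this page.
PAGE_URL = ("ldap://fabserver:389/OU=Customers,DC=FABCO-PN,DC=com?*?sub?"
            "(&(company=FabCo)(objectClass=user)(objectCategory=user))")

# Constructed template: the host name is made up, the placeholder is the page's.
TEMPLATE_URL = ("ldap://server:389/OU=Customers,DC=FABCO-PN,DC=com??sub?"
                "(&(objectClass=user)(distinguishedName=%AZ_CLIENT_DN%))")

if __name__ == "__main__":
    print(query_kind(PAGE_URL), parse_ldap_url(PAGE_URL))
    client = "CN=Alice (Sales),OU=Customers,DC=FABCO-PN,DC=com"  # constructed DN
    print(parse_ldap_url(expand_client_dn(TEMPLATE_URL, client)).filter)
```

Run the module directly to see the FabCo URL broken into fields and the template's filter after the placeholder has been replaced with an escaped DN.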

Basic application groups

Basic application groups are specific to Authorization Manager.

To define basic application group membership, you need to:

  1. Define who is a member.

  2. Define who is not a member.

Both lists are built in the same way, and Authorization Manager combines them at run time:

  • First, you specify zero or more Windows users and groups, previously defined basic application groups, or LDAP query groups in each list.

  • Second, Authorization Manager calculates the membership of the basic application group by removing the nonmembers from the members. It does this automatically at run time.

Important

Non-membership in a basic application group takes precedence over membership.
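The following Python is an added example, not Authorization Manager code. It models a basic application group as a members list and a non-members list, where each entry may be a Windows user or group, an LDAP query group, or another basic application group, and computes effective membership at check time as everyone reachable through the members list minus everyone reachable through the non-members list, so a non-member entry always wins even when the same principal is also listed as a member. It also refuses a definition that would make a group contain itself, directly or through a chain of groups, using the "A loop has been detected" condition quoted earlier on this page. Windows groups and LDAP query groups are expanded through a caller-supplied lookup; the group and user names (FABCO\Sales, LDAPQuery:Contractors, alice, bob, carol, dave) are constructed.

```python
"""Resolve basic application group membership with non-member precedence.

Added example; not Authorization Manager code.  Windows groups and LDAP query
groups are expanded by a caller-supplied lookup; all names here are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


class LoopDetected(Exception):
    """Raised when a membership definition would form a cycle."""


@dataclass
class BasicGroup:
    members: Set[str] = field(default_factory=set)
    non_members: Set[str] = field(default_factory=set)


class GroupStore:
    def __init__(self, resolve_external: Callable[[str], Set[str]]):
        self.groups: Dict[str, BasicGroup] = {}
        # Maps a Windows group or LDAP query group name to its principals.
        self.resolve_external = resolve_external

    def define(self, name: str) -> None:
        self.groups[name] = BasicGroup()

    def add(self, group: str, entry: str, as_member: bool = True) -> None:
        """Add a member or non-member entry, refusing any definition that would loop."""
        if entry in self.groups and self._refers_to(entry, group):
            raise LoopDetected(
                f"Cannot add {entry}. The following problem occurred: A loop has been detected.")
        target = self.groups[group]
        (target.members if as_member else target.non_members).add(entry)

    def _refers_to(self, start: str, goal: str) -> bool:
        """True if basic group `start` is, or transitively references, basic group `goal`."""
        stack, seen = [start], set()
        while stack:
            name = stack.pop()
            if name == goal:
                return True
            if name in seen or name not in self.groups:
                continue
            seen.add(name)
            g = self.groups[name]
            stack.extend(g.members | g.non_members)
        return False

    def _principals(self, entry: str) -> Set[str]:
        """Expand one entry to the set of security principals it denotes."""
        if entry in self.groups:
            return self.effective_members(entry)
        return self.resolve_external(entry)

    def effective_members(self, group: str) -> Set[str]:
        """Members minus non-members, computed recursively at check time."""
        g = self.groups[group]
        included = set().union(*(self._principals(e) for e in g.members))
        excluded = set().union(*(self._principals(e) for e in g.non_members))
        return included - excluded

    def is_member(self, group: str, principal: str) -> bool:
        return principal in self.effective_members(group)


# Constructed stand-ins for a Windows group and an LDAP query group.
EXTERNAL_GROUPS = {
    "FABCO\\Sales": {"FABCO\\alice", "FABCO\\bob"},
    "LDAPQuery:Contractors": {"FABCO\\bob", "FABCO\\carol"},
}


def lookup(name: str) -> Set[str]:
    """A name that is not a known group is treated as a single user."""
    return EXTERNAL_GROUPS.get(name, {name})


def build_demo_store() -> GroupStore:
    store = GroupStore(lookup)
    store.define("SalesStaff")
    store.add("SalesStaff", "FABCO\\Sales")
    store.add("SalesStaff", "FABCO\\bob")  # listed explicitly as a member...
    store.add("SalesStaff", "LDAPQuery:Contractors", as_member=False)  # ...but excluded here
    store.define("AllStaff")
    store.add("AllStaff", "SalesStaff")
    store.add("AllStaff", "FABCO\\dave")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(sorted(store.effective_members("SalesStaff")))
    print(sorted(store.effective_members("AllStaff")))
    try:
        store.add("SalesStaff", "AllStaff")  # AllStaff already contains SalesStaff
    except LoopDetected as exc:
        print(exc)
```

Because bob is both an explicit member of SalesStaff and a member of the excluded Contractors query group, he is not an effective member; the loop check walks both the members and the non-members lists, since a cycle through either would make resolution recurse without end.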

Business rule application groups

Business rule application groups are specific to Authorization Manager.

To define business rule application group membership, you must write a script in either VBScript or JScript. The script source code is loaded from a text file on the Properties page of the business rule application group.