Use Authorization Manager to make roles based on role access control for multi-layer applications

Use Authorization Manager to make roles based on role access control for multi-layer applications

Author: Dave McPherson (Microsoft Corporation)

Acknowledgment: Thank you very much for Jason Rush, PraRit Garg, Don Schmidt, Paul Leach and Doug Bayer support.

This page

Introduction Authorization Policy Storage Application Management Audit Application Design Process Develop Authorization Manager Application Performance Specific Environment Design • Internet Information Services 6.0 URL Authorized Scene: Web Expensive Appacts: Use Authorization Manager with Custom Main Body

Introduction

In the Windows Server 2003 family, Authorization Manager (Authorized Manager) is an application authorized for application in the Windows platform to introduce a new model. Authorization Manager provides a easy-to-use license framework for business applications. In this framework, you must grant user access based on the role in your organization or application. In order to achieve this requirement, the application often creates a custom implementation of authorization mechanisms, which increases development costs and management complexity because there are different authorization models. Authorization Manager provides an application based on role-based access control, which makes it easier to manage easier and web-based applications or business applications.

ACL and business applications

Since the Private Object Security API is introduced in Microsoft Windows NT Server 4.0, the Windows operating system has supported using ACLs in the application's access control. In the ACL model, you can attach any access control list (DACL) to the secure object, and can make an access decision by calling the AccessCheck App Programming Interface (API), the interface views the user group in the token. Members qualification and compare them to the content of the ACL to determine if the user has access to access. The ACL model is ideal for many types of applications. Define a clear persistent object's resource manager (such as NT system registry) to properly use the ACL model to provide object level access control. In these types of applications, it is always possible to make an access control decision according to the access request of existing systems. In the future, applications using the ACL model should use Authzapi, Authzapi is introduced in Windows XP and Windows Server 2003 families. It provides performance and flexibility enhancement (compared to Windows NT Private Object Security API). To get more information about Authzapi, see Microsoft Platform Software Development Kit (Microsoft Platform Software Development Kit).

Some business (LOB) applications have completely different licensing issues, such as Web spending reports or shopping applications. For these applications, authorization decisions do not determine access to defined a clear persistent object. Instead, they verify the workflow or perform multiple different operations, such as querying the database and sending an email. In the LOB application, access decisions are often based on business logic, such as the number of quantities or workflows submitted in the expense application, rather than just based on token group membership. There is no space that does not contain a defined deprecated persistent object to store the ACL, so the ACL model may be difficult to apply to these applications. Role-based access control

Traditional access control management models are object-based. In these models, access control is specified in an object or object container (eg, in ACL), and the administrator must go to the object to query and specify access to the object. These models require administrators to convert organizational authorization policies to objects: Each object has a list of access to different users and groups in your organization. Role-based access control (RBAC) simplifies access control management, and allows you to manage privileges based on user work roles, thereby providing better manageability in your organization.

You can use the group to implement some of the purpose of role-based access control. A group corresponds to an employee role, and the application administrator can specify the permissions required to grant the role by granting group permissions in the object's DACL. As the target set is increasing, the number of places where administrators need to manage is constantly increasing. Continuous use resource groups and user groups can help reduce their efforts to minimal, but this requires constant practice and administrators and the exact definition of resource groups. These processes slow down management process, so administrators often avoid them.

In addition, with the increase of the number of objects, access to a specific group or role will become more difficult to grant a specific group or role. In order to accurately determine what permissions given to the user or group, the administrator must check the permissions on each object. Although the inheritance function seems to simplify this work, each object avoids the ability to inherit the permissions, still makes it necessary to view each object to fully understand the authorization policy. Since there are too many objects that need to query, there is sometimes few access control status for specific groups or users.

Role-based access control attempts to allow administrators to specify access control based on the company's organizational structure. RBAC achieves this by creating a new object called role (Role). You can assign users to perform a role of a certain work function. However, in fact, the group is that the role will define the authorized rights limit on certain part of the resource. In the RBAC model, administrators use roles to manage privileges and assignments. For example, the company may create a role called sales manager (Sales Manager), the sales manager needs this role to meet their work needs. When employing sales managers, they assigned sales managers roles, and they can immediately have all the permissions required for this job. When they leave the sales manager, they will be removed from the sales manager role and no longer have access to sales managers. Since the role makes access to access according to the company's organization model, the specified access control is more intuitive and natural for administrators. Figure 1 identifies the relationship between roles, users, and privileges. In this model, the role is an object granted permission, and the role is assigned to the user.

Figure 1: Role-based access

RBAC maps the user's work role to application permissions so that access control management can be done according to user working roles. The RBAC system converts user role membership into application permissions. Since permissions are granted on the role, you can query and change your permissions on the role without checking specific resources. In most environments, once role permissions are established, the role permissions are rare (compared to changes in the role assignment). This means that administrators will have to set roles, such as employee, managers, and administrator, but once the role is created, the administrator will manage members in the management role instead of the subject. Authorization Manager concept model

Authorization Manager is a set of COM-based runtime interfaces that allow applications to easily manage and verify client requests to perform application operations. In addition, Authorization Manager provides the Microsoft Management Console (MMC) plugin, and application administrators can use the plugin to manage user roles and permissions.

Authorization Manager:

• Simplify application access control management in business applications. • It can provide a concise and natural development model. • You can enable flexible, dynamic authorization decisions.

In general, you can define an access control model using the term topic, resources, and permissions. Theme is often the operation of the user's resource. Access is controlled by a set of permissions, this set of permissions allows the subject to perform a specific operation on the resource. Management of access control rarely handles these constructs, and more common is the collection of management topics, resources, and privileges. You usually manage topics or users in groups, and manage resources in an application-specific collection (such as: directory or organizational unit). Although permissions can be granted directly, the permissions are often pivoted to higher levels, such as full control (Full Control). These collections have enabled authorization management in an environment with multiple topics, resources or privileges. Application administrators must use these collections to develop an application's authorization policy, so that each topic has appropriate permissions to use application resources.

Traditional resource manager stores the resource of the authorization policy and the policy application. For example, the ACL in the file is stored by the resource manager and is logically associated with the file. In the Authorization Manager model, the authorization policy data is stored separately in the authorization policy storage. The application identifies the operation or task that the application can perform, and declaration in the authorized repository when the application is installed. Administrators manage authorization policies by defining roles (tasks and operations needed to work in the execution organization). Define roles, tasks, and operations, and information to role assigners and groups are stored in the authorized repository. The application queries the authorization policy at runtime to confirm that the authorized client is authorized to perform the requested operation. Authorization Manager provides an API to manage authorization policies and check the validity of administrators' access controls and user interfaces so they can manage authority storage. The following figure shows the authorization stores provided by the Authorization Manager for the authorized repository provided by the application and administering the authorized repository and showcase the relationship between each Authorization Manager object.

Figure 2: Object relationship in Authorization Manager View full size image.

definition

This section describes the objects used by Authorization Manager to manage authorization policies.

Operation: The Explorer uses low-level permissions to identify the security process. Several operations may require a meaningful task. For administrators, the operation is often undisclosed or meaningless. The operating example can be WRITEATTRIBUTES or readAttributes (read attributes). Task: Low level operation set. The task is used to determine which low-level operations are required to complete certain work units that make sense to the administrator. Task paradigm may be a change password. Tasks can also contain other tasks. For example, the task called the Manage User Accounts can include change the password, reset the password, disable the account (Disable Account). Role Definitions: The collection of permissions required for a particular role, where permissions can be tasks or operations. Note that this definition is similar to the definition of the task. Role: The user must have a collection of permissions necessary to complete their work. The role is applied to a set of objects and the user is assigned to the role. BizRules, also known as authorization script: attached to the script of the task object, running when accessing the request. It can use only information available only when running (such as "Time" or "Dollar Average of the Dollar") to make an authorization decision. Scope: A collection of objects or resources that uses a completely different authorization policy. The scope can represent a physical collection (such as a folder), or represent more complex resource collections (such as: *. Doc). Applications can use a part of the action to group resources, and must be able to map the requested resource to its scope when the application checks the user's access. Application Groups: You can only apply to groups of applications or applications within an authorized repository, an application within a repository. Authorization Manager implements two types of application groups. Application Basic Groups: Part of the application group, member list maintained for a set of applications, single applications, or scopes within the application (Active Directory users or groups or other applications) Program group). The application group can also identify non-members, which is considered that there are some abnormalities, such as a large group can be used with a small group or excluded a particular user. LDAP Query Groups: Part of the application group that is defined by the Lightweight Directory Access Protocol, LDAP in a specific Active Directory user account property. Flexible group members can be provided, which can be defined according to user account properties and remain updated. Back to top

Authorization policy storage

When an application using Authorization Manager is initialized, it loads authorization policy information from the repository. Authorization Manager provides support for storing authorization policies in Active Directory or .xml files. Important note: Because the authorization policy information is stored by Active Directory or stored in the NTFS file, it protects the security functions of Active Directory or NTFS, and the audit support for the changes directly to the storage is located. The system is processed. Additionally, administrators in the system containing the authorization policy storage have a high permission to access the repository. Therefore, the authorization policy store must be in a trusted system.

Active Directory Authorization Manager Storage

To store the Authorization Manager policy using Active Directory, the domain must have a functional level of Windows Server 2003. The Active Directory in the Windows Server 2003 family contains the mode update of the Authorization Manager object. When using Active Directory storage, Authorization Manager creates an Active Directory object for the repository itself and each application group, application, operation, task, role, and scope. The scope object can include tasks, roles, and groups created in this scope.

When using an Active Directory Authorization Policy Repository, the application controls when to load the application object. When the application is connected to the policy repository, the storage global property (including the repository level group) is locally buffered with the header information of each application. When the application uses the OpenApplication method to initialize its authorization policy, each scope of application properties, roles, tasks, operations, application groups, and header information are loaded into memory. Once the application is loaded, it holds a buffer state in memory until the application object is released. The scope is loaded on demand; or when specifies a scope in the call to AccessCheck, or when using the OpenScope method. Once the scope is loaded, it keeps the buffer state in memory until the application object is released.

Active Directory does not support compulsory transaction in multiple objects or properties, so you can edit the repository simultaneously by two management applications. In this case, the repository may be destroyed. Because of this, we recommend that the application is regularly backup their authorized repositories. For more information on the Active Directory backup and recovery tool, see "Active Directory" in Windows Server 2003 Help.

Active Directory administrators need deployment

Application administrators can benefit from using the Active Directory storage authorization policy. The Active Directory Storage allows applications to provide storage, availability, redundancy, and authorization policies for applications using existing domain infrastructure. Active Directory administrators deploying Authorization Manager should consider the following information:

Domain mode requirements

The Authorization Manager Active Directory Store requires the domain located in the Windows Server 2003 functional level.

Authorization Manager Active Directory impact on infrastructure

Authorization Manager is running any applications or services in the Domain Controller running in the Domain Controller. Active Directory can be used to store authorization policy data.

When initialization and download the desired application domain policy, the application policy information is downloaded using the policy. This read-on domain controller will change when the application reads the policy information. The size of the authorization policy of the application or scope will vary with the number of roles, tasks, operations, and group changes as the role domain. Although the size of the application group can be changed, it is recommended that you do not use the application group for large groups so that the performance of the application is not affected. Although the size of the group and roles can be changed, it may be similar to the Active Directory group. The processing time consumed by the reading group or role is as much as the processing time consumed by members of the Active Directory group that contains the same number. Although the application group can have the same maximum capacity as the Active Directory group, it is usually smaller than the Active Directory group because they are for use only. When you need to include a group of more than 5,000 members, if possible, we recommend that you use the Active Directory group to replace the application group. Close to the requirements

Applications require high quality access to the Authorization Manager policy. Although the execution of a single application in narrowband scenarios may be acceptable, unless they have a small authorization repository, the domain controller is usually located in the LAN (LAN) of the application server.

copy

Authorization Policy Repository is copied to all domain controllers in the domain of storage authorization policies, and the Authorization Manager object is referenced in each global directory server in the forest.

A separate domain or forest can be used to store the Authorization Manager policy. You can choose to make this to minimize the copy traffic in the domain, thereby minimizing the load on the domain controllers within the account domain, or you can choose to manage the Authorization Manager policy repository. Use a separate domain or forest to establish a correct trust between the domain (account field) of the user account and the domain of the Authorization Manager (Authorization Manager storage domain). The trusted configuration required depends on what domain in what domain from the administrator of the Authorization Manager policy and the application server and all backend resources.

Deploy the Authorization Manager repository in Active Directory

Next, the step-by-step guidance on deploying the Authorization Manager repository deployed in Active Directory is given.

1. Select the Authorization Manager Active Directory repository To deploy Authorization Manager in Active Directory storage, you must select the location of the repository. It is recommended that administrators create a new organizational unit (OU) in the domain's Program Data container and create a repository object in the new organizational unit. This recommendation is not mandatory. If your application has data in a container other than Program Data, you can put the Authorization Manager repository into it. Authorization Manager cannot be placed in a non-domain name context (also known as application partition). 2. Creating an Authorization Manager repository application can create an Authorization Manager policy repository in Active Directory itself through the Authorization Manager API, and administrators can also create a repository by using Authorization Manager MMC. To achieve this, the user or application attempted to create a repository must have a Create Child Object permission in the previously selected container, and must know the proprietary name of the container. To learn more about creating a repository using the Authorization Manager MMC plugin, see the Authorization Manager seal. 3. Role and Authorization Library Access If the application administrator uses the program to create a repository, then they should have permission to manage the repository. If the repository is created manually by the Active Directory administrator, the permission to manage the repository must be given the application administrator using the repository. The Authorization Manager MMC can be used to grant application administrator access to manage the authorization policy repository. The authorization policy within the repository is managed by the application administrator. Authorization Manager Active Directory Storage Allows the application administrator to delegate the application's management and scope within the repository. Since the application service account using the license policy must be able to read the policy repository, the application service account must include in the reader role, and the reader role can belong to the appropriate repository or application or repository. area. 4. Enable Windows Authorization Access Group Note: This step is required only when the application designer uses the INITIALIZECLIENTEXTFROMNAME and INITIALIZECLIENTEXTEXTFROMSTRINGSID method to create a client on the application. Use InitializeClientContextFromToken applications don't need this step. If you don't dare to affirm which APIs will be used by the application server, you can ask an application administrator or designer, and they should know. These methods are attempting to read the user token-groups-global-and-universal property in Active Directory so that the user's Active Directory group member qualification information is obtained. To read this information, the application service account must have read (read) permissions for this property of each user object.

If the domain is configured for "WINDOWS 2000 previously versions" (ie "Everyone" group in the "WINDOWS 2000-compatible Access" group), "verification" by default The user "" "group will have access to the InitializeClientContextFromName or InitializeClientContextFromstringsID method. If this domain is set for Windows 2000 and "Windows Server 2003 Compatibility", only "Concurrent User" groups are in the "Concurrent Version Access" group in the previous version of Windows 2000. In this case, the application service account will have the permissions required to call the InitializeClientContextFromName or InitializationContextFromstringsID method. If the domain has been locked (ie, the Active Directory administrator limits the default access), "Windows 2000 previous version is compatible with the previous version" is likely to be empty. In this case, the server is calling the InitializeClientContextFromNameOfSid interface. Maybe will fail. If this is the case, in order to grant access to the service account, it is recommended that you first add a service account to the Windows Authorization Access group, and then grant "Windows Authorization Access" group to access each user token-group -global-and-universal property permission (if it does not have this access to this access). To learn more about the Windows Authorization Access group (a new group belonging to the Windows Server 2003 family), search for the term in the Microsoft Knowledge Base (http://support.microsoft.com/). XML file storage in Authorization Manager

Authorization Manager supports the authorization policy (ie stored in the NTFS volume) through the .xml file storage. The XML repository can be saved on the same computer as the server application using the Authorization Manager API, or remote saving.

In order to support the renaming of the object, the XML format contains the global unique identifier (GUID). Therefore, you should not edit the .xml file directly. In addition, XML mode is currently not released. You can edit the repository via Authorization Manager MMC, or you can edit the repository via the Authorization Manager interface, and the Authorization Manager interface can be used for scripting languages, such as: Microsoft Visual Basic Scripting Edition (VBScript) and JScript. XML storage does not support commission because access to the XML file is controlled by any access control list (DACL) controlled by the file permitted or restricted to access the entire content of the file.

It is recommended that the application administrator regularly backs up their authorized repository. When multiple applications are written to the same file, NTFS file systems do not support them in a file to write a series of separate write operations as a single logical write operation. (These operations are sometimes referred to as transaction operations.) Since the Authorization Manager policy store can be edited by two management applications at the same time, the repository may be destroyed. Back to top

Application management

After installing the application, the administrator's job is to add any new roles you need, verify the permissions on the initial role (if present), and assign users to the role. If the application creates a set of tasks with meaningful names, the administrator settings will be much easier to set up the initial role.

The characteristic of role-based access control is to make management more intuitive and easier. To achieve this, administrators must design a policy that deploy roles in the application, which is similar to the user's work description. Once the role is established, the focus of management is mainly membership within the management role, so it is very important to test each role permission. In general, it should only be granted permissions required for each role, and then add permissions when needed, not to grant too much permissions, and then delete unwanted privileges, the former is more secure.

Management scope

Typically, a scope is created by an application, and then the role is created and managed by the administrator in a scope. If this method is used, the administrator does not have to know the application scope syntax and application logic used to enable user access requests and scope.

When the application allows the administrator to create a scope, the application must provide documentation, only this, the administrator can understand how to create a correct named scope, because the scope is defined by each application, and the application will put Each access request is mapped into an appropriate domain.

Scope allows administrators to divide application resources into physical or logical sets, and specify different authorization policies in each scope. Due to the definition of tasks and roles, they are globally for applications (in other words, all in all scopes), so the roles created for different scopes can use the same global definition Has different membership qualifications. This makes it possible to redefine permissions in each scope. If role or task (such as administrator or full control) will have the same permissions in each scope but different people will be assigned, this method is very useful.

Important: Authorization Manager has a default scope. Permissions granted to roles in the default scope are applied to all scopes in the application. For this reason, only the role assignment of all scopes applied to the application should use the application default scope.

Role inheritance

Since the process of establishing a role involves dispatching user permissions, it is necessary to be particularly careful. To reduce the required verification and analysis to a minimum, you can design a new role model to use the work made by the existing role.

Figure 3: Role inheritance View full size picture.

Role definitions involve tasks and operations of privileges that define roles. Using the role definition allows the role to be defined in inheritance, that is, create a new role through an existing role.

Management commission

The Authorization Manager supports the authorized repository, application, and scope level management delegation when using the Active Directory Authorization Manager policy repository. This makes higher-level administrators to give other administrators with certain parts of the authorization policy. Administrators in storage, applications, or scope can perform all operations required for the authorization policy within the scope of the management, and readers can only read authorization policies. In addition, you must also add authorized users of the delegate or application to the DELEGATED User management role. This allows users to view groups created in application level and repository levels. After commissioning the scope (because one or more mains are located in the management role of the scope), BizRules cannot be added to the task or role definitions created in the scope. The delegate domain can use BizRules defined by the application level task and role. The storage library-level administrator can also block BizRules to run by setting the value of the Scriptenginetimeout's storage level to 0. After doing so, AccessCheck assumes that existing BizRules will return to false and will not grant access to access by tasks or role definitions containing BizRule.

Use the Authorization Manager application group

Authorization Manager introduces two types of groups, applications basic groups, and LDAP query groups. Authorization Manager can use these two groups to simplify applications that need to maintain the group of security mains. (Behind this article will discuss these aspects more detail.) For the Authorization Manager policy repository, the Authorization Manager application group can be a global group, which can be used for an application and is used by all the scope within the application. The repository, or any application in a single application-specific repository can use the Authorization Manager application group. Some applications need to manage user groups without having to rely on updates to domain groups (this may be managed by different people). Domain administrators may need to maintain less groups without managing application-level groups. There may be a certain delay between the request and the actual changes made by the Active Directory. In addition, some groups are just the needs of certain applications, if these applications can manage group membership, domain administrators do not have to be involved.

Application Basic Group

Application Basic Group is similar to traditional Windows domain groups because it is a collection of member security mains, but it is different from traditional groups because it contains non-member lists or negative lists of the security host, allowing traditional use rejection in the object. (DENY) Access Control Entries (ACE) exceptions. The security entity added to the non-duty list will never be a member of the group, even if they are directly or indirectly granted to membership in the member list. The application base group stores each member and non-member security identifier (SID) so that the application group will increase with the increase of the Authorization Manager repository. Since the application will load some authorized storage library to memory, membership of large groups and roles may increase the time required to initialize the Authorization Manager repository, application, or scope objects.

When the application group becomes very large:

• Initializing storage, initializing applications, and calling AccessCheck performance will be affected. • Need to invest more funds in your application. • There are more loads in the domain when the application is initialized and refreshed. • Members in the application group often change, which requires more frequent refresh cache.

Therefore, we strongly recommend that when the application group has developed to approximately 2,000 members, they should be converted to the Active Directory group. (To get more information about performance, see the Performance section later.) When the user logs in or when the system creates the user context, the member qualification of the user Active Directory group is determined, and it does not affect the initialization Authorization. The time required for Manager, applications, or scope. LDAP query group

Typically, the group is a collection of users who remain in Active Directory, which have similar properties for the Active Directory account. For example, users working in a particular cost center may be in a group of the cost center, even if the cost center information is saved in the Active Directory as the property of each user account. When the user shifts from a cost center to another, the administrator must update the two cost center groups and the cost center properties of the user object. In order to be able to take advantage of user properties, the Authorization Manager provides an LDAP query group without having to place the same information in multiple locations.

Members in the LDAP query group are determined by using LDAP queries in a given user object. This allows the application to use user attributes as groups in the role and eliminate the trouble of managers manage those group members. Application administrators can control members by creating an LDAP query group based on the feature of the user account. The following is some examples of writing LDAP query groups.

All members of the Managers group are:

(MEMBEROF = CN = Managers, OU = Distribution Lists, DC = NWTRADERS, DC = COM)

All members of 18 years old.

(Age> = 18)

All German users

(country = germany)

German users over 18 years old

(& (agn> = 18) (country = germany)))

The LDAP query group requires the connected user account to remain in Active Directory, but they are also supported when using XML-based Authorization Manager policy repository. AccessCheck performs an evaluation of the LDAP query group when calling, so when implanted an LDAP query in the role, call AccessCheck requires more time, because you need to perform LDAP search in Active Directory when evaluating queries. When the members in the LDAP query group in the client context, the initial AccessCheck call is relatively slow because many LDAP query groups need to be evaluated.

Enterprise role

Since the Authorization Manager role is defined according to the permissions required by the role in the application, the role cannot cross the application. In order to make the roles in different applications have the same member qualifications, a public group can be used to implant the application role. This can be done using the Windows group. If the application is managed by the same Authorization Manager policy repository, you can also use the application group to complete. These groups are visible for each application and include role members defined in multiple applications. Therefore, these groups can be assigned as a member of the role in each application. By using the Active Directory globally or universal group, the application role in an organization can have similar memberships across applications and Authorization Manager policy repositories.

Back to top

Review

Authorization Manager provides two types of audits.

• Authorization Manager runtime review • Authorization Manager policy storage Change audit Authorization Manager runtime review

Authorization Manager runtime audit audit audit:

• Application Initialization • Client initialization or deletion • All audit passes and audit failed AccessCheck calls

The audit can be configured on a repository or application level. Authorization Manager runtime audit can be enabled through the GenerateAudits feature of the AzauthorizationStore interface, which is stored in the Authorization Manager policy repository.

To use the Authorization Manager runtime review, the system running Authorization Manager must enable the audit, and the context of the Authorization Manager interface must have se_audit_name or generate audits permissions. If an application needs to enable the audit, you can get audit permissions by passing the AZ_AZSTORE_FLAG_Audit_is_critical flag to IAZAUTHORIZATIONSTORE :: Initialize. This requires the application to have SE_AUDIT_PRIVILEGE, otherwise IAZAUTHORIZATIONSTORE :: Initialize will fail.

Authorization Manager Policy Repository Change Review

When the Authorization Manager audit policy changes, the Authorization Manager policy storage is triggered. Because Active Directory supports Active Directory object audits, you can use the Active Directory system audit audit Active Directory repository change, which can be configured on storage, application, and scope levels. You can use the System Access Control List (SACL) on the object to review the change of the XML repository as a whole.

Back to top

Application design process

Choosing good roles, tasks, and operations are part of the application design. This section will provide some information to help you design the application.

Determine operation

The operation is a low level, indicating the privileged operation or capability of the application. You must create an operation for each routine, query, method, etc. that contain a single application function that needs to be accessed. Single operation is not enough to perform a advanced task, but more advanced tasks may be required, but the operation itself is always performed as a unit and must be protected.

For example, an operation itself (eg, ReadorderInfo) is not enough to perform advanced task Process ORDER, while another advanced task (such as query order status) may require the same routine. Create an action for the required routines to create conditions for better permission specifications. The more accurately defined, the higher the flexibility of administrative privileges. However, the operation is defined too accurate, and management will be more complicated.

For many resource managers, the operation corresponds to the securely secure routine, programs or queries for processing data or resources. The operation may be low-level, which is only meaningful for application developers. In order to create permissions for administrator meaning, application developers need to group low-level operations into the Authorization Manager task object.

Figure 4: Operation and task View full size image.

Define task

As mentioned above, the application needs to be operated for routine definitions of each run as a unit and must be protected. Through this allows the application to grant access to access more accurately, but multiple operations need to perform applications to disclose advanced tasks disclosed by users. In this case, you must determine which action to perform this advanced task and create an Authorization Manager task object for this advanced task. This requires some research in management. Task objects simplify role management by providing meaningful advanced authority sets, which corresponds to administrators to administer the application tasks performed by the authorized user. Therefore, for the application, the installation of the full task set to control all the use of the application is very important. Figure 4 shows how to use task objects to combine permissions into advanced tasks. BizRules

The Authorization Manager Task object has an additional functionality that is limited to the permissions granted in the task based on the additional VBScript or JScript of the task. This allows access control decisions to consider runtime data, such as the amount of dollars for the request, or the inventory of the requested item. BizRules runs during AccessCheck calls and runs in the context of the web application within the thread of the AccessCheck. If BizRule returns success information, the user will receive the request operation associated with the task. If BizRule fails, the client is not allowed to perform operations associated with the task. These users may also perform these operations through a separate task. Parameters are passed to BizRule via AccessCheck, which uses the name and value array as a parameter. For example, the first element in the VarparameterNames array is the name of the first element corresponding to the VarparameterValues ​​array. The name arrament of the BizRule parameter must be sorted accordingly so that the name and value have the same index.

An application license policy can have multiple tasks. Each task can have associated Bizru, or no. Application administrators can also add new tasks and bizrule. In the design phase, the application developers don't know if they need to specify the BizRule parameter (because the call to AccessCheck is not necessarily used to use BizRule), the application must send these parameters that BizRule may need. For the convenience of BizRule developers, the application must define and publish the BizRule parameter set sent to each AccessCheck call.

AccessCheck should be used as a data type sent by the BizRule parameter including information such as user names and restrictions. Restrictions may include the following: limits, accounts, or ID numbers, or one user manager. Any data that may be used to determine if it is granted to access permission at runtime can be used in each AccessCheck call, and must be included in the list of published BizRules parameters.

BizRules requires users to have some scripting knowledge, so it is not suitable for most administrators to create and modify. Typically, BizRules should be developed and provided with the application, or by application vendors, or develop by other developers later. Since BizRule in each run calls Windows Script Engine (Windows Script Engine), BizRule should belong to a small task, such as a given parameter or query the database.

Sample bizrule

Below is a BizRule written to JScript, here with a 24-hour clock to ensure that it is between 9:00 and 17:00 daily:

AzbizruleContext.businessRuleResult = false; dt = new date ();

Hour = DT.GETHOURS ();

IF (Hour> 9 && Hour <17)

{

AzbizruleContext.businessRuleResult = TRUE;

}

In order to provide the performance of the frequently called BizRule, the life of the BizRule's call results are buffered for the life of the client. Because of this, BizRule is sensitive to time, as mentioned above. The application buffer the client on the apparatus to properly shorten the amount of time.

Below is a Microsoft Visual Basic Scripting Edition (VBScript) BizRule, which guarantees that the value of parameters called Expamount is less than 500:

DIM AMOUNT

AzbizruleContext.businessRuleResult = FALSE

Amount = azbizruleContext.getParameter ("Expamount")

If Amount <500 Ten AzbizruleContext.businessRulesult = TRUE

When BizRule references a parameter, AccessCheck will be a specific BizRule, buffer parameters, values, and results of the client's context life. In this way, when the AccessCheck is called for the same client, the same BizRule is referenced by the same value, the performance can be improved. This means that if only the result of BizRule can only change the result of the BizRule parameter (as the BizRule as described above), the buffered value may be incorrect. Based on this reason, the application using BizRule must periodically release the client context.

Initial role

Some applications have a small amount of hard coding roles, such as administrator, readers, and authors. These applications need to call the Authorization Manager API when starting to create these initial roles.

Determine the scope

The Authorization Manager action domain object is a collection of resources, which can be either a simple set (such as: c: / my documents) or a more abstract collection (eg *. Doc). The application must consider what logic will use to determine the scope. The scope gives applications with great flexibility in applying different access controls to different resources. The form of the collection can be changed accordingly based on what application being controlled accessed. For example, if the application performs actions on other computers, the scope can represent the collection of computer objects and name it as a "computer in the sales department" or "Computer running Windows XP". The only requirement is that the application must be able to map user requests accessed to a resource to a scope that contains the resource.

In addition to the logical resource collection, the scope also provides a significant flexibility to the application, such as incorporating the "Work On Behalf" feature into the application. The "Work on Behalf" feature allows a user to authorize other users to work in his name. For example, assume that Bob wants James to work in his name. In the application, you can implement: Create a scope for Bob, defining a role in this scope to specify a subset of the permissions of Bob and allow James to use this subset. (James is assigned to this role.) When James is connected by BOB and requests permission to execute an action, the AccessCheck operation is performed, this operation uses the Bob Work on Behalf scope to verify whether JAMES has The name of BOB executes the permissions of these operations. Since the scope is defined by each application, and the application maps each access request to the appropriate scope, the application should provide the document so that the administrator knows how to create a naming correct range.

installation

When installing an application, the authorization policy information is installed into a new or existing authorized repository by calling the Authorization Manager API. If the application installs an authorization policy in an existing repository, the installation process should provide a way to perform the installed user to specify the location of the existing repository. After initializing the Authorized Policy Repository, the installer uses the createApplication method to create an application object in the policy repository. Then, for each operation, the installer calls the CreateOperation method. The initial tasks, the scopes and characters are installed with CreateTask, CreateScope, and Createrole methods, respectively. The following VBScript creates a repository for a simple expense application and installs the authorization policy.

'--- Initialize the Admin Manager Object

Dim PazmanStore

Set PazmanStore = CreateObject ("Azroles.azauthorizationStore)

'--- Create A New Store for Expense App

'0 = Open Store for Access Checking.

'AZ_AZSTORE_FLAG_CREATE = 0x1,

'AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY = 0x2, // Cannot Do Access

CHECKING.

'AZ_AZSTORE_FLAG_BATCH_UPDATE = 0x4,

PazmanStore.Initialize 1 2 4, "MSXML: // C: /azpolicy.xml"

PazmanStore.submit

DIM App1

Set app1 = pazmanStore.createApplication ("expense")

App1.submit

'--- Create Operations -----------------------

DIM OP1

Set op1 = app1.createOperation ("Retrieveform")

Op1.operationid = CLNG (61)

Op1.submit

Set op1 = app1.createOperation ("enqueequest")

Op1.operationID = CLNG (62)

Op1.submit

Set op1 = app1.createOperation ("devuerequest") op1.operationID = CLNG (63)

Op1.submit

Set op1 = app1.createOperation ("useformcotnrol")

Op1.operationID = CLNG (64)

Op1.submit

Set op1 = app1.createOperation ("markformapproved")

Op1.operationid = clng (65)

Op1.submit

Set op1 = app1.createOperation ("SendApproValNotify")

Op1.operationid = clng (66)

Op1.submit

'--- Create Tasks --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DIM Task1

Set task1 = app1.createtask ("Submit Expense")

Task1.addoperation CSTR ("Retrieveform")

Task1.addoperation cstr ("enquerequest")

Task1.addoperation CSTR ("Useformcotnrol")

Task1.submit

Set task2 = app1.createtask ("Approve Expense")

Task2.addoperation cstr ("markformapproved")

Task2.addoperation cstr ("SendApprovalNotify))

Task2.addoperation cstr ("dequeequest")

Task2.bizruleLanguage = CSTR ("VBScript")

Task2.bizrule = "Dim Amount" & Vbnewline & _

"AzbizruleContext.businessRulesult = FALSE" & VBNewline & _

"Amount = AzbizruleContext.getParameter (" & Chr (34) & _

"Amount" & chr (34) & ")" & vbnewline & _

"if Amount <500 Then Azbizrulecontext.businessRuleResult =

True "

Task2.submit

'--- Create Role Definitions ------------------------------

Set task3 = app1.createtask ("extribense admin")

Task3.addtask CSTR ("Approve Expense")

Task3.addtask CSTR ("Submit Expense")

Task3.IsRoledefinition = TRUE

Task3.submit

Set task4 = app1.createtask ("eXpense user")

Task4.addtask CSTR ("Submit Expense")

Task4.isroledefinition = trueTask4.submit

'--- Create Initial Scopes and Roles ------------------------------

'--- Only One Scope In this app (We May Instead Choose To Use No Scope)

DIM scope1

Set scope1 = app1.createscope ("allRoutines")

Scope1.submit

Set rolea = scope1.createrole ("Expense Administrator")

Rolea.addtask ("extribense admin")

Rolea.submit

Set roleb = scope1.createrole ("eXpense User")

Roleb.addtask ("Expense User")

Roleb.submit

'--- Demo - Add Every to Expenseuser Role --------------------------

Roleb.addmembername ("Everyone")

Roleb.submit

Application model

Use the Authorization Manager app to use the trusted subsystem application model. Please note that these two models mean a completely different application design, based on trade-off, a specific application may choose to use a hybrid model, which contains a trusted subsystem intermediate layer design and uses role simulation ( Impersonation to maintain the rear end audit, or connect the old backend resource manager.

Role simulation model

Windows 2000 and earlier versions of Windows NT Server support Windows NT role simulation model. In this model, the server application gets a token from the connected client and simulates the client token before attempting to perform a secure operation (for example, open a file). The ACL in this file will be compared to the user token group to determine if the user has permission to open the file. The Windows Server 2003 family has enhanced support for role simulation models through the Kerberos extension and enforcement of protocol conversion.

Trusted subsystem application model

Authorization Manager adds support for a new trusted subsystem application model in the Windows security infrastructure.

Figure 5: Role simulation model and trusted subsystem model view full size picture.

In a trusted subsystem model, the application server account has sufficient access, so it uses all the operations that open to the client. If a client requests an operation, the intermediate application server will authorize the client request based on the authorization policy specific to the application. If the client has permission to perform the requested operation, the server will perform this operation with the name of the client. In this model, the client does not need to directly access resources. The role simulation model is very powerful, which can be applied in many cases, and the trusted subsystem model has some advantages that the role simulation model is not available.

authority management

In the role simulation model, each client user account is used to access backend resources, so it is necessary to maintain DACL of all resources by granting access to each user's appropriate level. When the number of resources separately increases, especially when they are stored in a separate backend computer, the management of DACL becomes heavy. For example, you might organize resource organizations into units protected by the same way, such as in a subtree in a subtree in a subtree, or to organize the user into a group with similar permissions. In a trusted subsystem model, only the intermediate service account is used to access backend resources; therefore, DACL can be simplified by just granting sufficient access to this service account. The service account should not have full control permissions or local administrators, but it must have sufficient permissions to perform the entire operation of the application. Application designers can document the privilege level required by the application in backend resources. This reduces the management of DACL because only the service account needs to access them. The service has access to the right to access the resource, so you must trust the service will not accidentally let a user access another user resources.

Permission extraction

In the role simulation model, it is difficult to authorize the user's execution of advanced tasks by distributing DACL into the resource. Advanced tasks (such as submit expenses or query list) may need to perform several operations on backend resources. Permissions extraction is to accurately determine which low-level resource privileges requires the advanced application operations. This may be very time-consuming, especially in the case of using many protected resources.

In practice, sometimes in order to save time, the administrator will grant too much access. The trusted subsystem application model allows the administrator to only grant access to service account access. Since only allows the service account to access the resource, determine the correct access to relatively easy: Usually the server will give all the operations that may be needed to execute server applications (defined by application designers). The administrator does not need to define and maintain permissions in DACL.

connection pool

Typically, better scalability can be achieved by using the connection pool. Since the role simulation model maintains the user context by requesting the resource server, each user request usually needs to be independently connected to the resource server. If you create a connection for each client, you can avoid reuse a connection to connect to the resource server, such as an SQL database. A trusted subsystem server application authorizes the client's request, and accesses the remote resource for the client in the context of the application service account. Since there is no need to establish a new connection, the application server can use the same to the resource server to serve the request from different clients.

Controlled access point

Some applications enforce the rules and workflows in the application server. In the role simulation model, each client gets appropriate access to each resource. Since the client has permissions that directly access the resource, they can be accessed by a way, rather than accessible by an application with a specific purpose, as this approach causes unexpected access and operation of the resource.

In a trusted subsystem, only the application service account has access to resources. This means that users cannot access access to resources directly through a tool or API. Under this model, the application server is more controlled to how users view and manipulate resources.

Review

The audit allows the administrator to determine which users try to get access to specific resources. If the audit is generated by the same application that manages these resources, it has the greatest authority. The role simulation model is to determine which users try to access specific resources by maintaining user contexts when the user requests access to each system. This allows the remote system to record users and the requested access.

When you use a trusted subsystem application model, the backend resource manager generates an audit, which records the server's service account as an account requested to be accessed, not the client user who performs operations in its name. When performing access authentication (in other words, when calling the AccessCheck API), Authorization Manager provides a runtime review, but these audits are generated on the application server. Because of this, you want to map the access audit on the backend resource to the requesting user, requiring the audit log on the application server to associate with the backend audit. In the Application Server, you can know more information about the advanced task of the client is requested, so a larger degree user intent can be recorded in the audit. In the backend resource manager, you can only review the low operation request, so it is more difficult to determine that users more advanced activities may be more difficult. Other differences

In the role simulation model, the service account running the application server may rarely or has no access to resources. In order to access resources in the name of the client, the application server must simulate the client security context. When the client is connected to the application server, the application server can get the secure context of the client. If you limit the permissions of the server context, when a threat to the server succeeds, access to the server will be limited to the connected client. If an attacker wants to get a high degree of access to backend data, they must threaten the server and wait for the user to connect. As a user is connected to a threatened server, the attacker's access rights will grow proportionally with the permissions of the connected users. If an account with high privilege is logged in to this server, the attacker has also gained access to these resources because they have the ability to simulate the client to access these resources.

A trusted subsystem server has a high degree of access to the application resource, so if the server is threatened, the attacker gets highly access to these resources. However, because the client will not be simulated, the attacker is limited to access access service context (the application's resources). Attackers have obtained high access to application resources, but they are not accessible to non-application resources.

Back to top

Development Authorization Manager application

The server application uses the Authorization Manager runtime interface to manage the connection of the authorization policy storage and verify the client request.

initialization

When the application is running, it uses the IAZAUTHORIZATIONSTORE :: Initialize interface to initialize the Authorization Manager policy repository. The application must have read permissions on the authorized repository, but there is no need to have write permissions. After connecting to the repository, the application calls IAZApplication :: Initialize to initialize an interface to the specific application in the policy repository.

Client connection

When a client is connected to the application, you must create an Authorization Manager context for the user. You can use IAZApplication :: IntiializeClientContextFromToken, IAZApplication :: AzinitializeClientContextFromstringsID or IAZAPPLICATION :: InitializeClientContextFromName method to be created. Usually if there is a token available, you can use the token to create the context. The token is usually a Windows login result that contains login information (for example, whether it is interactive login or network login). Creating a context through a token is usually faster because it does not need to query the domain controller for gain information. In a few cases, it is possible to provide role allocation based on these login features, so if you can, use the InitializeClientContext API in the FROMTOKEN. For example, if a user logs in to the network in an interaction, the NT Authority / Interactive group will be added in the generated token. Using the initializeClientContextFromName (or SID) method, you can create an IAZCLIENTCONTEXT object by finding a user group allocated in Active Directory. Since the user has not logged in, the context does not contain some groups, including the NT Authority / Interactive group identifies the login type. In this case, if a member in a group or role is given in an interactive group, the user context created by INITIALIZECLIENTEXTEXTFROMNAME will not receive the member. It is recommended that you do not use these login feature groups to secure resources or specify members in group or roles so that INITIALIZECLIENTCONTextFromName and InitializeClientContextFromsid methods are used. AzinitializeClientContextfromstringsid method creates an Authorization Manager context from a given SID in text format. It is similar to the method of the initializeclientContextFromName method. If the AZ_CLIENT_CONTEXT_SKIP_GROUP tag is used, the AzinitializeClientContextFromStringsID method is not able to try to determine a group member for a given SID. The above-mentioned client context contains only a specific SID. If the IAZAccessCheck method is called from this client's context instance, only the role member is only authorized when this particular SID is used as a member of a role or a member assigned to a role.

Role inquiry and authorization

After creating a client context, the application can query the role information related to the user to present the user interface according to the user role member. For example, a web-based application can presen a user user interface to a user who acts as a manager role, and returns other people as an employee role. The IAZCLIENTCONText :: Gtroles method lists the user role members. The role set returned by Gtroles is only based on explicit member assignments; getRoles does not assess BizRules.

When the user generates a request, the application maps the request to the desired operation and determines which mode of the user generates requests. The application is then called AccessCheck to send this scope, the requested operation, BizRule parameter, and object name. This scope can determine a user role member, and by the user role member to determine if the user access is granted.

Back to top

performance

The performance of application initialization and access verification is different from the application of the application such as XML storage, BizRules, and LDAP query groups. There are several ways to app designers to consider to meet performance requirements. Application initialization performance

When you use the Active Directory repository instead of using the XML Authorization Manager storage provider, the load time of the large repository will be improved. When an application initializes a connection to the Authorization Manager policy repository, the authorization policy is loaded into the address space of the application. The number of strategies loaded depends on the storage type.

• The Active Directory Authorization Manager policy repository allows you to load or uninstall the Authorization Manager application object as needed, and allow you to load the Authorization Manager scope object only when you need it. (To get more information, see "Active Directory Authorization Manager Store" in the previous article.) • The XML Authorization Manager storage provider loads the entire license policy into memory.

In addition, the time spent in the initialization increases with the number of objects in the Authorization Manager policy storage, or increases with the number of members in the Authorization Manager application's basic group. To minimize the capacity of the application group, use the Active Directory group policy in the case of conditions allowed, and then use these Active Directory groups in the Authorization Manager application group or role.

AccessCheck performance

The Authorization Manager AccessCheck method provides a flexible way to optimize performance of BizRules and LDAP query groups.

AccessCheck method:

1. Identify the scope of the application to the AccessCheck routine, which can be the routine in the scope, or the routine in the global scope. 2. Role set in the scope in step 1 is listed. 3. Discards roles do not involve the requested operation. If roleforaccessCheck is specified, the characters other than these specified roles will be discarded. 4. Check the client security context member qualification in each role. 5. If this client is a member of the role in step 4, AccessCheck records all request operations assigned to the role when authorization. 6. To apply each role in the action domain, perform steps 3 through 5 repeatedly.

The above logic is up to three times.

1. In the first pass, AccessCheck ignores all tasks including BizRules and all applications that contain LDAP queries. BizRules and LDAP queries require a long time and require network operation, so the first time is carried out without the need for the above tasks and groups. 2. In the second pass, AccessCheck processes BizRules, but still ignores the LDAP query group. Assuming that BizRules is simple, it does not include network operations, so they may be faster than LDAP queries when processing. 3. Thirdly pass all data, including the LDAP query, which uses the result of buffering during the previous iteration. AccessCheck is terminated at the time of authorization to access all requests.

Since optimization of AccessCheck is used to evaluate static membership, then evaluate dynamic member qualifications, and first evaluate the task without BizRules, then evaluate the task with BizRules, where you can use static allocation to optimize performance.

The Authorization Manager application group is evaluated until you call AccessCheck and query member qualifications in a role. (The process of this group evaluation is also known as Late-Bound.) For the LDAP query application group, once a user is qualified for a user, the user membership in the LDAP query group will be for the user context. The life of the object is buffered. Because of this, the AccessCheck calls that include group assessments will accelerate because group membership has been parsed and buffered. As best practices, BizRules must be calculated to maintain a smaller value. In AccessCheck calls, BizRules provides maximum flexibility, so minimizing performance. The network will make BizRules to reduce the performance of AccessCheck. This is usually inevitable, for example, if you need to query the database to verify the review history, this query will delay the result of returning to the user.

Back to top

Environmentally-specific design matters

Authorization Manager is designed for use with trusted subsystem applications, where access is completed in the server's context, and the ACL in the back-end server resource only needs to grant application server service account access. (To learn more, see "Trusted Subsystem Application Model" in front of this article.) In order to use trusted subsystem models, the usual application server will run in the context of a dedicated service account. Since the application needs to read the Authorization policy information from the Authorization Manager policy repository, the security context of running the application requires read permissions for the repository. You can implement this: indicating that this dedicated service account is the reader of the Authorization Manager policy repository. These operations can be done through the Authorization Manager MMC (Microsoft Management Console, Microsoft Management Console).

If you use a role simulation in your application, you cannot simulate the client when calling the Authorization Manager API. The only exception is when you want to initialize a client from the simulated thread context. In this case, IAZApplication :: InitializeClientContextFromToken method is called and 0 as a UllTokenHandle parameter. Other Authorization Manager interface read the Authorization Manager Authorization Policy Repository (including user role information), and the IAZAPPLICATIN :: AccessCheck function runs bizrules and parsing the LDAP query group. Since the user needs to have a high degree of access to read the authorization policy and execute the BizRule script operation, you cannot call these functions when you simulate the security context of the user. Each Windows programming environment provides you with different options for managing role simulations and calls Authorization Manager from the service account from the application.

ASP.NET

The application server written in the ASP.NET can use the Authorization Manager API with .NET Interop included in the / Authman catalog in the .NET framework. In order to create a trusted subsystem model in ASP.NET, you need to run the application server under a service account. In order to configure your ASP.NET application, you can run under a service account, you need to create a separate IIS 6.0 Worker Process (Worker Process), which runs the security created for the application server. The context. Then configure your ASP.NET application to enable it to use this dedicated IIS worker process. To learn more about the IIS 6.0 worker process, see the Microsoft Internet Information page in the Microsoft Web site: http://www.microsoft.com/technet/Prodtechnol/Windows2000serve/technologies/iis/default. MSPX. Another option is to use ASP.NET to configure the context of running applications, apply the web.config file to your ASP.NET application. In this case, you must configure the ASP.NET application to make it run as a dedicated service account. Your ASP.NET application calls AzauthorizationStore.Initialize when initialization is connected to the Authorization Manager repository and then calls Azapplication.Initialize to load the initial percentage of the application authorization policy.

At runtime, if you have a client established a connection, you can create a user context from the client's account name or from the token representing the client. This token can be retrieved in the ASP.NET through the ASP.NET HTTPWORKERREQUEST object. Authorization Manager can also initialize a context from a client SID, although this approach is not always available in ASP or ASP.NET. It is recommended that you if possible, you should initialize the Authorization Manager context from a token because you do not need to query the user account object when you initialize a token. This may need to query Active Directory through the network.

The following code calls the Authorization Manager API through the ASP.NET, using a .NET Interop collection to approve an expense approve. These codes are a simple web expenditure application that runs under a dedicated service account. The Authorization Manager policy repository for this application can be created by the VBScript installation script mentioned earlier in this article.

<% @ Page language = "c #" debug = "true"%>

<% @ Ask.Interop.security.azroles "%>

<% @ Import namespace = "Microsoft.Iterop.security.azroles"%>

<% @ Import namespace = "system.Runtime.InterOpServices"%>

<%

Microsoft.Interop.Security.Azroles.azauthorizationStoreClassazmanStore =

New

Microsoft.Interop.Security.Azroles.azauthorizationStoreClass ();

// Keep The Authorization Store in A Safe Place Out of the Web

Space.

AzmanStore.Initialize (0,

@ "msxml: // d: /securedir/mywebappsazstore.xml",

NULL);

IAZApplication Azapp =

AzmanStore.OpenApplication ("Expense", NULL;

Handleref token = new handleref (this, (httpWorkerRequest)

(IServiceProvider) Context .getService (TypeOf (httpWorkerRequest)))). Getu

SERTOKEN ());

// -------------- Create Client Context --------------

IAZCLIENTCONTEXT CONTEXT =

Azapp.initializationClientContextFromToken

(Uint64) token.handle,

0);

Object [] scope = new object [1];

SCOPE [0] = ""

Object [] Operations = New Object [1];

Operations [0] = 55;

// --------------- DO Access Check --------------------

// set up bizrule params. To Optimize Performance, Name / Value PaiRs MUST

// be Placed in Array Alphabetically

Object [] BRNAMES = New Object [1];

BRNAMES [0] = "expamount";

Object [] brvalues ​​= new object [1];

Brvalues ​​[0] = Convert.Toint32 (Request.QueryString ["Amount"]);

Object [] results = (Object []) Context.accessCheck ("approve",

SCOPE,

Operations,

BRNAMES,

Brvalues,

Null, NULL, NULL

Bool bauthorized = true;

Foreach (int IRESCode in Results)

{

IF (Irescode! = 0) // ZERO = No Error

{

Bauthorized = false;

Break;

}

}

Response.write (String) Context.usersAmCompat "
");

Response.write

"Approval of" Convert.TOString (BrVALUES [0]) "WAS");

IF (bauthorized) {

%> Denied . <%

}

%>

ASP

Applications using Authorization Manager usually use trusted subsystem models. The context of each connected client is simulated by designing, an IIS Application Service Provider (ASP) application simulates the context of each connected client. In order to use trusted subsystem models in ASP, you have two options:

Select 1: Authorize and simulate the web expense service account using the Internet Information Services 6.0 URL and simulates the web expense service account.

Create a standalone IIS 6.0 worker process running on security context created for ASP applications. This will run an instance of IIS and ASP under a dedicated service account for this ASP application. Under normal circumstances, the ASP application is running in analog authorized users. IIS 6.0 URL Authorization allows you to configure the ASP application to run in the context of the IIS worker process. Since you have established an IIS worker process and run under the application service account, we can use IIS 6.0 URL to authorize the ASP application in that security context. IIS integration licenses still verify the client, but it does not simulates the client, but authorized by IIS 6.0 URL to make ASP applications run under the service account. If a client establishes a connection and authenticated by IIS, you can use the ASP server variable auth_user to retrieve the authorization name of the client and call Azapplication.initializeClientContextFromName to create an Authorization Manager context for the client. To learn more about the IIS 6.0 URL license, please refer to "IIS 6.0 URL Authorization" later in this article.

The following code is an ASP application that uses Authorization Manager to verify the expenditure approval. This code assumes that the ASP application simulates a specialized service account instead of simulating the client security context. As mentioned above, the application is set to analog IIS worker processes using IIS 6.0 URL.

<% @ Language = "VBScript"%>

<%

DIM CCHANDLE

DIM RESULTS

DIM Names (5)

DIM VALUES (5)

DIM Scopes (5)

DIM Operations (10)

Dim azmanstore

DIM APP

DIM Username

Set azmanstore = createObject ("azroles.azauthorizationstore")

'Set myuser = session.getObject ("ldap")

UserName = Request.serverVariables ("logon_user")

AzmanStore.Initialize 0,

"msxml: // d: /inetpub/wwwroot/mywebappsazstore.xml" set app = azmanstore.OpenApplication ("Expense")

'--------------- Create Client Context --------------

Set cchandle = app.initializeclientContextFromName (username)

'--------------- DO Access Check --------------------

'Set up bizrule params. To Optimize Performance, Name / Value PaiRs Must

Bo

'Placesd in Array Alphabetically

Names (0) = "expamount"

VALUES (0) = 0

Names (1) = "Param2 for bizrule - NAME"

VALUES (1) = "param2 for bizrule - value"

Scopes (0) = EMPTY

Operations (0) = 55

IF LEN ("Amount")> 9 THEN

Response.write "Amount Field Is Too Long, please try again."

Else

Set reg = new regexp

Reg.pattern = "/ d " 'Look for Something Other Than 0-9'.

If reg.test (Request.QueryString ("Amount")) = false kil

VALUES (0) = clng (Request.QueryString ("Amount"))

'-------- AccessCheck -------------------------------------- -

Results = cchandle.accessCheck ("Approve",

Scopes, Operations, Names, VALUES

If Results (0) = 0 THEN 'ZERO = NO_ERROR

Response.write "Approval of" & Values ​​(0) & "Was Accepted."

Else

Response.write "Approval of" & Values ​​(0) & "Was Denied."

END IF

'------------------------------------- -------------

Else

Response.write "Must Enter Number, please try again"

END IF

END IF

Set cchandle = Nothing

Set app = Nothing

Set azmanstore = Nothing

%>

Select 2: Create a custom COM object and interface to control the role simulation.

Create a custom COM object that allows you to control role simulations via an ASP application. After this, establish an IIS work process to run it in a service account (as described above), and use this custom COM object to call the REVERTTOSELF API, and return to the IIS Worker Process Context (ASP application service account). Next, call the ImperSonateSelf API to simulate the context of the IIS worker process. (ASP needs to run the application under the role simulation.) Save the client token in this step because it will be used later. By simulating the IIS worker process from a custom COM object, you can call the Authorization Manager API to initialize the Authorization Manager Policy Repository and the ASP application service account (the security context you want to use by the worker process you are configured) Authorization Manager application. The process of initializing the Authorization Manager policy storage and application objects is only performed when the ASP application is initialized.

When a client request is generated, you must create an Authorization Manager client that uses it to verify the access rights of the client. To create such a client context, you can use the ASP server variable auth_user to get the client's user name and call Azapplication.initializeClientContextFromName. But you can choose to create a client context with your login token by custom COM object. You can do this: An function is disclosed in your custom COM object, use it to retrieve your token in front, and call the ImpersonateLoggedonuser API to simulate the secure context of the client. Then, use the AzApplication.initializeClientContextFromToken method for parameters (0,0) to create the Authorization Manager client, which can create the Authorization Manager context from the current thread token. Since you are simulating the client, the current thread token represents the client, and the Authorization Manager client created by the token can also represent the client. Once completed, use your custom COM object to simulate the ASP application service account again, as described above.

This way is feasible because we call Azapplication.initializeClientContextFromToken, and the AUTHORIZATION Manager context created by the API is the token originating from the calling thread when you specify value 0 to the token handle. In this case, since we simulate the client user, the Authorization Manager context created will represent the client.

Implement a custom COM interface to manage role analog needs to perform other work, but use a custom COM object to control role simulation, which is good, you can use client tokens reserved in IIS to create the context described. . Use the Azapplication.initializeClientContextFromName interface to query the user account object in Active Directory. It will be better than using the token because the token already contains this information.

C, C and Visual Basic

You can use local C, C or Visual Basic language to control role simulation by calling various context management APIs (such as ImpersonateLoggedonuser, OpenThReadToken or RevertToSelf). In these languages, the application server can be installed as a Windows System service and run under a dedicated account of the service application. When the application is initialized, it first calls AuthorizationStore.Initialize to connect the Authorization Manager policy store and load the information, then call azapplication.initialize to create a COM interface. When a user logs in into the application, it uses any means of the selected to verify the client. If a local Windows authentication mechanism is used, such as: Security Service Provider Interface (SSPI), Distributed Component Object Model, DCOM, Remote Procedure Call, RPC) or Named Pipes, then the application server uses the token generated, and create an Authorization Manager context with one of the following two methods:

• Use the appropriate role analog API to simulate clients, such as IMPERSONAMEDPIPIPECLIENT or IMPERSONATECURITYCONTEXT in SSPI, and call IAZApplication :: InitializeClientContextFromToken, specify 0 as the handle value of the token. • Query the client's token handle, such as QueryContextAttribute in SSPI, and use the handle during the call to IAZApplication :: InitializeClientContextFromToken.

If you use a non-local Windows authentication mechanism, the application can map the validated client to a Windows account, then use the IAZApplication :: InitializeClientContextFromName API, specify a name for the client mapped to the client after the verification is complete.

Back to top

Internet Information Services 6.0 URL Authorization

The Internet Information Services (IIS) 6.0 integrating the Windows Server 2003 family is integrated, enabling the IIS 6.0 URL authorization to provide the application administrator's ability to access the URL. This capability is based on custom user roles, LDAP queries, and bizrules are implemented.

Authorized users access a number of DACLs in the resources used in IIS to manage the resources used by the web application. Resources for web applications may include web page files, database records, registration code, and more. Administrator If you want to maintain DACL, you need to accurately know what bachelline that needs to perform meaningful tasks in the web application. IIS 6.0 URL Authorization allows administrators to simplify access management by authorizing users to access URLs that make up a web application. When a user requests a URL, IIS 6.0 URL authorization will verify the user's access rights based on the user role. This allows the administrator to control all access to the URL instead of controlling each DACL on each object, simplifies access control management. Web applications can use Authorization Manager role-based framework to further limit access to resources. IIS 6.0 URL is implemented as an ISAPI IntercePtor.dll, configured to extension of an application, virtual directory, or URL. When an application, a virtual directory, or URL is configured to authorize the IIS 6.0 URL, each request for the URL is routed to the URL authorized ISAPI interceptor (Interceptor). IIS 6.0 URL Authorized ISAPI interceptors use Authorization Manager to authorize access to the requested URL. To achieve this, the URL (application, virtual directory, or single URL) must be associated with an Authorization Manager policy store with an authorization policy that contains the URL. Once the client is authorized to access the URL, IIS 6.0 URL Authorization ISAPI passes the request to the appropriate handler of the URL, such as ASP, ASP.NET ISAPI, or a static file handler.

Figure 6: IIS URL authorization. View full size picture.

Using IIS 6.0 URL authorization, administrators can control access URLs based on information available only when runtime. For example, you have a web page that is only visible to an employee in a given cost center, or an employee of a particular age, then you can check according to the LDAP query (which is used to check the cost center attribute of the user object or Age properties), assign roles to the correct user. If an employee can only access a specific page in a certain day, or in a certain period of time, you can create a bizru, depending on these values ​​or any value that can be declared at runtime (including IIS server variables) ) To authorize access to the URL.

Set IIS 6.0 URL Authorization

To use IIS 6.0 URL license, you can set the Metabase property in the application, virtual directory, or URL:

• Azenable: Enables URL authorization to enable the virtual directory, application, or URL corresponding to the entry in Metabase. • AzstoreName: Allows the Authorization Manager repository to associate with virtual directories, applications, or URLs. • AzsCopename: Enables virtual directories, applications, or URLs associated with the scope. This scope is the name of the scope within the IIS 6.0 URL authorized application in the AzstoreName property referenced. If it specifies an empty string, or does not specify a scope at all, use the IIS 6.0 URL authorized default scope. • AzimPersonationLevel: The role simulation behavior of the application can be determined. This allows you to configure the web application to simulate the iUser_ * account of the client user, IIS worker process, or worker process. Each setting greatly changes the environment and implicit design of the web application. This value is set to 0, 1 or 2 to correspond to the predicted role simulation. 0: Simulate the authorization client. Some applications require client role simulations such as ASP 2.0 applications. For applications that are expected to run while simulating clients (such as ASP 2.0 applications), you can use this value if you want to use URL license. 1: Simulate the IIS worker process. Use this value when the application runs as a service account in a trusted service context, authorize each client request itself and execution of the request. For more information, see the "Trusted Subsystem Application Model" in front of this article. 2: Simulate anonymous user account. This allows you to use the URL authorization to authorize the client to run the web application as an anonymous account while accessing the URL to restrict all client access through the web application. The following scripts use ADSI to set these properties for IIS Metabase for applications, virtual directories, or URLs.

'Seturlauth.vbs

'Configuring Urlauth with a vdir.

'This Script Uses adsi to configure a vdir in The IIS 6.0 Metabase.

TO USE

'IIS 6.0 URL Authorization.

'

'This script assumes what the the IIS vdir corresponding to the

Application HAS

'Already Been Created.

'

'After Running this script to verify the settings, use the adsutil

Tool Like So

'

'Inetpub / Adminscripts / AdsuTil Enum W3SVC / 1 / ROOT / MyApp

'(Where myapp is the app name)

'Use the authorization manager mmc snap-in to do the folload:

'Create An Application Called "IIS 6.0 URL Authorization"

'Create An Operation Called "AccessURL" with an Operation ID OF 1

'Create a Scope Corresponding to the azscopename specified to thisscript.

'This scope name will be used to manage access to urls in this

VDIR

'Make Sure That The Iis Worker Process Has Read Access To The THE

'Azman policy store. You can do this using the azman ui (Right

click

'Store and Select Options and The Security Tab

Set objargs = wscript.arguments

IF Objargs.count <4 THEN

Wscript.echo "Usage: seturlauth vdirpath azscopename azstorename azenable

[ImpersonationLevel] "

WScript.echo ""

WScript.echo "Example:"

WScript.echo "SETURLATH W3SVC / 1 / ROOT / MyApp MyApp

Msxml: // d: /inetpub/wwwroot/azstore.xml True 1 "

WScript.echo ""

WScript.echo "Run with 'CScript' Command in Cmd.exe to Avoid MSG

Boxes "

Else

WScript.echo Objargs (0)

'

'Get interface to the vdir object

'

DIM IIS

Set IIS = getObject ("IIS: // localhost /" & objargs (0))

'Set Scope Name - this Scope Will Preside over Urls Referring to this vdir

'This Scope Must EXIST in The Corresponding Authorization Manager Store.

'

Iis.azscopename = Objargs (1)

'

'Specify Location Of Authorization Manager Policy Store

'

Iis.azstorename = Objargs (2)

'

'Enable Urlauth for this vdir

'

Iis.AZENABLE = Objargs (3)

'

'Set Impersonation Level

'

IF Objargs.count> 4 THEN

Iis.azimpersonationLevel = Objargs (4)

END IF

'

'Write Settings to Metabase

'

Iis.setInfo

END IF

When requested a web page, the URL authorization will authorize the client according to the Authorization Manager authorization policy (if the client is allowed to access the URL). If you want to configure security context through AzimPersonationLevel, you need the correct IIS directory security and NTFS permissions. With IIS URL authorization, you can use trusted subsystem models to easily maintain NTFS permissions. For more information, see the "Trusted Subsystem Application Model" in front of this article. When configuring IIS 6.0 URL license, you can identify the Authorization Manager policy repository for your application, virtual directory, or URL through the AZStoreName property in the IIS Metabase entry. To manage the authorization policy, you can follow the steps:

1. Click the "Start" button, click "Run", type azman.msc, and press Enter. 2. In the console tree, right-click Authorization Manager, and then click "Open Authorization Storage". 3. In the repository name, type the path to the location of the authorized repository, which is identified by the AzstoreName property, and then click OK.

To get more information about opening an authorized repository, see the Authorization Manager MMC Help in the Authorization Repository and Application chapter.

The IIS 6.0 URL of the repository authorized by IIS 6.0 URL Authorization application. The AzsCopename property in the Metabase is managed in the IIS 6.0 URL Authorization application. This scope can be used to manage access to the corresponding URL. When configuring an application, you must create the same scope as the name specified in the AzsCopename property of the corresponding garace entries in the Authorization Policy Storage.

The authorization policy repository with the Authorization Manager MMC shown below can be used to manage access to Web Expense applications and Web Application 2. This storage also includes an authorization policy for these applications.

Figure 7: Managed the Authorization Manager for two web applications View full size pictures.

IIS 6.0 URL authorized authorization policy stores in the Authorization Manager policy repository for Active Directory or .xml files. With IIS 6.0 URL authorization, you can maintain the license policy of the URL as the Web application that uses Authorization Manager to control access to application tasks and operations. By maintaining the authorization policy in the same storage, administrators can manage access to the URL and web application resources from the same Authorization Manager MMC or custom user interface. This provides a generic access point for managing URLs and applications, and in this way, the LDAP query can be combined with the same Authorization Manager while implanting the role of URL licenses and applications.

Configure IIS 6.0 URL Authorization by step.

The following steps create an IIS 6.0 URL authorization for a web application called WebApp, which is installed in the SystemRoot / InetPub / Wwwroot / WebApp folder and configured as an application in IIS:

Note: URL authorized using IIS URL requires Windows Integration Authentication. IIS Web Applications and Virtual Directory Enable Windows Integration Authentication by default. For information on configuring Windows integration authentication, refer to "Windows Integration Authentication" in Internet Information Services Online Help. Establish IIS: Create your application folder under Default Web Sites and disable anonymous access to this site.

1. Click the Start menu, click Run, type% systemroot% / system32 / inetsrv / Iis.msc, and press Enter. You can also click the Start menu, click Administrative Tools, and then click the Internet Information Services (IIS) manager. 2. In the console tree, double-click "Internet Information Service", double-click the computer name, and double-click "Web Site", then double-click the default Web site, right-click the folder corresponding to your web application, click "characteristics ", And then click" Create ". 3. Click the Directory Security tab and click Edit in "Authorization and Access Control". 4. Confirm that the Enable Anonymous Login check box is not selected, click OK, then click OK again.

Set the wildcard configuration characteristics to make it point to Urlauth.dll

1. Right-click the folder where you created in the Internet Information Services (IIS) manager, click Features, and then click Configure. 2. Click "Insert" in the "Wild Contributor Application Map (Perform Sequence). 3. Click "Browse" in Add / Edit Application Extensions, and select all files (*. *) In File Types. 4. Position to the SystemRoot / System32 / InetSRV folder. 5. Click Urlauth.dll, then click Open, click OK, click OK, and then click OK. If you get an error message "Execute the path has been used", it indicates that urlauth.dll has been configured as a wildcard application extension map.

Add URLAUTH.DLL as a new web service extension

1. In the console tree, double-click Internet Information Services, double-click the computer name, and then click Web Service Extensions. 2. In the Details pane, click Add a New Web Service Extension. 3. Click Add, click "Browse", locate the systemroot / system32 / inetsrv /, click Urlauth.dll, click Open, and then click OK. 4. Type the URL authorization in the extension. 5. Check "Set the Extension Status to Allow" check box, and then click OK.

Establish an authorization policy storage in Authorization Manager

1. Click the "Start" button, then click "Run", type "azman.msc" and press Enter. 2. In the console tree, right-click "Authorization Manager" and click Options. 3. Confirm that "Developer Mode" is selected, and then click OK. Now let's create a new repository. For this example, we put the repository in the C: / disc and name it "MyStore.xml". 4. In the console tree, right-click Authorization Manager, and then click New Authorized Repository. 5. Click "XML file" and type C: /MyStore.xml in the Storage Name. 6. (Optional) Type information about this new repository in the Description. 7. Click OK. 8. In the console tree, right-click MyStore.xml and click New Application. 9. Type IIS 6.0 URL Authorization in the Name of New Applications. 10. (Optional) Type information about IIS URL Authorization Usage in "Description". 11. Click OK. 12. In the console tree, double-click Authorization Manager, double-click Authorization Manager, double-click the repository name, double-click "Description", right-click Operation Definition, and then click New Operation Definition. 13. Type AccessURL in the "New Operation Definition" "Name" and type 1 in "Operations". Establish a scope for the application

1. In the console tree, right-click "IIS 6.0 URL Authorization" and click New Scheme. 2. Type WebApp in Name, and then click OK. 3. In the console tree, double-click IIS 6.0 URL Authorization, double-click "Definition", right-click "Role Definition", and then click New Role Definition. This role definition can also be created in a WebApp scope. 4. Type the Viewer in the Name, and then click OK. 5. In the console tree, double-click "Role Definition". 6. In the Details pane, right-click Viewer and click Features. 7. Click the Definition tab, click Add, and then click the Actions tab. 8. Check the AccessURL check box, click OK, then click OK again. 9. In the console tree, go to "IIS 6.0 URL Authorization", then go to "WebApp", right-click "Role Assign", and then click Assign Role. 10. Select the Viewer check box and click OK. 11. In the Details pane, right-click "Role Assign" you created in front, then click Assign Windows Users and Groups. 12. Type your user name in "Object Name (Example) you want to select" and click OK.

Add the IIS worker process to the "reader" role of the repository

IIS default runs on the Network Service account. You can configure an IIS worker process to run it in another account. For this example, we will add "network service" to the "Reader" role.

Note: If you use a remote authorization repository (for example: Active Directory or a storage-based remote XML file), and running IIS in the default network service context, then the Active Directory account of the web server running IIS must be added to The "Reader" role of the repository. 1. If you haven't opened the Authorization Manager MMC, click Start, click Run, type "Azman.MSC", and press Enter. 2. In the console tree, right-click "Authorization Manager", then click "Open Authorization Storage", click Browse, click C: /MyStore.xml (in this example, it is you Want to use the repository), click OK, then click OK again. 3. In the console tree, right-click the name of the repository and click "Feature". 4. Click the Security tab and click Reader in the Authorization Manager User Role list, then click Add. 5. In the Object Name (Example) "box you want to select, type" Network Services "and click OK, then click OK again.

Configure the IIS library for web applications to use the URL

1. Click Start, click Run, type CMD, then press Enter. 2. Use the scripts provided above to create a setUrlauth.vbs file and save the file in the / inetpub / adminsscripts directory. (INETPUB directory defaults to the root directory of the drive installation IIS.) 3. Type the following command and press Enter. 4. CScript SetUrlAuth.vbs VDirPathAuthMgrScopeNameAuthMgrStoreNameEnabledImpersonationLevel For example, you can type the following: Cscript SetUrlAuth.vbs W3svc / 1 / Root / WebApp WebApp msxml: // C: /MyStore.xml true 1 Now, IIS URL authorization had been configured, and You can run the specified web application. Users in the "Observer" role can be positioned to the page of the application.

Important: If you are using the .xml file, you should add a msxml: // prefix; if you use the Active Directory Authorization Manager repository, you should add the msldap: // prefix.

Back to top

Scene: Web expenditure application

In this scenario, a web-based application uses the following procedure.

1. A user accesses the URL of the expense application and selects Enter a new spending report. 2. The user enters an expense report and submits to be approved. 3. The manager receives an email notification to inform him that a spending report has to be approved. 4. Manager access URL for approval, the latter allows managers to check and approve the spending report or dismiss it. 5. If the manager approves the spending report, the report will be added to a verification queue where there is a verification program to check the report, collect the receipt, marked the expense report as "Approval-Verified" (approved verified ) And request a reimbursement.

Note: To get a sample application using the Authorization Manager, see MicrosoftSdkPath / Samples / Security / Authorization / Azman in Microsoft Platform SDK. To learn more about installing Microsoft Platform SDK, see http://www.microsoft.com/msdownload/platformsdk/sdkupdate/ of Microsoft Web Sites. operating

In the above-mentioned expense application scene, the operation can be defined as:

• EXECUTEEXPENSECONTROLS: Using this control allows users to fill in the expense form. • EXECUTEAPPROVALCONTROLS: Using this control allows users to approve expenses. • RetrieveExpenSeform: Retrieves the requested expense form from the database. • SaveExpenSeform: Save the expense form to your local machine. • EnqueApproval: Place the completed form copy in the approval queue. • DequeApproval: Removes expenses from the approval queue. • SendRequestNotification: Send an email to the manager to request approval. • SendApprovalNotification: Send approved email notifications. • ApprovedeExpedse: Mark the expenditure as "approval" or "reject". • VerifyApproval: Marks the expenditure as "Approval-Verified". • setExpenSelimit: Sets the category of the role that can be approved. • fwdRemBursment: Send a message to the Accounts Payable (payment account). • Readapprovals: Reads the expense form in the approval queue. • Readarchive: Reads a spending form in the approved file.

task

In several expense applications, users may need to use some of the above operations. Using tasks must test each task as an independent requirement without other tasks or operational rights.

In the expense application scene, you can have the following tasks:

• Create a report: Fill in the routine of the expense report. Related operations: ExecuteExpenseControls, RetrieveExpenseform, SaveExpenseform. • Submit the report: Upload the expense report to the undressed status queue and send an email to the manager. Related operations: enqueApproval, SendRequestNotification. • View the report: Displays the routine of the unresolved report. Related operations: [CREATE REPORT] AddApprovalQueue SendNotification. • Approved reports: Promoting the report from an unstressed state to the approval state, send an email to the author and inform the payment system. • Test approval: Mark spending is "Approval-Verified" and forwards the compensation request to the operation you need to Accounts PayAble. Related operations: ExecuteApprovalControls, ApproveExpense, SendApproValNotification, FwdRemBursment. • Audit Report: Allows to read the report in the approve queue and the ReadApproval file • Configuring the upper limit: Allow the settlement limit of the employee and manager (SITEXPENSELIMIT)

BizRules

In the Web Expense application, the Approve Report tasks must be attached to the following BizRule. DIM AMOUNT

BizruleContext.businessRulesult = false

Amount = bizruleContext.getParameter ("Amount")

Limit = bizruleContext.getParameter (Limit)

If Amount

It is necessary to set the above BizRule to the Submit Report task require a given expenditure than the expenditure limit. The application retrieves the AMOUNT parameter from the expense report, and the value of the LIMIT is configured by the administrator of the web expense application.

Important: Each BizRule must set the value of BusinessRumeresult to false immediately. If the code error or environmental problem causes BizRule to end too early, the random data may specify the bizrule result value as TRUE to authorize access.

Role and role definition

For web applications, the following roles are defined during the installation process.

Role Task Submit Report View Report Approved Report Report Remove Report Configuration The upper limit User submits these reports submitted by themselves whether the person is submitted to the direct report by the direct report submitted by the direct report by the direct report. Whether to pay for the expenses, all reports are not

Role Assignments

The role assignment is configured by the web expenditure application administrator after installation. The content of the administrator can use is:

• Users: For all employees of the Windows Active Directory group. • Manager: Check the title and quantity of the direct reporting of the LDAP group. (& (Title = Manager) (NumReports> 0)))))

The Active Directory mode must be extended to support these features on the user object. These features are maintained by a separate human resource application. • Inspection procedures: An application base group lists each user of the inspection expense. • Expenditure Management: The Active Directory group of users in the expense statistics section.

After using one of the above techniques to create an Authorization Manager client, the web expense application calls the AzClientContext.getroles method in the client's upper below interface to determine which roles allocated. This way you can use the client role member qualification to determine which options to show the user.

If the user is in the "Employee" role, the spending control will be displayed, allowing the user to submit expenses. If the user is in the "Manager" role, the display page has another zone, which shows the submitted pending spending form list in this area.

Tight the role name and application logic will cause the administrator to modify difficult, so the application must use an agreement, based on role membership custom expressions. In this example, "Employees" and "Manager" roles are not hard coded into applications. In contrast, the role name corresponds to the HTML file with similar name. In addition, the ApplicationData feature of the Azrole ​​object can also be used to provide expressions information for the application.

When a user clicks a form button to create a new spending report, the web spending application calls AccessCheck to send an operation value corresponding to the ExecuteExpenSecontrols, RetrieveExPenseForm and SaveExpenSeform operations. Do you can prevent restricted users from loading these controls and reducing performance. If this user access control, the control will appear and retrieve the expense form and load it into the control from a SQL storage, so that the user is allowed to enter expense data. After the input is complete, the user clicks the Submit button, the web expenditure application calls AccessCheck, which specifies the operation of submitting a expense need (for example, the number of operass corresponding to the enqueApproval or SendRequestNotification). In addition, as a bizrule parameter calls amount, the number of expenses is sent to AccessCheck. If access is allowed, the expenditure report is uploaded to a SQL queue from the unrequited request, and send an e-mail notification user with a person who has a unresser request. In order to perform these operations, several backend resources need to have certain permissions. Includes NTFS directories in which a spending form is retrieved, the SQL database for storing the submitted spending report and a Web spending Microsoft Exchange account for sending email notifications. The web spending service account is not as simulated and executed as the client, but must be granted sufficient permissions to access the operation in the rear end object to perform the operations required by the application. Therefore, the backend DACL is only authorized to access the Web spending service account. (To learn more, see "Trusted Subsystem Application Model" in front of this article.)

When a manager sees the above-mentioned pending expenses, AccessCheck will test whether he has the ability to use approved control. Then the manager browses the detail of the expenditure and click "Approve" or "Reject". The following operations call AccessCheck: DequeApproval, AppRoveDenyexsese, and SendRequestNotification. In addition, the Amount, Approvingmgr, and Submitter parameters give the following values ​​accordingly: The number of expenses submitted, attempts to approve or reject the current user of these expenses and submit the name of the submit. During AccessCheck, BizRule will call the user as a manager submitted by the user, the method is to verify the privileges of Exchange or SQL for the currently executive manager, and verify that the number is within the currently specified limit.

Back to top

Scenario: Use the authorization manager with a custom principal

Using a custom host or a non-Windows body (eg, SQL, Passport, Microsoft Commerce Server or ADAM main body) can take advantage of the runtime feature of most authorization managers.

Whether in Active Directory, or in XML, the Authorization Manager stores the SID, which uses a member of the group or role, except for the LDAP query group (no static member). When adding a SID to a role or in an application group, it does not verify that it is a SID corresponding to the Active Directory or Windows NT account. You can add a completely meaningless SID as a role or a member of a group. When IAZCLIENTCONText :: AccessCheck is called, the SID in the client context is compared to the SID in the authorization manager role and group, which does not verify that the SID is an Active Directory account. If a client has a custom SID, and one role is also assigned to one of the same custom SID, whether directly assigned or by applying the same custom SID, AccessCheck The function will check if this SID is a member of the role or group with the requested operation, and grants the permissions associated with the role to allocate the SID client. You can use this behavior in the Authorization Manager to add a custom principal type to a role or application base group, and the specific method is to create a custom SID for each custom body and assign the SID to the appropriate role. Or application base group. The SID in the text has such a structure: S-VERSION-AuthorityID-X-Y-Z, where Version is the SID version number, AuthorityID is the security authorization ID of the SID, while X, Y, and Z are sub-authorization values. (All current SIDs are all versions 1.) The SID length can be variable because the sub-authorization number in the SID varies. The SID can have up to SID_MAX_SUB_AUTHHORITIES Authorization. (Defined in Winnt.h.) Custom SID Use 1 as the version number, use security_resource_manager_authority as an AuthorityID value, use the custom value as the sub-authorization number.

When you create a custom SID, you must create a SID design for your application. For example, you must have S-1-9-AppInstanceGuid-userguid, 9 is the resource management sub-authorization number, and AppInstanceGUID and UserGuid are each divided into four sub-authorization numbers. You can also use S-1-9-AppInstanceGuid-userrid, where userrid is the only identifier in the application instance. To get a sample code that generates the GUID, see the Microsoft Windows Software Development Kit (SDK).

Once you have created a custom SID, you can use the AddMember method of the IAZROLE or IAZAPLICATIONGROUP interface to add the SID to the Authorized Manager role or group.

To initialize a client context with a custom SID, you can call IAZApplication :: InitializeClientContextFromSid and specify a custom SID as a string. This creates a valid client context, which is suitable for performing access to the custom subject. In practical applications, a custom main body is verified, the application will map the subject to a custom SID (it is the main body created), and calls InitializeClientContextFromSID to get an authorization manager. Client context. When you call AccessCheck in the client, this SID is evaluated for the members of the authorization manager role and group. Customize the defect

There are some defects that use custom mains.

• You cannot use the LDAP query group. Since the user is not in Active Directory, there is no meaning of the LDAP query group. • You cannot use an Active Directory group or a local machine group. • You cannot use the Authorization Manager MMC user interface. Since the user interface is verified when the user is displayed, the user SID is detected, the administrator can only see the SID of the text string in the user interface, and cannot see the user name. More importantly, the user interface can only get the SID, enter roles and application groups in Object Picker, this way only allows you to extract a valid account or group.

Use custom main body

The following figure illustrates the process of authorizing the custom principal.

Figure 8: Authorized custom subject. View full size picture.

1. Verify the custom main user and map the custom body to an authorization manager to customize the SID. 2. Use the InitializationClientContextFromsid and pass the AZ_CLIENT_CONTEXT_SKIP_GROUP tag to the LOPTIONS parameter, and you can create a client with a custom SID.

Once this is done, you can use AccessCheck to verify if the custom main body is authorized to perform the specified action within the specified scope.