Authorization Manager and Role-Based Administration in Windows Server 2003 (Part 2)
Defining Roles, Tasks and Operations
In the context of Authorization Manager, a role is defined by the permissions that a user requires to perform the tasks related to his or her job. You will generally have a number of people within an organization who perform the same tasks and thus need the same permissions (for example, receptionists). Tasks are specific operations or groups of operations performed on the computer or network (for example, change password). Roles, tasks and operations are defined in Authorization Manager's developer mode.
NOTE: To put the Authorization Manager MMC into developer mode, first open the tool by typing azman.msc in the Run box. Then right click Authorization Manager in the left pane of the console, click Options, and select Developer mode in the dialog box. By default, Authorization Manager opens in Administrator mode.
To define a role, task or operation, in the left console pane of the MMC, expand the authorization store, then expand the application for which you want to make definitions. Finally, expand the Definitions folder, and you will see three folders:
- Role Definitions
- Task Definitions
- Operation Definitions
Right click the folder for the type of definition you want to create and select the applicable New Definition option in the context menu. For example, as shown in Figure A, select New Role Definition to create a new role definition.
The Role Definition dialog box will appear, and you will need to define a name for the role, a description (if desired) and lower level tasks, roles and operations that define the role.
Obviously, you will need to have defined tasks and operations before you can include them in a role, and you must define operations before you can include them in a task. So, despite the fact that they appear in the opposite order in the console, you must make your definitions in the following order:
- Define operations
- Define tasks
- Define roles
The Role Definition dialog box is shown in Figure B.
You can edit definitions by right clicking the definition name in the right console pane of the MMC and selecting Properties.
Creating Role Assignments
After you have defined roles, you can then create role assignments. This is a way of associating application groups (which we discussed in Part One of the article) or Windows users or groups with roles that you have defined.
To create role assignments, you must first add the role definitions you created previously. Right click Role Assignments in the left pane of the MMC, and select Assign Roles. In the Add Role dialog box, shown in Figure C, check the checkboxes for the roles you want to add.
Click OK when you finish checking the boxes, and the role names will now appear under the Role Assignments folder in the left pane. To assign an application group or a Windows user or group to this role, right click the role name and select the appropriate Assign choice from the context menu, as shown in Figure D.
After you add the desired groups in the Add Groups dialog box, the members in that group will be associated with the role you have defined, and will be authorized to perform the tasks that are part of that role.
Creating Scopes
Scopes are an optional component of Authorization Manager; they are created within applications to provide a way to prevent unwanted sharing of the different resources that are used by that application, and to support auditing and delegation.
To create a scope within an application, right click the application name in the left console pane and select New Scope. You'll be asked to type a name and description. The name must be something that can be recognized and processed by the application. For example, if the application is file based, the scope name is based on the file path.
Using Authorization Rules
To automate the process of determining whether particular roles or tasks are allowed, you can use scripts within role and task definitions. These scripts can be written in VBScript or JScript, and are called authorization rules. This gives you tremendous control to define the conditions that must be met for authorization to occur. You can limit authorization to a specific time of day, for example, or base it on whether an expense limit has been met or on the amount in a specified account balance.
You can add an authorization script to a role or task definition during the creation process, or you can add one to an existing rule or definition by right clicking it, selecting Properties, opening the Definition tab and clicking the Authorization Script button. You'll need to enter the script's source code and path, and designate the script type (VBScript or JScript).
There can be more than one rule associated with a role. If so, scripts will be run synchronously (each must finish running before the next starts).
NOTE: Authorization Manager is not used to write scripts. You can compose the scripts in a text editor such as Notepad or in another application. Developing scripts is more of a programming function than an administrative one, so you'll need programming skills and an understanding of authorization-related APIs.
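The following is an added example, not code from the original article or from Microsoft. It ties together the two procedures described above: the definition order the console enforces (operations, then tasks, then roles) and an authorization rule attached to a task. The rule is written in JScript in the form it would be pasted into the Authorization Script dialog, using the real AzBizRuleContext object (its BusinessRuleResult property and GetParameter method). Everything around it is an assumption: the parameter names ExpAmount and Balance, the users and definitions are constructed for illustration, and runBizRule and accessCheck are a simplified stand-in for Authorization Manager's own script host and access check so the logic can be exercised offline under Node.js.

```javascript
// Authorization rule (JScript) as it would be entered in Authorization Manager.
// JScript is ES3, so the rule uses only 'var' and plain statements. The
// parameter names ExpAmount and Balance are assumptions for this example; the
// calling application supplies them when it asks for an access check.
var BIZRULE_SOURCE = [
  "// Deny by default; grant only if every condition is met.",
  "AzBizRuleContext.BusinessRuleResult = false;",
  "var amount  = AzBizRuleContext.GetParameter(\"ExpAmount\");",
  "var balance = AzBizRuleContext.GetParameter(\"Balance\");",
  "if (amount <= 500 && balance - amount >= 0) {",
  "    AzBizRuleContext.BusinessRuleResult = true;",
  "}"
].join("\n");

// Simulated rule host. On Windows Server 2003 this job is done by Authorization
// Manager itself, which hands the script an AzBizRuleContext object; this
// stand-in is an assumption that exists only so the rule can run under Node.js.
function runBizRule(source, parameters) {
  var context = {
    // Starts false, so a rule that never sets the result denies access.
    BusinessRuleResult: false,
    GetParameter: function (name) {
      if (!Object.prototype.hasOwnProperty.call(parameters, name)) {
        throw new Error("rule asked for a parameter the application did not pass: " + name);
      }
      return parameters[name];
    }
  };
  // The rule executes with AzBizRuleContext as a named global. Rules are
  // administrator-authored code, which is why the real host trusts them.
  new Function("AzBizRuleContext", source)(context);
  return context.BusinessRuleResult === true;
}

// Constructed definitions in the order the console requires: operations first,
// then tasks (which group operations and may carry a rule), then roles (which
// group tasks). This is a simplified model, not AzMan's real resolution logic.
var definitions = {
  operations: { ApproveExpense: 1, ReadReport: 2 },
  tasks: {
    "Approve Expense": { operations: ["ApproveExpense"], bizRule: BIZRULE_SOURCE },
    "View Reports":    { operations: ["ReadReport"],     bizRule: null }
  },
  roles: {
    "Expense Approver": { tasks: ["Approve Expense", "View Reports"] },
    "Report Reader":    { tasks: ["View Reports"] }
  }
};

// Role assignments: role definition -> Windows users or groups (constructed).
var roleAssignments = {
  "Expense Approver": ["CONTOSO\\alice"],
  "Report Reader":    ["CONTOSO\\bob"]
};

// Returns true when some role assigned to the user contains a task that grants
// the operation, and that task's rule (if any) approves the request.
function accessCheck(user, operation, parameters) {
  if (!Object.prototype.hasOwnProperty.call(definitions.operations, operation)) {
    throw new Error("operation is not defined: " + operation);
  }
  for (var roleName in roleAssignments) {
    if (roleAssignments[roleName].indexOf(user) < 0) continue;
    var tasks = definitions.roles[roleName].tasks;
    for (var i = 0; i < tasks.length; i++) {
      var task = definitions.tasks[tasks[i]];
      if (task.operations.indexOf(operation) < 0) continue;
      // A task without a rule grants its operations outright; a task with a
      // rule grants them only when the rule sets BusinessRuleResult to true.
      if (task.bizRule === null || runBizRule(task.bizRule, parameters)) return true;
    }
  }
  return false;
}
```

Two points the harness makes visible: an operation that no task in the user's roles contains is refused before any rule runs, and a rule that exits without setting BusinessRuleResult denies access rather than falling open. When the real application calls AccessCheck it supplies the parameter names and values itself, with the names sorted alphabetically, so a rule should read only parameters the application is known to pass.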
Summary
This two-part article has provided a basic overview of how to use the Authorization Manager tool to implement role-based security on your Windows Server 2003 network. Role-based security allows you to provide users with the ability to perform the tasks that are associated with their roles (jobs) within the organization. Authorization Manager gives you a way to define tasks and roles very granularly, and to assign users based on their Windows user or group accounts or their membership in your defined application groups.
For more detailed information about using Authorization Manager, see the Microsoft Server 2003 web site at: