Who is AzMan


Welcome to the Authorization Manager Team Blog. If you’re not familiar with Authorization Manager (AzMan) it is the Role-Based Access Control model provided originally in Windows Server 2003. It’s since been made available on XP via the XP Admin pack for Server 03 (this is for administration or dev on XP – see ms download center and search on Administration Pack) and on Windows 2000 via a web download (see ms download center and search on AzMan).


 


Authorization Manager’s there to help application developers and admins in the following ways (for those of you who haven’t seen this :)):


 


Common RBAC Administration


An easy to use common role-based administrative experience; administrators learn fewer authorization models and require less training.


 


Role-based Development Framework


Easy to integrate with native or managed apps, provides broad RBAC management and enforcement functionality.


 


Flexible Authorization Rules


Ability to define membership through dynamic ldap queries or custom BizRules.


 


Centralized Administration


Multiple applications can be managed centrally and leverage common application groups.


 


Flexible Storage Options


Ability to store policy in Active Directory, XML-Files or SQL Server (Vista Beta 2.)


 


Platform Integration and Alignment


Support for platform features such as Active Directory groups, Windows security auditing, and MMC. Assurance of proper integration of system access control objects such as the NT access token and better alignment for future Windows access control features such as provisioning and entitlement engines.


 


Reduced Software Development and Maintenance Costs


Developers avoid the expense or trade-offs of custom access control. AzMan does the expensive work of a full-featured authorization solution, including a complete RBAC model, policy storage (AD, SQL, or XML), an MMC user interface, built-in application group support, rule and query support, integrated system auditing, and performance optimizations such as caching and late-binding.


                                             


Enhanced Security


Platform technologies are rigorously tested, broadly used and continually refined. A common RBAC model leverages administrators’ existing knowledge, resulting in fewer access control mistakes.


 


AzMan has seen good uptake, particularly in LOB apps.


 


For some case studies check out:


Israel Court House:


https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=13419&LanguageID=1&PFT=Microsoft%20Windows%20Server%202003&TaxID=20106


 


and Lighthouse International:


http://download.microsoft.com/documents/customerevidence/20836_AzMan_Case_Study_Lighthouse_Final.doc


 


 


The plan is to use this blog to get the FAQ info out and give AzMan news as soon as it’s available. Fire away if you’ve got questions, though do check out the current set of AzMan docs; here’s some dev-oriented stuff:


Authorization Manager Whitepaper


Platform SDK Documentation


MSDN: AzMan Overview


MSDN: AzMan BizRules


MSDN: AzMan Dynamic Groups


DEV: Programmable Architecture Guide (PAG): Authorization and Profile Application Block


DEV: Keith Brown MSDN Article (Sample included): Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager


Server Watch Tutorial: Exploring Windows 2003 Security: Authorization Manager


 


-Dave McPherson


Comments (40)

  1. Catho says:

    Good article, and I hope this is the first of a long sequence…

    I have used Azman (for our Enterprise Framework) for 2 years and I’m very glad to see that there is development on this tool.

    A little question…

    I didn’t understand the reason why there is no plan to write Azman in native .net managed code. I think that a porting on managed code would enhance the diffusion.

  2. davemm says:

    Hi Catho,

    Thanks for the feedback. We are working on plans to provide a genuine managed OM for AzMan. Unfortunately, the timeframe is however post LH server. We are providing some new interfaces (such as a new AccessCheck) in Vista that help make the interop more friendly.

    Thanks,

    Dave

  3. Catho says:

    Hi Dave,

    Thanks for the reply. I have another question: are there plans to provide the new functionality included in Vista (SQL Storage, new Interfaces for Access Check, improvements on Ldap Query Groups, and so on…) on Windows 2003 Server?

  4. davemm says:

    To make sure everyone understands what’s available where. AzMan natively shipped on WS03 and was backported (runtime only) to Win2k and is available for dev and admin on XP via the admin pack.

    There are new features in Vista such as SQL storage and others listed above. Due to the high end-to-end cost of back porting to previous versions of Windows, there is no plan at this time to backport the Vista features. However we are tracking customer requests on this.

    Thanks,

    Dave

  5. Hugo.Vallejo says:

    Hi. I’m having problems with an authorization store role provider that I’m using in my web site. The problem is the updating of the roles cookie. For example, if I query the existing roles in the AzMan store I get the full list in the XML file (OK to the moment), but if I create a role programmatically or add a user to a role or whatever related to writing or modifying the file, I don’t get the changes at the moment, not even if I close the page and restart it again! Actually, if I modify the AzMan store through the AzMan console and I run the web site project, I get the previous values before the changes. In fact, the only way I’ve found for the list of roles to be updated is by modifying the web.config file (for example, by inserting a white space anywhere in the file) and running the project again.

    This is the configuration I have:

    <roleManager enabled="true"
                 cacheRolesInCookie="false"
                 defaultProvider="RoleManagerAzManProvider"
                 cookieName=".ASPXROLES"
                 cookiePath="/"
                 cookieTimeout="1"
                 cookieRequireSSL="false"
                 cookieSlidingExpiration="false"
                 createPersistentCookie="false"
                 cookieProtection="All">
      <providers>
        <add connectionStringName="LocalPolicyStore"
             applicationName="Logica"
             name="RoleManagerAzManProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, publicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

    If you could help me I would appreciate it a lot. Thanks for your time

  6. There are actually a number of places that may cache ranging from OS – S4U that may come into play when using Forms Auth, IIS, AzMan API (that loads the whole store in memory when XML), and settings specified on the role provider.

    The "modifying the web.config file" unloads the appdomain which would kill the role provider cache.

    Links below provide further explanation but your current cache is for a minute on the cookie:

    http://msdn2.microsoft.com/en-us/library/system.web.security.roleprovider_members(VS.80).aspx

    http://msdn2.microsoft.com/en-us/library/6b241xwt.aspx

    http://msdn2.microsoft.com/en-us/library/ms164660.aspx

    Are you calling Roles.CreateRole("MyNewRole"); on the page in question?  What is your environment/topology? Are you seeing that caching lasts longer than expected? (Your message implies never but how long did you give it to dump the cache?)

    Regards,

    David Crawford [MSFT]

  7. sudheerm says:

    About Hugo.Vallejo’s question,

    As David explained, AzMan loads the full store into the cache. In case of RoleProvider, IIS will load the full store into the cache and IIS has to call UpdateCache to reload the store into cache. IIS does this depending on the "cacheRefreshInterval" that you can set in your web.config file. But the minimum value that you can set is 1 (1 min) for this attribute. So there is no way to reflect your changes immediately other than changing your config file or restarting your IIS etc., which will invalidate your cache.

    Thanks,

    Sudheer.

  8. Hugo.Vallejo says:

    Thanks to David and Sudheer for your answers. I’m just left with one question. How can the role provider work for navigation controls? This is the scenario: I have a menu control binding to a site map control with the securityTrimmingEnabled property set to true and an AzMan Role provider with a local policy store in an XML file, and if I add a user to a role through the AzMan management console I don’t get that user authorized to the menu item previously disabled. As I said before, I need to modify the web.config file and restart the web site (unloading the appdomain actually) for the menu control and authorization for the pages to be updated. So, is there any way that I can create roles or add users to roles through the console and have those changes when I enter the site? Or do I definitely have to restart IIS? If so, I guess I can’t modify the XML file through the console in-line with the running web form.

    Thanks again!

  9. For navigation controls see the following –

    ASP.NET Site-Map Security Trimming  

    http://msdn2.microsoft.com/en-us/library/ms178428(VS.80).aspx

    Walkthrough: Filtering Site-Map Nodes Based on Security Roles  

    http://msdn2.microsoft.com/en-US/library/ms178428.aspx

    If you create a role with any approach and/or call AddUserToRole(userName, roleName) through the provider or assign the user to a role via the mmc, you will require time sufficient for the cache to refresh. You may consider changing your AzMan policy store to ADAM or AD which would not load the whole store into memory from the start but after you will still need to consider caching.  The other approach to gain fine grain and full control is to utilize the API directly.  See step 7 in How To: Use Authorization Manager (AzMan) with ASP.NET 2.0 – http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000019.asp

    Regards,

    David Crawford [MSFT]

  10. cbekarthik says:

    Component: AzMan (Authorization Manager)

    Environment: Windows XP

    Programming Environment: Visual Studio 2005

    Language: C#

    Assembly: Microsoft.Interop.Security.AzRoles.dll

    We have implemented AzMan based security in our project. We have set of roles defined at the application level. From our application we are dynamically creating a new scope through code programmatically.

    We have a requirement to assign an existing role which is defined at the application level to the newly created scope through code. We are not able to find the method to assign an existing role to the scope.

    By using the front end (azman.msc) we are able to assign an existing role to a scope. We need to know how to achieve this programmatically.

    Has anybody tried this before ? Any suggestions or pointers ?

    We have already tried the following MSDN links

    (1) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_functions.asp

    (2) http://msdn.microsoft.com/msdnmag/issues/03/11/AuthorizationManager/

  11. Hugo.Vallejo says:

    Hi cbekarthik.

    I have used the Authorization Manager API in a project I’ve already finished. You’re saying that you defined a role at the app level so I guess you used the CreateTask method and set the IsRoleDefinition property to 1. Note that at app level only the definition for the role is needed, not the assignment, because if you try to assign the role again at the scope level you’ll get a "copy", something like Rol(1), so it is correct to define the role at the app level and assign it at the scope level.

    This is what I do in my project (I’m Colombian so don’t be surprised by the Spanish comments)

    try
    {
        // Create the role definition in the application
        IAzTask defincionRol = azApp.CreateTask(rol, null);
        defincionRol.IsRoleDefinition = 1;
        defincionRol.Description = descripcion;
        defincionRol.Submit(0, null);

        // Create the role assignments in every scope
        foreach (IAzScope scope in azApp.Scopes)
        {
            IAzRole rolScope = scope.CreateRole(rol, null);
            rolScope.Description = descripcion;
            rolScope.Submit(0, null);
        }
    }
    // catch/finally omitted in the original post

    As you can see, in the first line of the try block, I use the CreateTask for the app object and the IsRoleDefinition property and then submit the changes. Then, for each scope in the app, I create the assignment for the role, using the CreateRole method for the scope. The CreateTask method is always related to definitions and the CreateRole to assignments.

    If then you want to add a member to the app rol at the scope level you can try this:

    // Open the role within the application
    IAzRole rolReal = azApp.OpenRole(rol, null);
    rolReal.AddMember(BuscadorUsuarios.ObtenerSid(usuario), null);
    rolReal.Submit(0, null);

    try
    {
        IAzRole rolReal = scopeReal.OpenRole(rol, null);
        rolReal.AddMember(BuscadorUsuarios.ObtenerSid(usuario), null);
        rolReal.Submit(0, null);
    }

    Although the role is defined at the app level, the assignment is at the scope level so you can use the OpenRole method and use the AddMember (in the code the class BuscadorUsuarios gets the SID for a given user name). Or you can use the AddMemberName and add the user by his or her user name.

    Remember the needed validations for doing this: if you try to open or create a role that is already defined or assigned you’ll get an exception. The same happens with the users.

    I hope this was helpful for you.

    P.S. Sorry for my English

  12. cbekarthik says:

    Hi Hugo,

      Many thanks for your detailed response.

    But the roles at app level are not created using CreateTask method. We have created some of the operations and role definitions in app level using the UI azman.msc.

    So to begin with, We have set of roles defined at the application level and each role has some list of operations. (This is NOT DONE programmatically due to our project requirements)

    Our application creates new scopes through code programmatically. We have a requirement to ‘assign’ an existing role defined at the application level to the newly created scope through code.

    In short, we never create roles through code but we do create scopes and assign existing roles to the newly created scope.

    Your help is much appreciated.

  13. davemm says:

    Hi cbekarthik,

    When you created the role definitions via the UI the UI code actually created tasks with the special IsRoleDefinition property set to true as Hugo describes.

    So to assign one of those role-definitions (specially marked task) in a scope, you need to create a role assignment (IAzScope::CreateRole) in the scope and then assign that role the role-definition (the specially marked task); for example if the role-definition is called submitter you’d create the role assignment and then add the task like so: SubmitterRole.AddTask("Submitter").

  14. cbekarthik says:

    Hi Dave,

      Thanks for your reply.  I was able to achieve the desired result with the help of your suggestion.

  15. Hugo.Vallejo says:

    Hi cbekarthik.

    It actually doesn’t matter how you define the roles at the app level. You have defined the roles and added some operations to them. At the scope, as in the code I wrote before, you must use the CreateRole method for the scope object and that’s it. In my project I also have some app roles created through the UI and some others programmatically. I define scopes for the app and then assigned them to a scope using CreateRole for the scope.

  16. cbekarthik says:

    Hi Hugo,

       Thanks for your response. CreateRole, to create a role assignment is not an issue. It’s quite fine.

    But adding a role definition using AddTask() method is the real key.

    I was misled by certain method names.

    For eg., There is a Role definition in the app level, say "MyRole".

    But if i try using app.openrole("MyRole", null), it throws an exception. You can open this using app.openTask("MyRole", null)

    I believe from Azman perspective, OpenRole and CreateRole are dealing with just role assignments and not role definitions.

    Maybe, as Dave said, in Azman a role definition is a specially marked task but not a role (!!)

  17. sudheerm says:

    Yes, this is very confusing as AzMan UI and APIs do not use the same names. To avoid this confusion, in the latest version of AzMan coming in Vista, we added new APIs to align with AzMan UI terms, like CreateRoleDefinition, CreateRoleAssignment etc.
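
The scope-level assignment worked out in comments 10 to 17, as an added example (not code from the blog or from any commenter): it checks that the application-level name really is a role definition (a task with IsRoleDefinition set), creates the scope, links a role assignment to the definition with AddTask, and verifies the result with an access check. The store URL, application, scope, member and operation ID are placeholders; "Submitter" follows Dave's reply, and the namespace assumes the interop assembly named in comment 10.

```csharp
using System;
using System.Security.Principal;
// Namespace of the primary interop assembly named in comment 10 (assumption);
// a tlbimp-generated import of azroles.dll uses AZROLESLib instead.
using Microsoft.Interop.Security.AzRoles;

static class ScopeRoleAssignment
{
    // Creates `scopeName` and assigns the existing application-level role
    // definition `roleDefinition` to it, with `memberName` as a member.
    public static IAzRole AssignRoleDefinition(
        IAzApplication app, string scopeName, string roleDefinition, string memberName)
    {
        // A role definition is a task, so it is opened with OpenTask;
        // OpenRole on the same name throws, as comment 16 found.
        IAzTask definition = app.OpenTask(roleDefinition, null);
        if (definition.IsRoleDefinition == 0)
        {
            throw new InvalidOperationException(
                roleDefinition + " is an ordinary task, not a role definition.");
        }

        IAzScope scope = app.CreateScope(scopeName, null);
        scope.Submit(0, null);

        // CreateRole makes the role assignment. On its own it grants nothing:
        // AddTask is what ties it to the definition's operations.
        IAzRole assignment = scope.CreateRole(roleDefinition, null);
        assignment.AddTask(roleDefinition, null);
        assignment.AddMemberName(memberName, null);
        assignment.Submit(0, null);
        return assignment;
    }

    // Returns true when `user` may perform `operationId` in `scopeName`.
    public static bool IsAllowed(
        IAzApplication app, WindowsIdentity user, string scopeName, int operationId)
    {
        // Token-based context, as recommended over SID lookup in comment 20.
        IAzClientContext context =
            app.InitializeClientContextFromToken((ulong)user.Token.ToInt64(), null);

        object[] scopes = { scopeName };
        object[] operations = { operationId };

        // All eight arguments are passed explicitly (see comments 26 to 28).
        // The first argument is only a label for the audit log.
        object[] results = (object[])context.AccessCheck(
            "ScopeRoleAssignment demo", scopes, operations,
            null, null, null, null, null);

        // One result per requested operation; 0 (NO_ERROR) means granted.
        return (int)results[0] == 0;
    }

    static void Main()
    {
        // Placeholder values for illustration only.
        const string storeUrl = @"msxml://C:\AzManDemo\store.xml";
        const string appName = "DemoApp";
        const string scopeName = "Project-42";
        const string member = @"CONTOSO\alice";
        const int submitOperationId = 1;

        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);
        IAzApplication app = store.OpenApplication(appName, null);

        AssignRoleDefinition(app, scopeName, "Submitter", member);

        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("Current user allowed: {0}",
                IsAllowed(app, current, scopeName, submitOperationId));
        }
    }
}
```

Running it twice against the same store fails at CreateScope, because creating an object that already exists throws (as comment 11 notes); open the scope with OpenScope in that case.
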

  18. The authorization model is another new feature in the Commerce Server 2007 catalog system which…

  19. yem583 says:

    I’m using AZman for role provider for asp.net site (System.Web.Security.AuthorizationStoreRoleProvider).

    Code is working fine when deployed to win2k server, but when running on developer xp (sp2) desktop, we get the following error.    (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME)). when checking user.isinrole("rolename")

    Seems like AZman not properly installed on xp, however, we have reinstalled adminpak (sp1) and have no trouble accessing AD based authorization store from same xp box.

    Any help would be appreciated.

    Thanks,

  20. davemm says:

    There are some known differences between some underlying API on Win2K, XP and WS03. One area which has undergone much flux in each of these releases is name lookup API. Depending on your environment, things like which versions of the DCs you are using and whether or not the domain is in native mode and WS03 functional level the lookup API have different paths (these are the primary reason for limiting the support of AzMan on XP to administration and development and not deployment.) My recommendation would be to do a test w/ accounts on a WS03 DC and you can hopefully avoid this, you should not have this problem in deployment on WS03 machines (if this is the cause of the problem.)

    If you are using IAzApplication::InitializeClientContextFromSid you may be able to switch to IAzApplication::InitializeClientContextFromToken which is faster and avoids lookup issues which can be very unique to each environment. Check out the latest whitepaper’s comments on this. The whitepaper can be found at:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManApps.asp

  21. Chilá says:

    Hi Dave, I got some questions about AzMan and I didn’t find any forum where I can post my questions!

    Can you give some direction? My problem is that we’re developing an application with AzMan we got some questions about AzMan on Vista, Authorization Script etc.

    See ya and thank you!

    Chilá!

  22. davemm says:

    Hi Chilá,

    What’s your question? There are a few articles on BizRules/Authorization scripts out there. In Vista they don’t change much except that you can create a group with a BizRule script and the mechanism for passing the parameters to BizRule scripts can be done a cleaner if you wish.

    Thanks,

    Dave

  23. The authorization model is another new feature in the Commerce Server 2007 catalog system which allows

  24. rosjon says:

    I am having problems when creating roles and scopes programmatically. I found the post explaining that a role definition is a task and have now succeeded in creating new scopes with roles that follow the role definitions. The only problem I am experiencing is that operations I created long ago using Authorization manager UI, before I built my own UI, have to be redefined in Authorization Manager UI to work properly. Otherwise the Checkaccess returns 0 even though the operation is not assigned to the role. Is anyone else having the same problem? As soon as I remove the "old" operation and create a new one with the same name and operation number the checkaccess returns the correct result. It’s not a show stopper but it feels a bit unstable and I am starting to worry about what will happen when I have deployed to the production server….. If anyone has any thoughts and ideas please share them….

  25. davemm says:

    Hi Rosjon,

    I think I get the problem but this statement confuses me, "Otherwise the Checkaccess returns 0 even though the operation is not assigned to the role." By, "Checkaccess returns 0" do you mean that the results array from check access contains no operations (which would be expected if there are none assigned to the role) or do you mean that you’re getting null or zero for the result array?

    FWIW, I haven’t seen this problem before. I can imagine a scenario where a custom UI is not calling the submit method after creating the operation so they never actually get created and are not visible in the app or AzMan UI but if you’ve rebooted your custom UI you’d see that they’re gone. Alternatively something may appear like this if you inadvertently have two stores and one UI is editing one and one is editing the other.

    HTH,

    Dave

  26. Dirk_BGC says:

    Hi

    I am using Authorisation manager for a while (in .NET).

    Now I wanted to to test my applic on Vista and some functions no longer work.

    I still can enumerate operations, but performing the CheckAccess returns errors I never had in XP.

    e.g.

    theContext = AppInStore.InitializeClientContextFromName(_UserName)
    Dim ObjOperations(1) As Object
    ObjOperations(0) = CType(OperationID, Object)
    Dim objResult() As Object
    objResult = CType(theContext.AccessCheck(OperationName, ObjScopes, ObjOperations), Object())

    I get some errors like :

    System.ArgumentException: Value does not fall within the expected range.

    at AZROLESLib.IAzClientContext.AccessCheck(String bstrObjectName, Object varScopeNames, Object varOperations, Object varParameterNames, Object varParameterValues, Object varInterfaceNames, Object varInterfaceFlags, Object varInterfaces)

    Do I need a new AZroles.DLL and the Interop.AZROLESLib.dll ?

    If so, where can I find this ?

    Any other ideas?

    Thanks

    Dirk

  27. davemm says:

    Hi Dirk,

    No new AzMan AccessCheck error code scenarios should exist on Vista for running code that didn’t have it on WS03. My first thought is to make sure the store is ported or recreated accurately. Another long shot may be that variable initialization or some other memory bug could be happening differently corrupting something; this may make AccessCheck throw an error where it previously didn’t. Again, that’s a long shot. You could check the values going into AccessCheck to make sure that at least the params are going in the same way.

    FYI, Check out the IAzClientContext3::AccessCheck2 method on Vista.

    HTH,

    Dave

  28. Dirk_BGC says:

    Thank you for the reply.

    I have it working now (on both XP/Vista), using all params

    objResult = CType(ContextuserX.AccessCheck(OperationName, ObjScopes, ObjOperations, Nothing, Nothing, Nothing), Object())

    ==> it seems the optional params need to be filled in for the Vista.

    Thanks for pointing to the new methods in Vista!

    1 remark: I lost a lot of time searching for the Azman tools update on internet for the Vista PC, until I noticed that the new DLL’s are installed by default on the Vista PC’s. I think others will have similar problems.

  29. milecker says:

    Applications Users – Not supported

    I love much of the functionality of the azman tool. While I think the windows/LDAP support is a must, I am very confused why azman does not support "custom" or "application" users, i.e. NON WINDOWS accounts. It drives me crazy that authorization is supposed to be loosely coupled from authentication and that Azman forces the association of a windows account. When I build applications they usually need to support both a windows mode (Intranet) and an application user or SSO situation and in the latter two the azman tool does not work.

    Thoughts?

    I noticed there is a new SQL Azman tool that is open source that supports this concept! This tool has many advantages over Azman but has a major failing in all access checks are done at the database tier.

  30. davemm says:

    Hi milecker,

    Check out the Using Authorization Manager with Custom Principals section in the whitepaper (http://msdn2.microsoft.com/en-us/library/aa480244.aspx) for the story on custom principals. It’s possible in WS03 and gets somewhat better in Vista.

  31. wynxo says:

    I have a problem when I try programmatically to delete and create an application with the same name in a store.

    The application "ABC" already exists in Store LDAP and I want to delete this application and create a new application with the same name "ABC".

    To do this:

    I open the Store like this:

    destStore.Initialize(4, destUrl, null);

    destStore.Submit(0, null);

    Then, I delete the "ABC" application from store:

    destStore.DeleteApplication("ABC", null);

    destStore.Submit(0, null);

    after this, if I check in Store the "ABC" application is correctly deleted (destStore.Applications.count = 0)

    Finally, I try to create a new application with the same name "ABC":

    IAzApplication destApplication = null;

    destApplication = destStore.CreateApplication("ABC", null);

    And then this code raises an exception on CreateApplication:

    "Cannot create a file when that file already exists. (Exception from HRESULT: 0x800700B7)"

    I don’t understand my error because I do a submit after DeleteApplication.

    Thx

  32. Hugo.Vallejo says:

    Hi everyone.

    Last year I created an application (.NET 2.0) that uses AzManager (azroles.dll) to perform access checks. I’m wondering how this application would work on Windows Vista. Am I able to deploy this application and expect that it works fine? I don’t have Vista installed yet but a co-worker told me that some tests using AzManager in Vista always denied a user access to an operation. Is there any consideration we have to take into account before deploying the application?

    Thanks a lot

  33. Would you provide more details – what kind of app, store schema version 1.0 or 2.0, what is the topology (local user/domain user/trusted/shadow), where and what is the store, how are you initializing your client context/What AuthN, what other characteristics can you provide?  

    Without knowing anything about your application, I would recommend that you test your application for any target OS before releasing it.  AzMan specific, make sure that if you are using BizRules that you enable them in Vista.  There are implications with the UAC that you should pay attention to with your applications targeting Vista.

    Regards,

    David

  34. Hugo.Vallejo says:

    Hi David, thanks for your answer and sorry for the delay.

    Well, I have to say that after installing Vista and testing the .NET application everything works fine. However, we have an old Visual Basic 6 application that some small clients still use and it references azroles.dll. This particular application failed when calling the accesscheck method but this won’t be a problem because the application was marked as obsolete and it is in the updating process right now.

    Thanks for your comment.

    Hugo

  35. rosjon says:

    Regarding the 0x80020006 (DISP_E_UNKNOWNNAME) problem. It has to do with a versioning problem in azroles.dll. If you use version 1.001 (203kb) it doesn’t work. I have tried version 5.2.3790.1830 and it works. Try a reinstall using the following instruction: http://msdn2.microsoft.com/en-us/library/ms998336.aspx

    Good luck

  36. Hugo.Vallejo says:

    Hi everyone.

    I’m having problems checking access using azman from windows XP client stations looking to an authorization store saved on a public folder on a windows 2000 server; all stations are part of a domain. However, after working fine for a while some access checks always return access denied to any operation in the authorization store. This is kind of weird because if any client station is removed from the domain and then added again the access checks work fine again, although not in all the cases. The problem with this architecture is that client stations do the actual access check invoking azroles.dll and looking for the public file of the authorization store so we have to ensure that all the stations are using the same version of the azroles library which is 5.2.3790.1830.

    Another thing is that access checks fail for users already in the domain but if we create another user account and check for the permissions it works fine. Does anyone know something about this behavior?

    Thanks a lot

  37. Prabhu_engg98 says:

    Hi Dave,

    We are using Azman in our web application for profile management. The scenario is like this… First we will define 3 predefined set of scopes say for example superadmin,admin and normaluser through azman.msc console. Initially we are storing in an xml store.

    From the Webform we need to retrieve the three profiles by using our custom developed azman wrapper class and display all the related tasks and operations for a selected profile(scope). Here the user can able to add new profile based on already existing profile, view, modify and delete the profile.

    At the time of adding, modifying and deleting a profile we will add, modify or delete a profile in our profile table in sqlserver. Apart from the profile(i.e scope) we are not storing any other details.

    From user management module in our application we will query the AD to get a list of users and the list of profiles from profile table(Profile table contains the scope name stored in our xml azman store). Here we will associate a user with a profile.These info will be stored in user table.

    Whenever the user logs in to our system first we will authenticate based on his username  and password. During Authorization we will check whether he is authorized to access the page based on the scope associated with the user.

    My problem is i am not able to get the list of tasks and operations associated with a scope using azman api.

    Put it into another way the client needs a webbased azman console.

    Your help is very much appreciated.

    Thanks ,

    Regards

    Prabhu

  38. Prabhu_engg98 says:

    Hi,

    I am having some more doubts.

    I had created the following operations opAdd,opDelete,opModify.

    Created two tasks namely LocationType and LocationChannel.

    [ Associated opAdd and opDelete to LocationType task. ]

    [ Associated all the three operations to LocationChannel task]

    Created a role definition named "SuperAdmin".

    Added the above two tasks to this role.

    Create a scope named "SA"

    Assigned the "SuperAdmin" role created at the application level to this scope.

    Questions:

    1. How can i retrieve the list of task names associated with the above role using azman api in c#?
    2. How can i retrieve the list of task names associated with the above scope using azman api in c#?

    Thanks,

    Regards

    Prabhu

  39. chripk says:

    Hi,

      I have a question. How to assign task to a role? I’m using this code

    IAzRole AzRole = AzManApp.OpenRole(strRole, null);

    AzRole.AddTask(strTaskName, null);

    AzRole.Submit(0, null);

    but I cannot find the assigned task in role property in role definition folder

    instead it can be found in role property on role assignment folder.

    My question is there a way i could use to add task in role that can be display

    in role property in role definition folder?

    anyone could help?

  40. woodyb42 says:

    I am using AzMan as the role security for a Web Service.  We have been having issues with our web service randomly crashing out.  After a great deal of debugging I finally tracked it down to the AzAuthorizationStoreClass.Initialize call in my program as it caused a Stack Overflow error.

    What our code does is create a AzMan manager class for each user, this class contains a AzAuthorizationStoreClass for the current Store, IAzApplication for the current application, and IAzClientContext the clients context to the Application.  It appears that we do not have any issues when we are running under one thread.  But our testplans utilize multiple threads to simulate multiple users.  After adding some unrelated code (which was heavily debugged) we have noticed significant amount of failures on our threading tests.

    Is the AzAuthorizationStoreClass.Initialize call thread safe?  Or is there any way that a stack overflow can be generated from it that you know of?

    Here is the code we use for initializing the store:

           private void InitializeC2SAzManManager(Guid storeID, string connection, DataSet applicationList, WindowsIdentity winUser)

           {

               try

               {

                   // Set the StoreID

                   m_StoreID = storeID;

                   // Set the user

                   WinUser = winUser;

                   try

                   {

                       // Open Store

                       m_AzStore.Initialize(0, connection, null);

                   }

                   catch (Exception exception)

                   {

                       throw new Exception(String.Format("Failed to open AzStore for {0}.",

                           WinIdentity.Name), exception);

                   }