How come when I create a Role Definition in the UI it doesn't show up when I enum Roles?

  • Article

Cbekarthik's question is so common that it deserves its own post.

One quirk of the AzMan dev experience is the fact that the UI exposes a role definition object and the API does not. As a result it's a common surprise for developers who create a role definition in the UI and then see that the code they wrote code to enumerate roles doesn't return any role definitions. The opposite surprise comes when you programmatically create a role (the AzRole object) and then look in the role definitions container in the UI and don't see that role.

The reason behind this is that beta versions of the AzMan interfaces (in the WS03 beta timeframe) had a smaller RBAC model that didn't have the concept of role definitions and role assignments. Roles were defined and assigned in one object called a role. Some late user experience testing made it clear that a role definition was a useful concept to enable the collection of permissions for a role to be reused in different scopes. A good example of when this is useful is a situation such as folders where the role definition of an editor or reader would be useful in all folders even though the assignees would be different in each folder. Based on this feedback the role definition object was added in the UI.

However, since this was very late in the beta process the change in the API had to be minimal (to minimize impact on beta customers, test matrices, and documentation.) So the implementation of the role definition took advantage of the fact that the properties of the desired role definition were essentially the same as those of a task; a collection of tasks and operations. In fact the role definition is just a special task implemented as an IAzTask object with a property called IsRoleDefinition that identifies it as a role definition. So when you create a role definition in the AzMan MMC UI, in the store your creating an IAzTask object with the IsRoleDefinition property set to true. When you create a role assignment in the UI you're creating an IAzRole object.

Since this has been a common hurdle for many who are new to AzMan development, in Vista and LH Server role definition specific interfaces are added so the developer experience will more closely match the user experience; a role definition in the UI will be correspond to a role definition in the API.

You can check out these new interfaces as of Vista beta 1.

-Dave McPherson