"Non Windows users" in AzMan (Authorization Manager)




AzMan background


AzMan (Authorization Manager) is the best Microsoft technology to implement role & permissions based security for your applications.


It exists as part of Windows Server (and the Windows "workstation" editions) since Windows Server 2003 and Windows XP. If you want to take a look at its management tool, just run it: "Start azman.msc" (from cmd or search).


In the Windows Server 2003 days, your app users had to be Windows users, which in fact is still the most common way. Even today, with the current AzMan version, you will normally use Windows users for your apps. But sometimes you need non-Windows users, for external apps or for any other reason. In the first AzMan version you "could use" custom users, but only in a very limited way, based on your own app-user DB tables or any other repository; you could not use the AzMan administration MMC snap-in to manage those users within roles, etc. You had to use the AzMan administration APIs instead, then...


In the Windows Server 2008 and Windows Vista version of AzMan, SQL Server and AD LDS support for stores was added (formerly we could store our metadata only in Active Directory, ADAM, or XML files).


For instance, this is the definition string when using SQL Server as your AzMan store:


mssql://Driver={SQL Server};Server={CESARDLSQLSERVER};/AzManDb/AzStore


Here you can see the AzMan console, where you can administer your app's permissions (operations), roles and assignments:


[Image: AzMan MMC console showing operations, roles and role assignments]


OK, so far I've told you just a bit of AzMan's background, but nothing about "Non Windows Users" in AzMan, so there we go!


"Non Windows Users" in AzMan


Since Windows Server 2008 and Windows Vista, and now also in Windows Server 2008 R2 and Windows 7, we have AzMan MMC snap-in support for our custom app users (DB tables, AD LDS, any LDAP directory, etc.), using a "Custom Object Picker"! 🙂


You can check it out here; it was updated on MSDN on March 9, 2009:


http://technet.microsoft.com/en-us/library/cc770724(WS.10).aspx


Also, within AzMan help, you can read the following:


"


With Authorization Manager, you can include users or groups from any source that can be defined or referenced by the Authorization Manager application programming interface (API). In order to include users and groups from external sources, you must write or acquire a custom object picker. A custom object picker is a software component that can be installed on your system to allow an Authorization Manager administrator to access data stored in an external application.


For more information, see Authorization Manager Model (http://go.microsoft.com/fwlink/?linkid=64027).


The permissions required to perform this task will vary for each custom object picker.


Choose users or groups with a custom object picker


  1. Install the custom object picker according to the instructions provided with the non-Microsoft software.


  2. The custom object picker will be added to the Assign users and groups from menu choices under the Role Assignments node and to the drop-down list in the Members and Exclusions tab of the properties sheet for basic application groups. Choose the entry installed by the custom object picker installation process.


  3. Select users from the external source, according to the instructions provided with the custom object picker.


"

So, logically, it is not a very straightforward capability: since you could have any DB schema (or any kind of repository) for your users, you must develop your own "Custom Object Picker" in order to be able to select/assign your users.


I believe there is a sample "Custom Object Picker" within the Windows SDK. At the moment, the newest SDK is the Windows SDK for Windows 7 and .NET Framework 3.5 SP1 - RC (Published on 5/4/2009):


ISO: http://www.microsoft.com/downloads/details.aspx?FamilyID=6db1f17f-5f1e-4e54-a331-c32285cdde0c


Web setup: http://www.microsoft.com/downloads/details.aspx?FamilyID=f75f2ca8-c1e4-4801-9281-2f5f28f12dbd


I still have to research this capability ("Custom Object Picker") further; I'll try to extend this post when I do. 🙂


RESOURCES (Some useful links about AzMan):


http://blogs.msdn.com/donovanf/archive/2007/03/08/windows-authorization-manager-azman-the-best-kept-secret.aspx


http://blogs.msdn.com/donovanf/archive/2007/04/05/azman-in-windows-vista-you-bet-and-longhorn-too.aspx


http://sourceforge.net/projects/netsqlazman/


http://forums.asp.net/t/1124227.aspx (Last post, from David Crawford, is quite interesting)

Comments (7)

  1. Cesar says:

    AzMan is already available in Windows 7. Run mmc.exe and add its snap-in to the mmc console.

  2. GV says:

    Where do I find AzMan for Windows 7?

  3. Aaron says:

    Any word on where the sample is? I can't locate it in the SDK.

  4. joelangley says:

    Hi Cesar!

    Very nice article, but I wanted to correct you on one mistake that you had where you said "Windows Server 2003 old days, your app users had to be Windows users, which in fact, is the most common way".

    Having worked with AzMan since the first release and rolling out many applications (and open sourcing the bulk importer/exporter) I have seen just about everything with AzMan including a custom SID approach.

    Although you are correct that in most instances we would deal with Windows users and groups, the AzMan API allows you to deal with anything you like (even RSA) as it can be based off of a SID. It is not possible to add (you mention object picker as well) in the AzMan MMC, but it can be done via code where you can add a custom SID format.

    So for example, let’s say you have a custom SID for a user and that is in a database. You can login to your app and then make a call to a db to return that SID. You can then take that SID and open the AzMan store and pass it in like:

    IAzClientContext context = app.InitializeClientContextFromStringSid(sid, 1, null);

    The second param of 1 is the constant AZ_CLIENT_CONTEXT_SKIP_GROUP, where we tell AzMan not to talk to the Windows user store. You can then work from there to do access checks.
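The custom-SID flow from this comment, written out as an added example (not code from the post or from the commenter) in C# against the AzRoles interop assembly: it assigns the SID to a role through the API, since the MMC cannot, and then runs the access check fail-closed. The store URL is the one from the post; application, role and operation names and the SID value are placeholders.

```csharp
// Added example, not code from the post or its comments. Assumes the AzRoles interop
// assembly (Microsoft.Interop.Security.AzRoles) and the SQL store URL from the post;
// application, role and operation names and the SID value are placeholders.
using System;
using Microsoft.Interop.Security.AzRoles;

static class CustomSidAzMan
{
    // Store definition string from the post (SQL Server store).
    const string StoreUrl = "mssql://Driver={SQL Server};Server={CESARDLSQLSERVER};/AzManDb/AzStore";
    const int AZ_CLIENT_CONTEXT_SKIP_GROUP = 1; // do not consult the Windows user/group store
    const int ERROR_SUCCESS = 0;                // AccessCheck result meaning "allowed"

    static IAzApplication OpenApp(string appName)
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);    // 0 = default (runtime) flags
        return store.OpenApplication(appName, null);
    }

    // Administration time: what the MMC cannot do for a non-Windows SID, the API can.
    static void AssignCustomSidToRole(string appName, string roleName, string sid)
    {
        IAzRole role = OpenApp(appName).OpenRole(roleName, null);
        role.AddMember(sid, null);              // the member is the raw SID string
        role.Submit(0, null);                   // persist the change to the store
    }

    // Runtime: the SID comes from your own user DB after your own login step,
    // never from anything the client can supply directly.
    static bool IsAllowed(string appName, string sid, string operationName)
    {
        IAzApplication app = OpenApp(appName);
        IAzClientContext ctx = app.InitializeClientContextFromStringSid(
            sid, AZ_CLIENT_CONTEXT_SKIP_GROUP, null);
        object[] ops = { app.OpenOperation(operationName, null).OperationID };
        // null scope names = application-level policy; one result per operation.
        Array results = (Array)ctx.AccessCheck("audit-id", null, ops, null, null, null, null, null);
        // Fail closed: only ERROR_SUCCESS (0) is "allowed"; 5 (access denied) or anything else is a deny.
        return results.Length == 1 && Convert.ToInt32(results.GetValue(0)) == ERROR_SUCCESS;
    }

    static void Main()
    {
        string sid = "S-1-9-1234-5678";        // constructed placeholder custom SID
        AssignCustomSidToRole("MyApp", "Editors", sid);
        Console.WriteLine(IsAllowed("MyApp", sid, "PublishDocument") ? "allowed" : "denied");
    }
}
```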

  5. perninha says:

    Cesar,

    First I wanna thank you for your time and this wonderful product. I developed a service to expose AzMan in an easy way. This is on CodePlex http://www.codeplex.com/authorizationservices as open source. Here in my company we are using AzMan with this service for all our new systems and products and migrating the old ones (more than 100 web apps). But I had a doubt: we have 2 types of users here, one using AD. This is OK for us now. But the second type of user are external users, and we are using SQL Server (MembershipProvider) to store them. But we want to use AzMan too. What can we do? I'm searching for the Custom Object Picker examples in the Windows SDK and have not found them. This is very important, and we need to put this working in 1 week for the new projects and portal.

  6. perninha says:

    Hey Cesar!

    Did you find this example of a Custom Object Picker? I'm trying to create one to access my users from a MembershipProvider.

    Regards,

    Alan
