Developing Applications Using Windows Authorization Manager White Paper Released!!!


Check it out!


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManApps.asp



Comments (5)

  1. Kris says:

    I am trying to find this information but couldn’t find it anywhere – How can I check if the user has access to a particular Task? I can check each Operation of the Task individually, but not a Task. Is there something like Task ID?

    Thanks.

  2. As a note, this is a store operation.  You should favor the accesscheck for runtime.  

    There is a gotdotnet sample that does this at runtime (EDA – Enterprise Development Architecture I think is the name offhand) but once again I recommend modeling where task isn't the object you are checking.

    Regards,

    David

  3. Mike says:

    I’m not sure this is the place to post this.. but what the heck….

    Scopes:

    I believe what I would like to do with scopes is not really what was intended with them, but I would like to hear any comment on this.  Currently with AzMan, it is assumed that a scope is known when an access check is done.  Either the application is aware of a specific resource being requested (either by looking at another data source (i.e. Cost Center stored in a user’s AD account) or a user has specifically requested a resource (i.e. from a drop down or search)).

    What if the scope isn’t known?

    As an example: A shipping company ships products for thousands of customers.  The shipping company has an application where customer service employees can look at shipping records.  As a "ReadOnlyRole" user, this application should only display customer records to which the employee is assigned.  In this scenario, each company could be considered a resource and represented in AzMan as a scope.  If the employee was able to first select a company he/she wanted to view records for, the scope would be known when an access check query was run and AzMan would perform brilliantly.  However, this relies on either the employee knowing which companies he/she has privileges to (could be thousands to choose from) or relies on another system to determine this.  Either way, your authorization management is now split between different processes or systems (a headache in large organizations).  If AzMan provided the capability of “GetScopesAndRolesForUser” as it does for “GetRolesForUser” then the authorization for this problem could be done with one central system.  Getting a list of scopes/companies would allow the application to filter its data queries.  Given AzMan today, I believe that being able to do this may incur a high computational expense, but it is something that I would like to see available in the future.

    Cheers,

    Mike

  4. I must have missed this post.  The call that you were looking for is in Win2k3 SP1 update.

    IAzClientContext2::GetAssignedScopesPage[C++] | IAzClientContext2.GetAssignedScopesPage

    http://msdn2.microsoft.com/en-us/library/aa377854.aspx

    There are a number of ways to organize this dimension such as the newsgroup scenario where the scope is actually part of the data.  

    newsgroup1

    newsgroup2

    newsgroup3

    become scopes with roles of admin, contributor and reader. The query to the database would use something like select articletitle,articletext,articleid where scopenamethatisgroupname=thescopename

    From the ui if making all visible you could either query distinctly from db or return the call to the store for the scopes that match a newsgroup. I am talking about whether you show all but give access to a few or only show those items which have assignment.

    Another way to look at it would be that there are known divisions – div1-n and have a similar query to the database.

    As for the computation expense, that varies based on your implementation.  

    Our implementation allows for a call to get roles for each scope which allows you to control the implementation.  I think that addresses what you were recommending.

    Regards,

    David
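An added example, not from the post or from any AzMan sample, of the approach David describes above: page through IAzClientContext2.GetAssignedScopesPage for the caller, then use the returned scope names to filter the article query. The store URL, application name, table and column names are assumed placeholders, and the interop signatures are taken from the AzRoles COM interop assembly as I understand it.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using Microsoft.Interop.Security.AzRoles; // AzRoles interop assembly (assumed referenced)

static class ScopedArticles
{
    // Enumerate every scope in which the calling user holds a role assignment.
    // storeUrl / appName are placeholders, e.g. "msxml://C:\\azman\\store.xml".
    public static List<string> GetAssignedScopes(string storeUrl, string appName)
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);            // 0: open for runtime access checks
        IAzApplication app = store.OpenApplication(appName, null);

        // Token handle 0 = the calling thread's token (assumption based on the docs).
        var ctx = (IAzClientContext2)app.InitializeClientContextFromToken(0, null);

        var scopes = new List<string>();
        object cursor = null;                           // opaque paging cursor, null to start
        for (;;)
        {
            object page = ctx.GetAssignedScopesPage(0, 200, ref cursor);
            var names = page as object[];
            if (names == null || names.Length == 0) break;
            foreach (object n in names) scopes.Add((string)n);
            if (cursor == null) break;                  // no further pages (assumed semantics)
        }
        return scopes;
    }

    // Filter the article query by the scopes returned above. Scope names are bound
    // as parameters rather than concatenated, even though they come from the policy
    // store: a scope name is still untrusted input as far as the database is concerned.
    public static SqlCommand BuildArticleQuery(SqlConnection conn, IList<string> scopes)
    {
        var cmd = conn.CreateCommand();
        if (scopes.Count == 0)
        {
            cmd.CommandText = "SELECT articleid, articletitle, articletext FROM articles WHERE 1 = 0";
            return cmd;                                 // no assignments: show nothing
        }
        var markers = new List<string>();
        for (int i = 0; i < scopes.Count; i++)
        {
            markers.Add("@scope" + i);
            cmd.Parameters.AddWithValue("@scope" + i, scopes[i]);
        }
        cmd.CommandText = "SELECT articleid, articletitle, articletext FROM articles WHERE newsgroup IN ("
                          + string.Join(", ", markers) + ")";
        return cmd;
    }
}
```

The per-scope role check David mentions (which roles the user holds within each returned scope) still belongs at the operation level with AccessCheck; this block only decides which rows are visible at all.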

  5. John R. says:

    I don’t understand the point of having both Role Definitions and Role Assignments.  

    Why isn’t there just the concept of ‘Role’ which contains both the definition of what tasks/ops it gives access to AND the assignments of who belongs to that role?