Simplifying Authorization Management of Commerce Server Web Services

To make life easier for your infrastructure team, you may want to follow my next piece of advice. When you unpack a Commerce PUP, you get four Web Services to manage your commerce engine. Each Web Service has its own authorization XML store. First, let's find out what Authorization Manager is.

Authorization Manager

Authorization Manager (commonly known as AzMan) is a new general-purpose, role-based security architecture for Windows. AzMan is not tied to COM+, so it can be used in any application that needs role-based authorization. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory or an XML file. Authorization Manager also includes an easy-to-use API for running access checks. Commerce Server only supports storing the security policy in an XML file.

Simplify AzMan

Managing four different AzMan XML files can be difficult. To simplify this, we need to merge all of the files into one AzMan XML store.

The following is an example of the AzMan XML Store of the Catalog Web Service.


Note that the AzApplication node holds all the information required by AzMan to perform its internal policy actions. So we need to create a new XML file and then copy the AzApplication node of every Web Service XML file into it.

  1. Open the Authorization Manager Management Console.
  2. In the AzMan MMC, right-click Authorization Manager.
  3. From New Authorization Store, select XML, then name your store and give it a brief description. Next, close the AzMan MMC.
  4. Using Windows Explorer, navigate to where you saved the new AzMan store and open it with Notepad. Navigate to the Catalog Web Service and open the CatalogAuthorizationStore.xml file in Notepad. Copy everything from the AzApplication begin tag to its end tag, then paste the copied XML nodes into your new AzMan store, between the AzAdminManager begin tag and end tag.
  5. Now repeat step 4 for the other Web Services.

Now you can manage one file rather than four different stores, which eases administration.
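The copy-and-paste in steps 4 and 5 can also be scripted, with a check that no two applications collide in the merged store. This is an added example, not code from the original post or from Commerce Server; the sample XML is constructed, and the `Name`/`Guid` attributes, their values, the root attributes and the second store's label are assumptions.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample stores, not real Commerce Server files. Only the element
# names AzAdminManager and AzApplication come from the article; attributes,
# values and the AzTask child are assumptions made for this example.
NEW_STORE = '<AzAdminManager MajorVersion="1" MinorVersion="0"></AzAdminManager>'
CATALOG_STORE = """<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Guid="00000000-0000-0000-0000-00000000000a" Name="SampleCatalogApp">
    <AzTask Guid="00000000-0000-0000-0000-0000000000a1" Name="SampleCatalogTask"/>
  </AzApplication>
</AzAdminManager>"""
ORDERS_STORE = """<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Guid="00000000-0000-0000-0000-00000000000b" Name="SampleOrdersApp"/>
</AzAdminManager>"""

def merge_stores(new_store_xml, service_stores):
    """Return the new store's root with every service AzApplication appended.

    service_stores maps a label (for example the file name) to its XML text.
    """
    target = ET.fromstring(new_store_xml)
    if target.tag != "AzAdminManager":
        raise ValueError("new store: root element is not AzAdminManager")
    # Identities already present in the new store count as taken.
    seen = {attr: {app.get(attr) for app in target.findall("AzApplication")}
            for attr in ("Name", "Guid")}
    for label, xml_text in service_stores.items():
        root = ET.fromstring(xml_text)
        apps = root.findall("AzApplication")
        if root.tag != "AzAdminManager" or not apps:
            raise ValueError(f"{label}: no AzAdminManager/AzApplication found")
        for app in apps:
            for attr, values in seen.items():
                if app.get(attr) in values:
                    # Two applications with the same identity would make the
                    # merged policy ambiguous, so stop instead of overwriting.
                    raise ValueError(f"{label}: duplicate {attr} {app.get(attr)!r}")
                values.add(app.get(attr))
            # Deep copy keeps the whole subtree: tasks, roles, operations.
            target.append(copy.deepcopy(app))
    return target

def application_names(root):
    """List the Name of each AzApplication directly under the store root."""
    return [app.get("Name") for app in root.findall("AzApplication")]

if __name__ == "__main__":
    merged = merge_stores(NEW_STORE, {"CatalogAuthorizationStore.xml": CATALOG_STORE,
                                      "second-store-placeholder.xml": ORDERS_STORE})
    print(application_names(merged))
    print(ET.tostring(merged, encoding="unicode"))
```

Comparing the application names in the merged store against the four source files before switching over is a quick way to confirm that no role or task definitions were dropped.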

Comments (8)

  1. Prashant says:

    Can we retrieve the role/task/operation information in Commerce Server? E.g. I want to know whether the user is in a particular role or not and whether the user has particular rights.

  2. MSDN Archive says:

    Yes, there is a method called GetAuthorizedTasks. This method returns a DataSet object that describes the tasks that the current user is authorized to perform in the catalog system.

    Good luck,


  3. roger says:

    I can retrieve a single profile, but how do I retrieve all profiles in the user object?

  4. MSDN Archive says:

    Do you mean using Customer and Order Manager? What method are you using to get this data? If you are using the UI, then select Profiles from Views, then select “User Object” from Look in, then select Data Created from Look for, and finally enter a date that you know is very early, like 1/1/1900.

    I would be careful: this type of data might be too large. You should try and get pageable results.

    One last thing: the Web Service is set by default to return only 500 records; anything more and you might see timeout issues.


  5. Prashant says:

    I want to set up a development environment for Commerce Server where multiple developers can code for a single Commerce Server. For this, I have installed Commerce Server on one machine where I have created some custom profiles. Now I want to access these profiles on different machines of developers using If possible please provide a useful link for this problem. Thanks in advance.

  6. MSDN Archive says:

    There are three ways to set up developer environments:

    – Distributed

    – Central

    – Mixed (Central and Distributed)

    In your case you may want to set up your profiles database on a remote SQL Server, then point all of your developer systems' profiles connection strings to the remote server.

    When I have some time later I will blog about this :).

    Good luck,


  7. Jay says:

    Is it possible to use AzMan for custom Windows-based applications?

    I mean, can we use it to hide menus depending upon the role of a person who logs into the application?


  8. MSDN Archive says:

    Yes, that’s how Catalog Manager and other business UIs work. Download the Partner SDK and look at the code there and see how it was done.

