Re: Role based security - where are permissions/operations ?
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Wed, 20 Oct 2004 09:28:48 -0500
Dominick has a good point here. Non-Windows SIDs can be used with AzMan.
There is also a QFE avialable now that makes it work with ADAM SIDs that you
It sounds like the storage of the data is still your biggest issue. Perhaps
using ADAM would work if AD isn't available though. It is free to
redistribute with server 2K3, so perhaps you could off that as an option.
It would make sense for AzMan to support storing the policy data in SQL
Dominick, can you help me understand one other point? With non-Windows
SIDs, don't you lose the benefit of Windows groups integration with AzMan
role mapping? If so, doesn't that mean you have to map each individual SID
into its AzMan roles? It seems like that would become a management
nightmare with lots of accounts. Am I missing something here?
"Dominick Baier" <firstname.lastname@example.org> wrote in message
> first of all - AzMan does also work with non-Windows account, because you
> can also use Custom SIDs  in the Authorization Store.
> A compromise between a local XML File and AD could be a local/remote ADAM
>  (Active Directory for Applications) instance to store the AzStore.
> Microsoft provides a framework to use AzMan in the Authorization and
> Profiling Block  - maybe you want to have a look at that also
> dominick - DevelopMentor
> Joe Kaplan (MVP - ADSI) wrote:
> > You really need to use AzMan if you want a very granular mechanism for
> > assigning permissions to your individual operations. ASP.NET will work
> > fine
> > with AzMan if you are using Windows security, so that shouldn't be a
> > problem.
> > If you can't use AzMan but want similar functionality, then you may need
> > to
> > implement your own framework that does similar stuff.
> AzMan has the functionality I need, but it's storage of data is a problem.
> Either XML file on disk - OK for development but not for production; or in
> Active Directory, which not all customers will have or want. If AzMan
> could store it's data in SQL Server, that would be ideal, but it doesn't
> seem to support this, so doesn't integrate well with database
> applications. The ASP.NET v2.0 role manager does integrate well with SQL
> Server, but lacks the functionality of AzMan.
> It looks like granular permission checking for true role based access
> control (RBAC), which also integrates well with SQL Server, will need
> custom coding, and isn't something that appears to be addressed in ASP.NET
> Am I missing something here ? This would appear to be a very common need,
> so I find it hard to believe that .NET doesn't provide a solution for
> this, other than "code-it-yourself".
> Andy Mackie.