Re: AzMan Still the way to go?
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Aug 2006 19:40:32 -0500
The main idea with AzMan is the concept of programming against operations.
Operations are very granular things that should have no overlap in usage.
By grouping operations into tasks and tasks into roles and then mapping
principals (users and groups) to roles, you have a very powerful model for
defining authorization in your app. Since you program directly to the
operations, your code doesn't need to know what roles a user has and that
can be changed by the administrator at runtime. In fact, someone could
define a completely different set of roles to consume the operations you use
in your code and you wouldn't need to change any code at all. That's where
the real power lies.
The main idea behind the XML store is that you need a place to store the
authorization policy and not everyone can stick it in ADAM or AD. Because
it is a hierarchical data model, XML makes good sense as a file-based
storage mechanism. If you were just storing a list of roles, then it
wouldn't be as compelling. Having a text-based file as the policy store
makes a lot of sense from a source control standpoint as well.
Whether or not you have enough authorization to do to warrant AzMan is
another question. It is a powerful model, but it is also complex and is
probably overkill for simple things. If you just have a role or two and the
operations they protect don't overlap or aren't likely to change, then it
probably isn't warranted.
Another nice thing about AzMan is that it supports arbitrary principals, not
just Windows users. For your application (intranet), you'll probably be
most interested in consuming Windows principals for security, but lots of
other people need to store their users in SQL and/or ADAM, and having that
flexibility is very helpful.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John Graham" <jdgraham2@xxxxxxxx> wrote in message
news:1156435600.158800.131560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I've been reading a bunch on the Roles based set-ups people are using,
and am sort of at an impasse. Meaning, I need to stop reading and start
coding.
Brief background, I am starting fresh with an intranet, and was
planning on having the whole site use IIS windows authentication.
However I keep reading about folks still using the Form login with
windows authentication, am I misunderstanding how they are implementing
their setups?
I've started playing around with AzMan, and as I understand it, it's
simply just a connection between a person's AD account and what roles
they are assigned to. Correct? If that's the case, why use an
external XML file for AzMan? Couldn't that be stored in SQL? Or is it
better to have the portability of the XML.
I'm hesitant to jump in with both feet without having the security in
place.
John
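The operations / tasks / roles / principals hierarchy Joe describes, and the hierarchical policy store that goes with it, as an added example that is not part of this thread. It is a simplified in-memory model written for illustration, not AzMan's own COM/.NET API, and the XML below is a constructed policy in an AzMan-like shape, not the real AzMan store schema. It shows the two points made above: application code names only operations, and an administrator can change which roles grant those operations in the store without the code changing.

```python
"""Simplified model of AzMan-style authorization: code checks operations,
the policy store decides which roles (via tasks) grant them."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed policy store in a simplified AzMan-like hierarchy (not the real
# AzMan schema): operations are the granular leaf permissions the code asks
# about, tasks group operations (and other tasks), roles group tasks, and
# Member entries bind principals (users or groups) to roles.
POLICY_XML = """
<AzAdminManager>
  <AzApplication Name="Intranet">
    <AzOperation Name="ReadDocument" OperationID="1"/>
    <AzOperation Name="EditDocument" OperationID="2"/>
    <AzOperation Name="DeleteDocument" OperationID="3"/>
    <AzTask Name="ReviewDocuments">
      <OperationLink>ReadDocument</OperationLink>
    </AzTask>
    <AzTask Name="ManageDocuments">
      <OperationLink>EditDocument</OperationLink>
      <OperationLink>DeleteDocument</OperationLink>
      <TaskLink>ReviewDocuments</TaskLink>
    </AzTask>
    <AzRole Name="Reader">
      <TaskLink>ReviewDocuments</TaskLink>
      <Member>CORP\\Domain Users</Member>
    </AzRole>
    <AzRole Name="Editor">
      <TaskLink>ManageDocuments</TaskLink>
      <Member>CORP\\DocEditors</Member>
    </AzRole>
  </AzApplication>
</AzAdminManager>
"""


@dataclass
class Policy:
    operations: set = field(default_factory=set)
    tasks: dict = field(default_factory=dict)   # name -> {"ops": set, "tasks": set}
    roles: dict = field(default_factory=dict)   # name -> {"tasks": set, "members": set}


def load_policy(xml_text: str, app_name: str) -> Policy:
    """Parse the store for one application and fail closed on dangling links."""
    root = ET.fromstring(xml_text)
    app = root.find(f"AzApplication[@Name='{app_name}']")
    if app is None:
        raise ValueError(f"no application {app_name!r} in policy store")
    pol = Policy()
    for op in app.findall("AzOperation"):
        pol.operations.add(op.get("Name"))
    for task in app.findall("AzTask"):
        pol.tasks[task.get("Name")] = {
            "ops": {e.text for e in task.findall("OperationLink")},
            "tasks": {e.text for e in task.findall("TaskLink")},
        }
    for role in app.findall("AzRole"):
        pol.roles[role.get("Name")] = {
            "tasks": {e.text for e in role.findall("TaskLink")},
            "members": {e.text for e in role.findall("Member")},
        }
    for name, t in pol.tasks.items():
        unknown = (t["ops"] - pol.operations) | (t["tasks"] - pol.tasks.keys())
        if unknown:
            raise ValueError(f"task {name!r} references unknown items {sorted(unknown)}")
    for name, r in pol.roles.items():
        if r["tasks"] - pol.tasks.keys():
            raise ValueError(f"role {name!r} references unknown tasks")
    return pol


def _expand_task(pol: Policy, task_name: str, seen: set) -> set:
    """Collect every operation a task grants, following nested task links;
    the seen-set guards against a cyclic link in a badly edited store."""
    if task_name in seen:
        return set()
    seen.add(task_name)
    t = pol.tasks[task_name]
    ops = set(t["ops"])
    for sub in t["tasks"]:
        ops |= _expand_task(pol, sub, seen)
    return ops


def granted_operations(pol: Policy, principal: str, groups) -> set:
    """Operations the caller holds through any role naming them or one of their groups."""
    identities = {principal, *groups}
    ops = set()
    for role in pol.roles.values():
        if role["members"] & identities:
            for task in role["tasks"]:
                ops |= _expand_task(pol, task, set())
    return ops


def access_check(pol: Policy, principal: str, groups, requested) -> dict:
    """Per-operation answer, which is all application code ever asks for:
    it names operations and never inspects roles."""
    unknown = set(requested) - pol.operations
    if unknown:
        raise ValueError(f"unknown operations {sorted(unknown)}")
    held = granted_operations(pol, principal, groups)
    return {op: op in held for op in requested}


def admin_add_task_to_role(xml_text: str, app_name: str, role_name: str, task_name: str) -> str:
    """Simulate the administrator editing the store at runtime; no code changes."""
    root = ET.fromstring(xml_text)
    role = root.find(f"AzApplication[@Name='{app_name}']/AzRole[@Name='{role_name}']")
    if role is None:
        raise ValueError(f"no role {role_name!r}")
    ET.SubElement(role, "TaskLink").text = task_name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    alice = ("CORP\\alice", ["CORP\\Domain Users"])   # constructed principal
    ops = ["ReadDocument", "EditDocument", "DeleteDocument"]
    pol = load_policy(POLICY_XML, "Intranet")
    print(access_check(pol, *alice, ops))
    # Administrator lets Readers manage documents; the same check now answers differently.
    pol2 = load_policy(admin_add_task_to_role(POLICY_XML, "Intranet", "Reader", "ManageDocuments"), "Intranet")
    print(access_check(pol2, *alice, ops))
```

The text-based store is what makes the second half of the demonstration possible: the role edit is a diff against an XML file that can live in source control, while the application only ever calls `access_check` with operation names.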