AzMan, Scopes and Access Check



Hi - I have a question about AzMan and how access checks are handled in scopes.

My goal is to manage security in different 'contexts'. I may be a user who
has different access for different 'clients', for example. I want to use
Scopes to determine what access that user has at any given time. I want to
use Application-Level groups and roles to provide a 'default' set of
permissions and then override them based on scope.

I'm using AzMan Service Pack 1.

I have operations, tasks and roles defined at the Application level. I
create an Application Group (Adjusters), add Everyone to it, and assign it to
'Adjuster' at the Application Level. RoleA has access to ONE operation only
(for testing purposes).

I then create a scope, another Application Group (AdjustersA), add Adjusters
to it as a Member but add myself as a NON-Member. I assign the Adjuster role
within the scope, and add AdjusterA to the role. So at this point, the
Adjuster role in the scope should have Everyone But Me access.

I would think that, if I called AccessCheck for the scope with all
operations, that I would not have access, because of the entry in the
NON-Member. This is not the case though.

I would think that this is a pretty serious issue - shouldn't the Exclusion
override any Inclusion?

Note that I get the expected behavior at the Application Level, or if I
remove the role assignment at the application level. Any thoughts? I'm
currently thinking of different ways to do this, but I'm wondering if this is
expected behavior.

Included is my XML store file:

<?xml version="1.0" encoding="utf-8"?>
<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Guid="c9a5d621-f40d-4f02-a5e2-ff0f9db437ef" Name="TestApplication" Description="" ApplicationVersion="">
    <AzApplicationGroup Guid="5d7d3f65-4b55-41a5-ab62-5e99734ef20c" Name="Adjusters" Description="" GroupType="Basic">
      <Member>S-1-1-0</Member>
    </AzApplicationGroup>
    <AzApplicationGroup Guid="75bbba46-16b0-4d39-9d3c-6d741204bfe0" Name="Supervisors" Description="" GroupType="Basic">
      <Member>S-1-5-21-823518204-879983540-682003330-5762</Member>
    </AzApplicationGroup>
    <AzApplicationGroup Guid="1a263583-aace-450b-9e8e-9e67afbb00e4" Name="Administrators" Description="" GroupType="Basic">
      <Member>S-1-5-21-823518204-879983540-682003330-5786</Member>
    </AzApplicationGroup>
    <AzOperation Guid="fb5bbaf5-38a2-438e-80b9-aa5586db9163" Name="Add Claim" Description=""><OperationID>1</OperationID></AzOperation>
    <AzOperation Guid="fb05c670-3717-4160-b9dc-3aa7ab0b659f" Name="Save Claim" Description=""><OperationID>2</OperationID></AzOperation>
    <AzOperation Guid="253725db-6071-4d0a-b895-187ac0d8a2ca" Name="Set Reserves" Description=""><OperationID>3</OperationID></AzOperation>
    <AzOperation Guid="072c0d11-ff0f-435f-befd-93bf5fdf9c9e" Name="Edit Reserves" Description=""><OperationID>4</OperationID></AzOperation>
    <AzOperation Guid="82976c25-3390-4f55-90ef-17a93f93a2d0" Name="Add Client" Description=""><OperationID>100</OperationID></AzOperation>
    <AzOperation Guid="18aad0b8-79d5-4d6a-a7ad-010c6d20787d" Name="Edit Client" Description=""><OperationID>101</OperationID></AzOperation>
    <AzOperation Guid="2c433af0-7c30-4f24-a6c6-997f050b18e2" Name="Delete Client" Description=""><OperationID>102</OperationID></AzOperation>
    <AzOperation Guid="d0e5b5b5-2408-414c-ad1b-f92ba1a0068d" Name="Add Code" Description=""><OperationID>200</OperationID></AzOperation>
    <AzOperation Guid="7c998b4b-389a-49e3-b857-b02b18a73e0f" Name="Edit Code" Description=""><OperationID>201</OperationID></AzOperation>
    <AzOperation Guid="0f106993-2a4f-4066-992c-6dee542d967a" Name="Delete Code" Description=""><OperationID>202</OperationID></AzOperation>
    <AzTask Guid="883147a9-f740-4c8d-9fbc-f53fa1002353" Name="Add Claim Task" Description="" BizRuleImportedPath="">
      <OperationLink>fb5bbaf5-38a2-438e-80b9-aa5586db9163</OperationLink>
    </AzTask>
    <AzTask Guid="3b1c67f9-adeb-4673-8e4f-1f5d8b2ec17c" Name="Edit Claim Task" Description="" BizRuleImportedPath="">
      <OperationLink>072c0d11-ff0f-435f-befd-93bf5fdf9c9e</OperationLink>
      <OperationLink>253725db-6071-4d0a-b895-187ac0d8a2ca</OperationLink>
      <OperationLink>fb05c670-3717-4160-b9dc-3aa7ab0b659f</OperationLink>
    </AzTask>
    <AzTask Guid="1d090c3f-5856-4a2e-bce7-6aeb5b43d019" Name="Edit Client Task" Description="" BizRuleImportedPath="">
      <OperationLink>18aad0b8-79d5-4d6a-a7ad-010c6d20787d</OperationLink>
      <OperationLink>2c433af0-7c30-4f24-a6c6-997f050b18e2</OperationLink>
      <OperationLink>82976c25-3390-4f55-90ef-17a93f93a2d0</OperationLink>
    </AzTask>
    <AzTask Guid="1ea88888-eca0-46cc-8730-1569daf401ff" Name="Edit Code Task" Description="" BizRuleImportedPath="">
      <OperationLink>0f106993-2a4f-4066-992c-6dee542d967a</OperationLink>
      <OperationLink>7c998b4b-389a-49e3-b857-b02b18a73e0f</OperationLink>
      <OperationLink>d0e5b5b5-2408-414c-ad1b-f92ba1a0068d</OperationLink>
    </AzTask>
    <AzTask Guid="e2ad3dfb-077f-4163-b094-a7b40eb2dadd" Name="Adjuster" Description="" BizRuleImportedPath="" RoleDefinition="True">
      <TaskLink>883147a9-f740-4c8d-9fbc-f53fa1002353</TaskLink>
    </AzTask>
    <AzTask Guid="aff7e968-969a-4b5c-9048-ee1306811290" Name="Supervisor" Description="" BizRuleImportedPath="" RoleDefinition="True">
      <TaskLink>3b1c67f9-adeb-4673-8e4f-1f5d8b2ec17c</TaskLink>
    </AzTask>
    <AzTask Guid="81d3d710-36c2-4c59-8405-855758578b21" Name="Administrator" Description="" BizRuleImportedPath="" RoleDefinition="True">
      <TaskLink>1ea88888-eca0-46cc-8730-1569daf401ff</TaskLink>
      <TaskLink>1d090c3f-5856-4a2e-bce7-6aeb5b43d019</TaskLink>
    </AzTask>
    <AzRole Guid="3b2fc3d7-2c5f-4207-8ff9-da2be483d9fe" Name="Administrator">
      <TaskLink>81d3d710-36c2-4c59-8405-855758578b21</TaskLink>
      <AppMemberLink>1a263583-aace-450b-9e8e-9e67afbb00e4</AppMemberLink>
    </AzRole>
    <AzRole Guid="7291067d-a4c1-4804-a594-5b246d1537fd" Name="Supervisor">
      <TaskLink>aff7e968-969a-4b5c-9048-ee1306811290</TaskLink>
      <AppMemberLink>75bbba46-16b0-4d39-9d3c-6d741204bfe0</AppMemberLink>
    </AzRole>
    <AzScope Guid="82651a54-ce4e-4026-b275-f6733587a796" Name="CompanyA" Description=""/>
    <AzScope Guid="00b0eb4a-22dc-4ba9-862b-4476bba89138" Name="CompanyB" Description="">
      <AzApplicationGroup Guid="65935043-f929-4d3c-940e-c0f5a321c10e" Name="AdjustersFGSC" Description="" GroupType="Basic">
        <AppMemberLink>5d7d3f65-4b55-41a5-ab62-5e99734ef20c</AppMemberLink>
        <NonMember>S-1-5-21-823518204-879983540-682003330-5766</NonMember>
      </AzApplicationGroup>
      <AzRole Guid="c9ef9ac2-93bd-425f-aca2-1e0f0f4f9160" Name="Adjuster(1)">
        <TaskLink>e2ad3dfb-077f-4163-b094-a7b40eb2dadd</TaskLink>
        <AppMemberLink>65935043-f929-4d3c-940e-c0f5a321c10e</AppMemberLink>
      </AzRole>
    </AzScope>
    <AzRole Guid="106ef935-76e7-4be3-b3ea-56df3a2800ea" Name="Adjuster">
      <TaskLink>e2ad3dfb-077f-4163-b094-a7b40eb2dadd</TaskLink>
      <AppMemberLink>5d7d3f65-4b55-41a5-ab62-5e99734ef20c</AppMemberLink>
    </AzRole>
  </AzApplication>
</AzAdminManager>
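The behaviour described in the post can be reproduced with a small model of the store. This is an added example, not code from the post, from AzMan or from Microsoft; it assumes three AzMan rules as I understand them: role assignments made at the application level also apply inside every scope, AccessCheck grants an operation as soon as any one role assignment grants it, and a NonMember entry only removes the user from that particular group rather than from every role. The store below is a constructed, trimmed copy of the posted one with short ids in place of the GUIDs and a constructed SID standing in for the poster; the function names (load_store, is_member, task_operations, access_check) are my own.

```python
import xml.etree.ElementTree as ET

# Constructed store mirroring the post: Adjusters (Everyone) holds the Adjuster
# role at application level; scope CompanyB has AdjustersFGSC, which links
# Adjusters but excludes one SID, and assigns the same role definition.
STORE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzAdminManager MajorVersion="1" MinorVersion="0">
<AzApplication Guid="app" Name="TestApplication">
  <AzApplicationGroup Guid="adjusters" Name="Adjusters" GroupType="Basic">
    <Member>S-1-1-0</Member>
  </AzApplicationGroup>
  <AzOperation Guid="op-add" Name="Add Claim"><OperationID>1</OperationID></AzOperation>
  <AzOperation Guid="op-save" Name="Save Claim"><OperationID>2</OperationID></AzOperation>
  <AzTask Guid="t-add" Name="Add Claim Task"><OperationLink>op-add</OperationLink></AzTask>
  <AzTask Guid="rd-adjuster" Name="Adjuster" RoleDefinition="True"><TaskLink>t-add</TaskLink></AzTask>
  <AzScope Guid="scope-b" Name="CompanyB">
    <AzApplicationGroup Guid="adjusters-fgsc" Name="AdjustersFGSC" GroupType="Basic">
      <AppMemberLink>adjusters</AppMemberLink>
      <NonMember>S-1-5-21-0-0-0-5766</NonMember>
    </AzApplicationGroup>
    <AzRole Guid="r-adjuster-b" Name="Adjuster(1)">
      <TaskLink>rd-adjuster</TaskLink><AppMemberLink>adjusters-fgsc</AppMemberLink>
    </AzRole>
  </AzScope>
  <AzRole Guid="r-adjuster" Name="Adjuster">
    <TaskLink>rd-adjuster</TaskLink><AppMemberLink>adjusters</AppMemberLink>
  </AzRole>
</AzApplication>
</AzAdminManager>"""

EVERYONE = "S-1-1-0"
EXCLUDED_USER = "S-1-5-21-0-0-0-5766"   # constructed SID standing in for "me"


def load_store(xml_text):
    """Read groups, operations, tasks and role assignments (with their scope)."""
    app = ET.fromstring(xml_text).find("AzApplication")
    store = {"groups": {}, "ops": {}, "tasks": {}, "roles": []}

    def read_groups(parent):
        for g in parent.findall("AzApplicationGroup"):
            store["groups"][g.get("Guid")] = {
                "members": {m.text for m in g.findall("Member")},
                "nonmembers": {m.text for m in g.findall("NonMember")},
                "links": {m.text for m in g.findall("AppMemberLink")},
            }

    def read_roles(parent, scope):
        for r in parent.findall("AzRole"):
            store["roles"].append({
                "scope": scope,   # None means assigned at application level
                "tasks": {t.text for t in r.findall("TaskLink")},
                "groups": {g.text for g in r.findall("AppMemberLink")},
            })

    read_groups(app)
    read_roles(app, None)
    for op in app.findall("AzOperation"):
        store["ops"][op.get("Guid")] = int(op.findtext("OperationID"))
    for t in app.findall("AzTask"):
        store["tasks"][t.get("Guid")] = {
            "ops": {o.text for o in t.findall("OperationLink")},
            "tasks": {s.text for s in t.findall("TaskLink")},
        }
    for sc in app.findall("AzScope"):
        read_groups(sc)
        read_roles(sc, sc.get("Name"))
    return store


def is_member(user_sids, group_guid, store):
    """Assumed AzMan rule: a NonMember hit wins over Member and linked groups;
    otherwise membership is the union of direct members and linked groups."""
    g = store["groups"][group_guid]
    if user_sids & g["nonmembers"]:
        return False
    if user_sids & g["members"]:
        return True
    return any(is_member(user_sids, link, store) for link in g["links"])


def task_operations(task_guid, store):
    """Expand a task (or role definition) into the set of operation IDs."""
    t = store["tasks"][task_guid]
    ops = {store["ops"][o] for o in t["ops"]}
    for sub in t["tasks"]:
        ops |= task_operations(sub, store)
    return ops


def access_check(user_sids, scope, op_id, store, inherit_app_roles=True):
    """Grant if ANY role assignment visible in the scope grants op_id.
    Application-level assignments are assumed to apply in every scope;
    pass inherit_app_roles=False to model removing them, as the post tried."""
    for role in store["roles"]:
        if role["scope"] not in (scope, None):
            continue
        if role["scope"] is None and not inherit_app_roles:
            continue
        role_ops = set().union(*(task_operations(t, store) for t in role["tasks"]))
        if op_id in role_ops and any(is_member(user_sids, g, store) for g in role["groups"]):
            return True
    return False


if __name__ == "__main__":
    store = load_store(STORE_XML)
    token = {EXCLUDED_USER, EVERYONE}   # a real Windows token always carries Everyone
    print("member of AdjustersFGSC:", is_member(token, "adjusters-fgsc", store))
    print("Add Claim in CompanyB:", access_check(token, "CompanyB", 1, store))
    print("same, without the app-level assignment:",
          access_check(token, "CompanyB", 1, store, inherit_app_roles=False))
```

Run as-is, the excluded user is correctly not a member of AdjustersFGSC, yet AccessCheck in CompanyB still grants "Add Claim": the grant comes from the application-level Adjuster assignment to Adjusters (Everyone), which the NonMember entry in a different group never touches. Only when that application-level assignment is withheld does the scope-level exclusion produce the denial, which matches the post's observation. The practical consequence for a least-privilege design is that an exclusion in one group is not a deny rule across the application; if a scope must narrow access, the broad application-level grant has to be removed and the access granted per scope instead.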