Role Based Security Using Authorization Manager in Windows Server 2003

Authorization Manager in Windows 2003 is the more flexible, scalable and easier administration tool for role based security. Using Authorization Manager we can define roles and the tasks that roles can perform. We can create roles that inherit the characteristics of other roles and application groups. We can also use scripts to change the permissions dynamically.  The security policy can be stored in Active directory or as XML file. To check the access permissions, Authorization Manager provides easy API.

Authorization Manager is commonly called as AzMan. This can be used in any application that needs role based authorization. The only concern is that this feature is available only in Windows Server 2003 and will ship with feature releases of the Operation System. There are two parts of Azman. First one is the Runtime provided by Azroles.dll which exposes the COM interface used by applications and the second one is the Administration UI which is an MMC snap in. You can try this by running Azman.msc or by adding Authorization Manager in the MMC console. All permissions created in the Authorization Manager are stored in the Information Store which can be in the form of XML file or can be Active Directory. Following diagram is the logical flow of the working model of Authorization Manager.     

AuthMan1.gif

Following are steps involved in creating the store, application, operations, tasks, assigning operations to tasks, define roles, assign operations to roles, assign roles to applications, assign users/ user groups to roles and create scope.

AuthMan2.gif

The Following diagram shows the access check logic involved in the authorization mechanism.

AuthMan3.gif

Now let's go by an example. Assume that we are going to create an intranet web application which involves different modules for the Finance department, Human Resource department and Project management. Person in one department should be allowed to access only the module in which he belongs to. Let's see how we can create Operations, Tasks and Roles and other required activities in Authorization Manager to control all this.

Step 1

Click on the start menu and choose run option

Type AzMan.msc and click OK, this command will open authorization manager
 
AuthMan4.gif

Step 2

Choose the Action menu and click on the options, a dialog box with developer or administrator mode opens. Choose the developer mode.

AuthMan5.gif

Step 3

Choose the Action menu and click on the new authorization store. User will get the option to create XML or Active Directory authorization store. Here I have chosen XML Authorization store.

Specify the location for the XML file and enter some description if required.

AuthMan6.gif

Step 4

Click on the action menu again and select New Application option.

AuthMan7.gif

Step 5

I named the new application as "SatheeshApp" with some description and versioned it as 1.0.

AuthMan8.gif

Step 6 

Expand the application and select Operation Definition under Definitions folder. Now select the Action menu or place the cursor on the right pane and right click to open the context menu. Select the option to create new operation definition. Specify Name, Description and Operation number for the new operation. Let's create the operation as "Operation_ModifySalaryDetails". This is for the people in the Finance Department who can access the module to modify employee salary details. Like this create two more operations for the Project managers and Human resource people for their respective operations such as "Operation_ModifyEmployeeInformation" and "Operation_CreateModifyProjectDetails". Make sure you are giving a unique operation number for each operation that you create.  
 
AuthMan9.gif

AuthMan10.gif

Step 7

Now Select the Task Definitions folder and select New Task under Action menu or right click and choose the option for creating new tasks. Each task that we create here will have one or more operations associated to it. Task can also have tasks in it. Let's give a unique name for the task and a description for the task and say ok to create it. 

AuthMan11.gif

Step 8

Select the new task created and then choose the option for the definitions. Under the definition tab click on add and select the respective operations for the task. For the task "Tasks_HumanResource", I selected the operation "Operation_ModifyEmployeeInformation". Like this select each task and assign the respective operations to it.

AuthMan12.gif 

AuthMan13.gif

Step 9

Now we have all the operations and tasks defined for each module.

AuthMan14.gif

Step 10

Now select the role definitions under the definitions folder and create new roles as "Project managers", "Finance Managers", "Human Resource" with description for each. 

AuthMan15.gif

AuthMan16.gif

Step 11

Select each role and choose the option to assign tasks to it. Now choose the respective tasks for the role defined. For example, I have chosen the task "Tasks_ProjectManagement" for the "Project Managers" role as the project managers are allowed to perform only the project management related operations.

AuthMan17.gif

Step 12

In previous step we have defined the common roles and the tasks for each role. Now we have to assign only the roles which are suitable for the application we have created. All the roles that are defined may not be suitable for our application. Select the "Role Assignments" folder under the application folder and then choose the menu option Action -> Assign Roles... Now select required roles which are suitable for the application from the list. You can see the figure in Step 15 which shows the roles assigned to the application.

AuthMan18.gif

Step 13

We have defined the operations, tasks and roles. We have assigned the respective roles to the application. Now we have to assign the windows users and create groups for the roles that we have defined.  Choose the folder "Groups" under the application (in our case SatheeshApp ) folder and then right click and choose the option to create New application Group. Name the application group with a description and say ok to it. Now right click on the application group that you created and select properties. In properties windows, select members tab and click on the option "Add Windows Users and Groups..." and add all users who are part of the respective departments. For example, create a Human resource application group and add all human resource people under that group. 

AuthMan19.gif

AuthMan20.gif 

AuthMan21.gif

Step 14

We have defined all the required things for our role based security. Now we have to somehow link the Roles with the application groups. Then only we can find out the role and operation permission for the user who logs in to the system. Select the role which we have assigned to the application (under the folder role assignments). Now right click the role and choose the option to assign the Application Groups to assign users/ user groups to the respective roles.  

AuthMan22.gif

Step 15

We have completed defining the role based security for the application. Now we have to create scope, if required. Here the scope means grouping the above definitions. For example, let's say my office has branch in US and UK. The human resource people at US should be able to access only the module/Details of the US Employees. They should not be allowed to use the modules which are to UK branch office only. In this case we can create scopes (for US and UK separately) for the application and define the roles and operations for that scopes. So when the user logs in then we can check his/her permissions under the respective scope and redirect the user accordingly. The following figure shows how we can create the scope and define the permissions. 

AuthMan23.gif
  
AuthMan24.gif

Step 16

We have the role based security defined in the Authorization manager.  Now let's see how we can make use of it in the application by using a simple web application.  

Create a new c# web application.

Add reference to "Microsoft.Interop.Secuirty.AzRoles.dll". This one has the APIs to access the Authorization manager store and the permissions.

Now add a code file to the project with the name CheckAccess to have the business logic in it. In the configuration file (web.config), specify the location of the authorization store XML file. Add a resource file to store all operations name and the operations IDs.  The following image shows the resource file with the Operations name and the ID.

AuthMan25.gif 

Open CheckAccess code file, remove all code in it and include the following c# code to it.

using System;

using System.Data;

using System.Configuration;

using System.Web;

using System.Web.Security;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.WebControls.WebParts;

using System.Web.UI.HtmlControls;

using Microsoft.Interop.Security.AzRoles;

using System.Runtime.InteropServices;

 

 

/// <summary>

/// Summary description for CheckAccess

/// </summary>

 

namespace BusinessComponent

{

    public class CheckAccess

    {

                   # region Constants

 

                       public enum ScopeName

                       {

                             GENERAL = 0,

                             ENGINEERING = 1,

                  BUSINESSINTELLIGENCE = 2,

                  BPO = 3

                       }

 

                   #endregion

 

                   # region Methods

 

                   public bool CheckAccessPermissions(HandleRef token, string name, ScopeName scopeName, int operationID)

                   {

                            

                             AzAuthorizationStore authorizationStore = new AzAuthorizationStoreClass();

                             authorizationStore.Initialize(0, ConfigurationSettings.AppSettings["AuthorizationStorePath"], null);

                             IAzApplication iazApplication = authorizationStore.OpenApplication("SatheeshApp", null);

                             IAzClientContext context = iazApplication.InitializeClientContextFromToken((UInt64)token.Handle, 0);

                             object results = new object[1];

                             Object[] operation = new Object[1];

                             Object[] scope = new Object[1];

                             Object[] names = new Object[1];

                             Object[] values = new Object[1];

                             operation[0] = operationID;

                             if (scopeName == ScopeName.GENERAL)

                             {

                                      scope[0] = "GENERAL";

                             }

                             names[0] = "";

                             values[0] = "";

                             try

                             {

                                      results = context.AccessCheck(name, scope, operation, names, values, null, null, null);

                                      object[] returnResults = (object[])results;

                                      if (returnResults[0].ToString() == "0")

                                      {

                                                return true;

                                      }

                                      else

                                      {

                                                return false;

                                      }

                             }

                             catch (Exception ex)

                             {

 

                                      // Handle Exception

                                     

                             }

                   }
  
The method CheckAccessPermissions uses four parameters as below

  • Token - user context
  • Name - operation name 
  • Scope - current scope (Default is General) 
  • ID   - operation ID

The method context.AccessCheck is the API for accessing the permissions in the authorization store. This one first checks the user's application group and then checks the roles for which the application group is assigned. Lastly it checks for the operation ID assigned to that particular role. This method returns true if the operation is present which means that the user is allowed to perform the operation.    

Lets see an example of how we can call this method from the web page to see whether the user has permission for that page or not. Rename the Default.aspx and the Default.aspx.cs file to ModifyEmployeeInformation.aspx and ModifyEmployeeInformation.aspx.cs. Now open the code file and replace the code with the following.

using System;

using System.Data;

using System.Configuration;

using System.Web;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.WebControls.WebParts;

using System.Web.UI.HtmlControls;

using System.Web.Security;

using System.Runtime.InteropServices;

using System.Configuration;

using BusinessComponent;

 

public partial class _Default : System.Web.UI.Page

{

    protected void Page_Load(object sender, EventArgs e)

    {

            CheckAccess accessCheckObj;

                             bool hasAccess = false;

                             accessCheckObj = new CheckAccess();

                             //Get user Token

                             HandleRef token = new HandleRef(this, ((HttpWorkerRequest)((IServiceProvider)Context).GetService(typeof(HttpWorkerRequest))).GetUserToken());

            // This code will check the access permission for the logged in user for Modifying Employee Information

                             try

                             {

                             hasAccess = accessCheckObj.CheckAccessPermissions(token

                                                                             , Resources.Operations.ModifyEmployeeInformation.ToString()

                                                                                      , AccessCheck.ScopeName.GENERAL

                                                                                       , Convert.ToInt32(Resources.Operations.ModifyEmployeeInformationID.ToString()));

                // if has Access is true then the user has the permission to proceed and perform the operation

                // else he/she should be redirected to the access denied page

                             }

            catch (Exception ex)

                             {

                                      // Handle Exception

                             }

    }

}

When the page gets loaded, the page load event checks the user's permission for accessing this page. Depending on the result, you can furthur have your own code to handle it. I have written the code to check the permission in the page load event but it should actually be done  before loading the page itself. Just for example I wrote it in the page load event.

I have attached the sample code and the authorization store xml file with this article. You can modify that and try out.

Summary 

Using authorization store for role based security reduces lot of coding work. Also it has the flexibility of storing the information in XML file or Active directory. AuthMan is more preferred when we use Windows 2003 as the application server. There are lot more dynamic things that we can do using Authorization manager. Visit msdn for more details on Authorization manager. 


Similar Articles