Exploring Windows 2003 Security: Authorization Manager: Page 2
Inside the Administrator and Developer Modes
Authorization Manager can operate in two modes: administrator and developer. You can switch between them by choosing the Options item from the Action (or context-sensitive) menu when the Authorization Manager top node is selected. Administrator mode permits managing existing applications. Developer mode includes all capabilities granted in administrator mode, but also allows creating new authorization stores and new applications.
Administrator mode is the default and you should treat it as such, switching to developer mode only when necessary. Note that a number of actions might require appropriate privileges (e.g., the capability to create an Active-Directory based authorization store depends on having sufficient permissions to a target container).
Steps for Setting Up an Application
In order to set up a new application with Authorization Manager, follow these steps:
- Start by creating an authorization store. This can be done programmatically or with the Authorization Manager MMC snap-in operating in developer mode. To switch to it from the default administrator mode, highlight the top-level node in the tree pane of Authorization Manager and use the Options item on the Action (or context-sensitive) menu; then select the New Authorization Store option from the same menu. This displays the New Authorization Store dialog box, where you can specify either the LDAP path of the Active Directory-based store or the file system path of an XML file. As mentioned before, when using an Active Directory authorization store, you should create a new container under Program Data by typing CN=MyAuthorizationStore,CN=Program Data,DC=MyDomainName, where MyAuthorizationStore is your arbitrary choice and DC=MyDomainName is the LDAP path of your domain's naming context (e.g. DC=serverwatch,DC=com). This results in MyAuthorizationStore being displayed in the Authorization Manager tree pane. When creating an XML-based authorization store, keep in mind that the volume hosting it needs to be formatted with NTFS.
- Once the authorization store is created, you should ensure that its managers have appropriate permissions. This typically involves assigning the Administrator role to their Windows accounts using the Security tab on the application Properties dialog box (for an Active Directory-based authorization store) or the Security tab on the authorization store Properties dialog box (for an XML-based authorization store). Note also that the service account the application runs under needs to be assigned the Reader role (from the same Security tab).
- The next step is the creation of an application within the authorization store. As before, this can be done programmatically or with the Authorization Manager MMC snap-in in developer mode. The New Application option appears in the Action (and context-sensitive) menu whenever an existing authorization store is selected. You are prompted to provide the application name (which has to match the name used by the managed application) and, optionally, its description and version information.
- After these preliminary steps are completed, you are finally ready to install the application on the server. The installation process typically takes care of defining a set of operations and tasks, displayed in Authorization Manager under the application node created previously. Installation commonly also creates some pre-defined roles, although an administrator can define new ones that better match custom requirements. The roles are based on either the existing set of tasks or new tasks (built from the operations the developer included in the application).
- Neither pre-defined nor custom-created roles take effect until they are assigned to corresponding application or Windows groups (or users). To complete the process, right-click the Role Assignments folder under the application node in the Authorization Manager MMC snap-in and choose the Assign Roles item from the Action (or context-sensitive) menu. This allows you to select the role definitions for which you want to create assignments. These roles then appear under the Role Assignments folder, and for each of them, in turn, you can specify the corresponding application or Windows group.
When an application that was configured using Authorization Manager is launched, it loads its configuration information from the authorization store (Active Directory or XML file) and applies its rules whenever a user connects to it. User credentials are evaluated against the role assignments and, depending on the outcome, permission to perform a task requested by the user is granted or denied.
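The same setup steps (store, Administrator and Reader permissions, application, operations, tasks, role definition, role assignment) and the runtime access check described in the last paragraph can be scripted against the Authorization Manager COM API (AzRoles.dll) instead of clicking through the snap-in. The following PowerShell script is an added example, not code from the article; the store path, the application name ExpenseApp, the operation, task and role names, and the group and account names are constructed values, and the script assumes it runs as an account allowed to create the store and that the named groups and accounts exist.

```powershell
# Added example (not from the article): script the setup steps above against the
# AzMan COM API and then run the access check the application performs at runtime.
# All names and paths below are constructed for the example.

$storePath  = 'C:\AzMan\ExpenseStore.xml'     # constructed; the volume must be NTFS
$storeUrl   = "msxml://$storePath"            # msldap://CN=...,CN=Program Data,DC=... for an AD store
$appName    = 'ExpenseApp'                    # must match the name the managed application uses
$adminGroup = "$env:USERDOMAIN\AzManAdmins"   # constructed: store managers
$readerAcct = "$env:USERDOMAIN\ExpenseSvc"    # constructed: service account the application runs under
$userGroup  = "$env:USERDOMAIN\ExpenseApprovers"  # constructed: Windows group receiving the role

$AZ_AZSTORE_FLAG_CREATE = 1   # Initialize() flag: create the store rather than open it

function ConvertTo-Sid([string]$account) {
    # AddPolicyAdministrator/AddPolicyReader/AddMember take SID strings, so translate the name.
    (New-Object System.Security.Principal.NTAccount($account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Step 1: create the authorization store (what New Authorization Store does in developer mode).
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $storeUrl, $null)
$store.Description = 'Expense approval store (constructed example)'

# Step 2: store managers get the Administrator role, the service account gets the Reader role.
$store.AddPolicyAdministrator((ConvertTo-Sid $adminGroup))
$store.AddPolicyReader((ConvertTo-Sid $readerAcct))
$store.Submit(0, $null)

# Step 3: create the application inside the store.
$app = $store.CreateApplication($appName, $null)
$app.Description = 'Expense reporting (constructed example)'
$app.Submit(0, $null)

# Step 4: what the installer normally does: define an operation, a task, and a role definition.
$op = $app.CreateOperation('ApproveExpense', $null)
$op.OperationID = 101           # numeric ID the application passes to AccessCheck
$op.Submit(0, $null)

$task = $app.CreateTask('Approve expense reports', $null)
$task.AddOperation('ApproveExpense')
$task.Submit(0, $null)

$roleDef = $app.CreateTask('Approver', $null)
$roleDef.IsRoleDefinition = $true   # a task flagged this way appears under Role Definitions
$roleDef.AddTask('Approve expense reports')
$roleDef.Submit(0, $null)

# Step 5: assign the role to a Windows group; nothing takes effect until this is done.
$assignment = $app.CreateRole('Approver', $null)
$assignment.AddTask('Approver')
$assignment.AddMember((ConvertTo-Sid $userGroup))
$assignment.Submit(0, $null)

# Runtime: the application builds a client context for the connecting user and asks AzMan
# whether the requested operation is allowed. A result of 0 means granted; any other value
# (5 = ERROR_ACCESS_DENIED) means denied. An empty scope name checks at the application level.
function Test-ExpenseApproval([string]$user, [string]$domain) {
    $ctx = $app.InitializeClientContextFromName($user, $domain, $null)
    $results = $ctx.AccessCheck('ExpenseReport#42', @(''), @(101))
    return ($results[0] -eq 0)
}

Test-ExpenseApproval -user $env:USERNAME -domain $env:USERDOMAIN
```

The script keeps the same separation the article describes: the operation IDs are the developer's contract with the application, the tasks and role definition are what an installer ships, and only the last step (CreateRole plus AddMember) grants anything to real principals. Changing $storeUrl to an msldap:// path under CN=Program Data moves the same objects into Active Directory without changing the rest of the script.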