June 2, 2009

AzMan (history lesson)

Before we actually dive into code and how to use AzMan within our applications, it is important to know what AzMan is.

AzMan was rolled into Windows Server 2003 a few years ago and did not really get that much attention. When I was building an application a few years ago, I needed a fine-grained approach to authorizing users. I wanted a real RBAC system and something that I would be able to use within a .NET application. I read about this COM-based API called AzMan that would be able to solve my problems. It is a full RBAC system and had a backing store (at the time) of AD or XML. The breakdown was basically that a user had one or more Roles, and a Role was made up of other Roles, Tasks, or Operations. Tasks were made up of Operations or other Tasks, and Operations were the low-level "methods". Another way to say it: a role named Executive contains a task named Exec, and Exec contains an operation named DoEverything.
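To make that hierarchy concrete, here is an added example (my own constructed in-memory model, not the AzMan COM API or the Application Block) that flattens roles through nested tasks down to operations, guards against a cyclic definition, and answers the same scope/operation question the wrapper below asks. Only Executive, Exec and DoEverything come from the post; the other roles, tasks, scopes and user names are made up.

```python
from collections import deque

# Constructed policy store standing in for an AzMan application. "Executive",
# "Exec" and "DoEverything" are the post's names; everything else is made up.
OPERATIONS = {"DoEverything", "ReadReport", "ApproveReport"}

# Task -> members: a task groups operations and/or other tasks.
TASKS = {
    "Exec": {"DoEverything", "ReportingTask"},
    "ReportingTask": {"ReadReport", "ApproveReport"},
    "LoopA": {"LoopB"},                 # deliberately cyclic, to exercise the guard
    "LoopB": {"LoopA", "ReadReport"},
}

# Role -> members: a role groups other roles, tasks and/or operations.
ROLES = {
    "Executive": {"Exec"},
    "Reader": {"ReadReport"},
    "Auditor": {"Reader", "LoopA"},
}

# Scope -> role -> users assigned to that role in that scope
# (real AzMan stores SIDs; plain names keep the example readable).
ASSIGNMENTS = {
    "Finance": {"Executive": {"alice"}, "Auditor": {"bob"}},
    "HR": {"Reader": {"bob"}},
}

def effective_operations(role):
    """Flatten a role into the low-level operations it ultimately grants."""
    granted, seen, queue = set(), set(), deque([role])
    while queue:
        item = queue.popleft()
        if item in seen:                # cycle guard for self-referencing definitions
            continue
        seen.add(item)
        if item in OPERATIONS:
            granted.add(item)
        else:
            queue.extend(ROLES.get(item, set()) | TASKS.get(item, set()))
    return granted

def check_access(user, scope, operation):
    """The wrapper's CheckAccess(scope, operation) question, for a named user."""
    if operation not in OPERATIONS:
        raise ValueError("unknown operation: %s" % operation)  # fail closed on typos
    return any(user in users and operation in effective_operations(role)
               for role, users in ASSIGNMENTS.get(scope, {}).items())
```

Note that an unknown operation name raises rather than silently returning False, so a misspelled operation in application code is caught instead of being quietly denied or, worse, quietly assumed.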

Most people don't remember that Microsoft actually released some open source code to help with AzMan. Back in the day before EntLib, we had Microsoft Application Blocks. One of the blocks was Microsoft.ApplicationBlocks.Security. This had some form of a wrapper around the Interop, but it was very confusing. If you look back or search Google you may be able to find the original AzManProvider.cs that Microsoft released. At that time, I wrote a wrapper around the wrapper that Microsoft wrote! Here is what it looked like:


using System;
using System.Threading;
using System.Collections.Specialized;
using System.Security;
using System.Security.Principal;

using Microsoft.ApplicationBlocks.Security.Authorization;

namespace Microsoft.ApplicationBlocks.Security.Wrappers
{
    /// <summary>
    /// Thin wrapper over the Application Block's ExtendedPrincipal so callers
    /// only deal with scope/operation strings and role names.
    /// </summary>
    public sealed class AuthorizationHelper
    {
        private ExtendedPrincipal principal;

        // Builds the principal, makes it the thread's current principal and
        // points it at the named AzMan provider and AzMan application.
        public AuthorizationHelper(IIdentity ident, string auditID, string provName, string appName)
        {
            principal = ExtendedPrincipal.Create(ident);
            Thread.CurrentPrincipal = principal;
            principal.AuditIdentifier = auditID;
            principal.AuthorizationProvider = provName;
            principal.AuthorizationParameters.Add(AzManProvider.ApplicationName, appName);
        }

        // Same, but relies on the provider's configured application name.
        public AuthorizationHelper(IIdentity ident, string auditID, string provName)
        {
            principal = ExtendedPrincipal.Create(ident);
            Thread.CurrentPrincipal = principal;
            principal.AuditIdentifier = auditID;
            principal.AuthorizationProvider = provName;   // provider must be set before CheckAccess
        }

        // Asks the provider whether the current identity may perform
        // 'operation' within 'scope'; both are passed through as parameters.
        public bool CheckAccess(string scope, string operation)
        {
            principal.AuthorizationParameters["scope"] = scope;
            principal.AuthorizationParameters["operation"] = operation;

            return principal.CheckAccess();
        }

        // Role names the provider resolved for the current identity.
        public StringCollection GetRoles()
        {
            return principal.GetRoles();
        }

        public bool IsInRole(string role)
        {
            return principal.IsInRole(role);
        }
    }
}


That was some very old .NET 1.1 code and a wrapper around what Microsoft wrote. It allowed me to then do the following in my application:


AuthorizationHelper auth = new AuthorizationHelper(WindowsIdentity.GetCurrent(), "auditID", "azmanProvider", "TestApplication");

lstRoles.DataSource = auth.GetRoles();
lstRoles.DataBind();


Not the best, but it allowed me to at least get what I needed. From that point on, though, I ran into many issues with AzMan, and as newer versions of .NET came out my code changed dramatically. I'll share this as I continue writing posts on AzMan.
