Role-based access control enables you to assign users to roles and to keep track of what permissions have been given to each role. You can also apply very specific control by using scripts called authorization rules. Authorization rules enable you to control the relationship between access control and the structure of your organization.

Authorization Manager can help provide effective control of access to resources in many situations. Generally, two categories of roles often benefit from role-based administration: user authorization roles and computer configuration roles.

Using developer mode and administrator mode in Authorization Manager

With Authorization Manager, you can use the following two modes:

  • Developer mode. In developer mode, you can create, deploy, and maintain applications. You have unrestricted access to all Authorization Manager features.

  • Administrator mode. This is the default mode. In administrator mode, you can deploy and maintain applications. You have access to all Authorization Manager features, but you cannot create new applications or define operations.

Commonly, Authorization Manager is used by custom applications written for a specific purpose in your environment. These applications usually create, manage, and use an authorization store by calling the Authorization Manager application programming interfaces (APIs). In that case, you do not need to use developer mode. For more information about using Authorization Manager programmatically, see Resources for Authorization Manager.

When you use developer mode, it is recommended that you run Authorization Manager in developer mode only until the authorization store, application, and other necessary objects are created and configured. After you initially set up Authorization Manager, run Authorization Manager in administrator mode. For more information about using developer or administrator mode, see Set Authorization Manager Options.

Comparing Authorization Manager to other management tools

You can use Authorization Manager to implement multiple configuration and permission changes at once. Other management tools available with this version of Windows can also be used to configure access permissions, sometimes in ways comparable to Authorization Manager. These include:

  • Access control lists. Access control lists (ACLs) on the Security properties tab can be used to manage access control policy for objects stored in Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), and Windows objects. Authorization Manager differs from the Security properties tab by letting you base your access control on roles (usually based on particular job tasks), not just on group membership, and by tracking the permissions that have been granted.

  • Delegation of Control Wizard. The Delegation of Control Wizard also sets multiple permissions automatically; however, unlike Authorization Manager, it does not provide a method to track or remove permissions that have been granted.

Additional references