Role-based access control enables you to assign users to roles and to keep track of what permissions have been given to each role. You can also apply very specific control by using scripts called authorization rules. Authorization rules enable you to control the relationship between access control and the structure of your organization.
Authorization Manager can help provide effective control of access to resources in many situations. Two categories of roles generally benefit from role-based administration: user authorization roles and computer configuration roles.
- User authorization roles are based on a user's job function. You can use authorization roles to authorize access, to delegate administrative privileges, or to manage interaction with computer-based resources. For example, you might define a Treasurer role that includes the right to authorize expenditures and audit account transactions.
- Computer configuration roles are based on a computer's function. You can use computer configuration roles to select features that you want to install, to enable services, and to select options. For example, computer configuration roles for servers might be defined for Web servers, domain controllers, file servers, and custom server configurations that are appropriate to your organization.
Using developer mode and administrator mode in Authorization Manager
With Authorization Manager, you can use the following two modes:
- Developer mode. In developer mode, you can create, deploy, and maintain applications. You have unrestricted access to all Authorization Manager features.
- Administrator mode. This is the default mode. In administrator mode, you can deploy and maintain applications. You have access to all Authorization Manager features, but you cannot create new applications or define operations.
Commonly, Authorization Manager is used by custom applications written for a specific purpose in your environment. These applications usually create, manage, and use an authorization store by calling the Authorization Manager application programming interfaces (APIs). In that case, you do not need to use developer mode. For more information about using Authorization Manager programmatically, see Resources for Authorization Manager.
If you do use developer mode, run Authorization Manager in that mode only until the authorization store, application, and other necessary objects have been created and configured. After that initial setup, run Authorization Manager in administrator mode. For more information about using developer or administrator mode, see Set Authorization Manager Options.
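The following PowerShell script is an added example, not code from this page or from Microsoft: it shows what a custom application does when it creates and uses an authorization store through the Authorization Manager COM API (AzRoles), building the Treasurer role described above. It assumes a Windows host where azroles.dll is registered and a writable temp folder; the application, operation, task, and object names are constructed for the example.

```powershell
# Added example: create an XML-backed Authorization Manager store, define an
# application with operations, a task and a role, assign the current user to the
# role, then perform an access check. Names below are constructed for the example.
$storePath = Join-Path $env:TEMP 'ExpenseStore.xml'
if (Test-Path $storePath) { Remove-Item $storePath }

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
# AZ_AZSTORE_FLAG_CREATE (1) creates a new store at the msxml:// policy URL.
$store.Initialize(1, "msxml://$storePath")
$store.Submit()

$app = $store.CreateApplication('ExpenseApp')
$app.Submit()

# Operations are the low-level actions the application asks AzMan about.
$opApprove = $app.CreateOperation('ApproveExpenditure')
$opApprove.OperationID = 1
$opApprove.Submit()
$opAudit = $app.CreateOperation('AuditTransactions')
$opAudit.OperationID = 2
$opAudit.Submit()

# A task groups operations into a unit of work that maps to a job function.
$task = $app.CreateTask('ManageFunds')
$task.AddOperation('ApproveExpenditure')
$task.AddOperation('AuditTransactions')
$task.Submit()

# The role ties the task to its members; this is the page's Treasurer example.
$treasurer = $app.CreateRole('Treasurer')
$treasurer.AddTask('ManageFunds')
$treasurer.AddMemberName("$env:USERDOMAIN\$env:USERNAME")
$treasurer.Submit()

# Access check: build a client context for the current user and ask whether
# operations 1 and 2 are permitted on a named object at application scope ('').
$ctx = $app.InitializeClientContextFromName($env:USERNAME, $env:USERDOMAIN)
$results = $ctx.AccessCheck('ExpenseRequest-42', @(''), @(1, 2))

# Each element is an HRESULT: 0 means the operation is granted; 5
# (ERROR_ACCESS_DENIED) means the caller holds no role that includes it.
for ($i = 0; $i -lt $results.Count; $i++) {
    $state = if ($results[$i] -eq 0) { 'granted' } else { "denied (0x{0:X})" -f $results[$i] }
    Write-Host ("Operation {0}: {1}" -f ($i + 1), $state)
}
```

Because the store records which tasks and members each role holds, the same objects can later be enumerated (for example, `$app.Roles`) to audit or revoke what has been granted, which is the tracking the page contrasts with plain ACL editing.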
Comparing Authorization Manager to other management tools
You can use Authorization Manager to implement multiple configuration and permission changes at once. Other management tools available with this version of Windows can also be used to configure access permissions, sometimes in ways comparable to Authorization Manager. These include:
- Access control lists. Access control lists (ACLs) on the Security properties tab can be used to manage access control policy for objects stored in Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), and Windows objects. Authorization Manager differs from the Security properties tab by letting you base your access control on roles (usually based on particular job tasks), not just on group membership, and by tracking the permissions that have been granted.
- Delegation of Control Wizard. The Delegation of Control Wizard also sets multiple permissions automatically; however, unlike Authorization Manager, it does not provide a method to track or remove permissions that have been granted.
Additional references