Authorization rules are scripts written in VBScript or JScript that you can include in role definitions and task definitions. An authorization rule determines whether the role or task is allowed.
By using authorization rules, you can base authorization decisions on any condition that a script can test. These may include privileges and permissions, time of day, billable expense limits, account balances, or other criteria.
Authorization Manager is not designed for writing or debugging authorization rules. You can write your scripts in a text editor (for example, Notepad), in an integrated development environment such as Visual Studio .NET, or in another application of your choice. Authorization rules are usually written by professional developers.
For more information about creating authorization rules and using the Authorization Manager application programming interfaces (APIs), see Authorization Manager Model (http://go.microsoft.com/fwlink/?linkid=64027). For additional suggested links, see Resources for Authorization Manager.
Controlling the use of business rules and authorization rules
Controlling use on each client
Beginning with Windows Server 2008, the use of business rules and authorization rules can be controlled by a registry setting. Rules are disabled by default. Previous versions of Windows did not support this functionality.
Generally, you will use a setup program or a script run by the operating system to enable authorization rules and business rules if they are in use in your environment.
Important: This setting is controlled individually for each Authorization Manager application on each client.
The following is a sample script that enables or disables business rules and application rules for an application:
'
' Enabling or disabling BizRules for an application
' This script uses Authorization Manager Administrative interfaces to enable or disable
' BizRules for a specified Authorization Manager application in a specified
' Authorization Manager policy store
On Error Resume Next
Set objArgs = WScript.Arguments
If objArgs.count <> 3 then
    wscript.echo "Usage: SetBizRule ""AzManStoreURL"" ""AzApplicationName"" True/False"
    wscript.echo "Example: SetBizRule ""msxml://d:\inetpub\wwwroot\AzStore.xml"" ""MyApp"" True"
    wscript.echo "Run with 'cscript' command in cmd.exe to avoid msg boxes"
Else
    ' VBScript source code
    Dim AzStoreObj
    Dim AzManStoreURL : AzManStoreURL = objArgs(0)
    Dim AzManAppName : AzManAppName = objArgs(1)
    Dim BizRulesEnabled : BizRulesEnabled = objArgs(2)
    ' create azman object
    Set AzStoreObj = CreateObject("AzRoles.AzAuthorizationStore")
    ' COM failures are reported as negative HRESULT values, so test for any non-zero value
    If Err.Number <> 0 Then
        WScript.Echo "Cannot create AzRoles.AzAuthorizationStore. Check Authorization Manager installation"
        WScript.Quit
    End If
    ' initialize store for Administration
    ' assumes store exists - if store is being created (e.g. an installing application)
    ' use the value 3 instead of 2 in the call to IAzAuthorizationStore::initialize
    Err.Clear
    AzStoreObj.Initialize 2, AzManStoreURL
    If Err.Number <> 0 Then
        WScript.Echo "AzRoles.AzAuthorizationStore failed to initialize. Check store URL"
        WScript.Quit
    End If
    ' open application
    Set AzApp = AzStoreObj.OpenApplication(AzManAppName)
    If Err.Number <> 0 Then
        WScript.Echo "AzRoles.AzAuthorizationStore failed to open application: " & AzManAppName & ". Check application Name."
        WScript.Quit
    End If
    ' set BizRulesEnabled property
    WScript.Echo "App BizRule Before:" & AzApp.BizRulesEnabled
    AzApp.BizRulesEnabled = BizRulesEnabled
    WScript.Echo "App BizRule After:" & AzApp.BizRulesEnabled
    If Err.Number = 0 Then
        WScript.Echo "BizRulesEnabled is updated successfully."
    Else
        WScript.Echo "BizRulesEnabled is NOT updated successfully."
    End If
End If
Controlling use for the entire authorization store
By configuring the authorization rule limits on the Limits tab of the authorization store properties sheet, you can:
- Disable authorization rules and business rules for the store.
- Set a timeout value to limit the maximum length of time to allow a script to run.
- Allow scripts to run with no timeout.
For more information, see Understanding Authorization Manager Store Limits.
VBScript example
The following is a VBScript authorization rule that always grants permission:
AzBizRuleContext.BusinessRuleResult = True
For more information about VBScript, see VBScript (http://go.microsoft.com/fwlink/?linkid=65964).
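The following added example (not part of the original page or of Microsoft's samples) is a VBScript authorization rule that tests conditions of the kind described earlier, an expense limit and the time of day, and denies unless every check passes. The parameter names ExpenseAmount and ApprovalLimit and the business-hours window are assumptions; the calling application would have to supply those parameters when it performs the access check.

```vbscript
' Added example: deny-by-default authorization rule.
' Assumptions (hypothetical, not from the original page):
'   - the application passes parameters named "ExpenseAmount" and "ApprovalLimit"
'   - approvals are only allowed between 08:00 and 18:00 local time
Const BUSINESS_START_HOUR = 8
Const BUSINESS_END_HOUR = 18

Dim amount, limit, currentHour

' Fail closed: the result stays False unless every check below passes.
AzBizRuleContext.BusinessRuleResult = False

On Error Resume Next
amount = AzBizRuleContext.GetParameter("ExpenseAmount")
limit = AzBizRuleContext.GetParameter("ApprovalLimit")

If Err.Number <> 0 Then
    ' A missing parameter is treated as a denial, never as a grant.
    AzBizRuleContext.BusinessRuleString = "Required parameter missing"
ElseIf Not (IsNumeric(amount) And IsNumeric(limit)) Then
    ' Reject non-numeric input instead of letting VBScript coerce it.
    AzBizRuleContext.BusinessRuleString = "Parameters must be numeric"
Else
    amount = CDbl(amount)
    limit = CDbl(limit)
    currentHour = Hour(Now)
    If amount < 0 Or amount > limit Then
        AzBizRuleContext.BusinessRuleString = "Amount is outside the approval limit"
    ElseIf currentHour < BUSINESS_START_HOUR Or currentHour >= BUSINESS_END_HOUR Then
        AzBizRuleContext.BusinessRuleString = "Request is outside business hours"
    Else
        ' All conditions satisfied: grant.
        AzBizRuleContext.BusinessRuleResult = True
    End If
End If
```

Setting BusinessRuleResult to False before any other statement means that an unexpected error or an unhandled input leaves the rule in the deny state.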
JScript example
The following is a JScript authorization rule that always grants permission:
AzBizRuleContext.BusinessRuleResult = true;
For more information about JScript, see JScript (http://go.microsoft.com/fwlink/?linkid=65963).