To use Authorization Manager effectively to control access to resources, you must first define roles, tasks, and operations.
- A role is a set of permissions that a user must have to do a job. Well-designed roles should correspond to a job category or responsibility (for example, receptionist, hiring manager, or archivist) and be named accordingly. With Authorization Manager, you can add users to a role to authorize them for the
- A task is a collection of operations and sometimes other tasks. Well-designed tasks are inclusive enough to represent work items that are recognizable (for example, "change password" or "submit expense").
- An operation is a set of permissions that you associate with system-level or API-level security procedures such as WriteAttributes or ReadAttributes. You use operations as building blocks for tasks.
You can define roles, tasks, and operations only in developer mode, not in administrator mode. To set developer mode, see Set Authorization Manager Options.
Creating appropriate role definitions depends on the structure and goals of your organization. Roles support inheritance from other roles.
To define a role, you specify a name, a friendly description, and some specific tasks, roles, and operations that are part of the role. This provides a mechanism for role inheritance. For example, a Helpdesk role might include a Product Support role.
You can specify an authorization rule, which may be either VBScript or JScript. For more information, see VBScript (http://go.microsoft.com/fwlink/?linkid=65964) and JScript (http://go.microsoft.com/fwlink/?LinkId=65963).
If there are several authorization rules associated with a role definition (for example, the role definition has several subroles and tasks), the authorization rules run synchronously. In Authorization Manager, the order has no effect on authorization.
A task definition is smaller than a role definition and can be used to define roles and other tasks.
With Authorization Manager, you associate tasks with roles in an intuitive way. For example, the Recruiter role might include the Interview task.
Tasks, like roles, are defined in a way that is appropriate to the organization. To define a task, you specify a name, a description, and some specific tasks and operations that are part of the task. You can also specify a VBScript or JScript authorization rule.
Operations are small computer-level actions that are used to define tasks and usually are not relevant to an administrator. You define operations only in developer mode.
You can set operation definitions at the application level, but not at the authorization store level or the scope level.
An operation definition includes a name, a description, and an operation number. The operation number X must be an integer from 1 to 2,147,483,647 (that is, 1 ≤ X ≤ 2^31 - 1). The operation number is used by the application to identify the operation, so entering a wrong operation number will result in access being granted or denied incorrectly. This, in turn, could lead to security violations or undesired behavior of the client application.
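The following added example (a simplified Python model, not Authorization Manager's own API or code from this documentation) flattens a role through its subroles and tasks into operation numbers, then shows how a wrong operation number grants or denies access incorrectly. The operation numbers, the `DeleteAttributes` name, and all function names are assumptions made for illustration.

```python
# Simplified model of Authorization Manager definitions; not the AzMan API.
# Operation numbers and the DeleteAttributes name are constructed samples.
MAX_OP = 2**31 - 1

# Operation name -> operation number entered in the store (two are swapped).
STORE_OPS = {"ReadAttributes": 1, "WriteAttributes": 2, "DeleteAttributes": 3}
# Operation name -> number the client application passes in its access check.
APP_OPS = {"ReadAttributes": 1, "WriteAttributes": 3, "DeleteAttributes": 2}

# Role or task name -> the roles, tasks and operations it includes.
DEFINITIONS = {
    "change password": ["ReadAttributes", "WriteAttributes"],
    "submit expense": ["WriteAttributes"],
    "Product Support": ["change password"],
    "Helpdesk": ["Product Support", "submit expense"],  # role inheritance
}


def resolve(name, seen=None):
    """Flatten a role or task into the set of operation numbers it grants."""
    seen = set() if seen is None else seen
    if name in STORE_OPS:
        return {STORE_OPS[name]}
    if name in seen:  # already expanded, or a definition that includes itself
        return set()
    seen.add(name)
    granted = set()
    for member in DEFINITIONS[name]:
        granted |= resolve(member, seen)
    return granted


def app_allows(role, operation):
    """Outcome of the application's check, using the number it was coded with."""
    return APP_OPS[operation] in resolve(role)


def audit(store_ops, app_ops):
    """List operations whose number is out of range or differs from the app's."""
    findings = []
    for op, number in sorted(store_ops.items()):
        if not (isinstance(number, int) and 1 <= number <= MAX_OP):
            findings.append(f"{op}: {number!r} outside 1..{MAX_OP}")
        elif op in app_ops and app_ops[op] != number:
            findings.append(f"{op}: store has {number}, application uses {app_ops[op]}")
    return findings
```

In this model the Helpdesk role is denied WriteAttributes, which it was meant to have, and allowed DeleteAttributes, which it was never given, solely because two operation numbers were entered the wrong way round.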