With Authorization Manager, you can provide authorization services to administrators that you support by creating Authorization Manager applications that access authorization stores.

In Authorization Manager, there is neither a default authorization store nor a default application. To create an authorization store, you must work in the Authorization Manager developer mode. For more information about working in developer mode, see Set Authorization Manager Options.

You can store authorization stores in either XML files, Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), or in Microsoft SQL Server databases.

The following table compares the different authorization store types.

Authorization store type Delegation support Authorization store is specified by Requirements


Supported at the authorization store, application, and scope levels

A URL, beginning with the protocol prefix MSLDAP:// or an LDAP distinguished name (for example, CN=myStore,CN=Program Data,DN=nwtraders,DN=com)

The domain functional level must be Windows Server 2003 or higher.


In Windows 2000, Active Directory does not support authorization stores.


Not supported

The XML file is secured as a whole by its NTFS file system access control entries (ACEs).

A URL beginning with the protocol prefix MSXML:// or a path (for example, C:\Temp\MyStore.xml or \\ServerName\ShareName\MyStore.xml)

Any NTFS partition

SQL Server

Supported at the authorization store, application, and scope levels

A URL beginning with the protocol prefix MSSQL:// followed by a connection string, database name, and policy store name, in the format: MSSQL://<connection string>/<database name>/<policy store name>

At least Microsoft SQL Server 2000

An application is specific to an authorization store, and it is always located directly under its parent authorization store in Authorization Manager. For more information, see Create an Authorization Manager Application.

Scopes, roles, tasks, and operations are always specific to an application. For more information, see Understanding Authorization Manager Scopes and Understanding Authorization Manager Role, Task, and Operation Definitions.

Using application groups

An application group is a group of users of an Authorization Manager application. You can create application groups at any of the three levels in the Authorization Manager console. The following table lists the different Authorization Manager levels where you can create application groups.

Level Application group can be used in

Authorization store

The authorization store, and applications and scopes within it


The application and scopes within it


The scope

For more information about application groups, see Understanding Authorization Manager Application Groups.

Delegating authorization stores and applications

Authorization stores that are stored in AD DS, AD LDS, or SQL Server support delegation. This means that you can authorize other people to administer those authorization stores or applications contained in those authorization stores.

For more information about performing delegation, see Allow Other Users to Administer an Authorization Store.