In Authorization Manager, recipients of authorization policy are represented by the following different kinds of groups:


An application group is a group of users, computers, or other security principals. An application group is not a group of applications.

Windows users and groups

For more information about groups in Active Directory Domain Services (AD DS), see Role-Based Access Control for Multi-tier Applications Using Authorization Manager. For more information about security principals that are not stored in AD DS, see the Security Principals Technical Reference.

Application groups

When you create a new application group, you need to determine whether you want it to be an LDAP query group or a basic application group. For Authorization Manager role-based applications, any authorization you can do with Windows users and groups can also be done with application groups.

Circular membership definitions are not allowed, and result in the error message "Cannot add <Group name>. The following problem occurred: A loop has been detected."

LDAP query groups

In Authorization Manager, you can use LDAP queries to find objects in AD DS, Active Directory Lightweight Directory Services (AD LDS), and other LDAP-compliant directories.

You can use an LDAP query to specify an LDAP query group by typing the desired LDAP query in the space provided on the Query tab of the Properties dialog box of the application group.

Authorization Manager supports two types of LDAP queries that can be used to define an LDAP query group: Authorization Manager version 1 queries and LDAP URL queries.

  • Authorization Manager version 1 LDAP queries

    Version 1 LDAP queries provide limited support for the LDAP URL query syntax described in RFC 2255. These queries are limited to querying the attribute list of the user object specified in the current client context.

    For example, the following query finds everyone except Andy:


    This query evaluates whether the client is a member of the StatusReports alias:

    (memberOf=CN=StatusReports,OU=Distribution Lists,DC=nwtraders,DC=com)

    Authorization Manager continues to support version 1 queries so that solutions developed by using earlier versions of Authorization Manager can be upgraded with less effort.

  • LDAP URL queries

    In order to remove limitations on objects and attributes that can be searched, Authorization Manager supports an LDAP URL query syntax based on RFC 2255. This allows you to create LDAP query groups that use directory objects other than the current user object as the root of the search.

    An LDAP URL begins with the protocol prefix "ldap" and follows this format:


Distinguished name is also known as DN.


Specifically, the following grammar is supported:

ldapurl    = scheme "://" [hostport] ["/"
             [dn ["?" [attributes] ["?" [scope]
             ["?" [filter]]]]]]
scheme     = "ldap"
attributes = attrdesc *("," attrdesc)
scope      = "base" / "one" / "sub"
dn         = distinguishedName
hostport   = hostport
attrdesc   = AttributeDescription
filter     = filter

For example, the following query returns users whose company attribute is set to "FabCo", from the LDAP server running on port 389 on a host named "fabserver":


When using an LDAP URL query, you can use the special placeholder value %AZ_CLIENT_DN%. This placeholder is replaced with the distinguished name (DN) of the client making the access check. This allows you to construct queries that return objects from the directory based on their relationship to the distinguished name of the client making the request.

In this example, the LDAP query tests whether the user is a member of the "Customers" OU:

ldap://server:<port>/OU=Customers,DC=FABCO-PN,DC=com?(objectclass=*)?sub?(&(objectClass=user)(objectCategory=user)(distinguishedName=%AZ_CLIENT_DN%))

In this example, the LDAP query tests whether the user is a direct report of a manager named "SomeManager" and that the "searchattribute" of SomeManager is equal to the particular value "searchvalue":

ldap://server:port/CN=SomeManager,OU=Users,DC=FABCO-PN,DC=com?(objectclass=*)?base?(&(searchattribute=searchvalue)(directreports=%AZ_CLIENT_DN%))

For more information about the syntax of an LDAP URL query, refer to the text of RFC 2255.


If the LDAP query starts with "ldap", it is treated as an LDAP URL query. If it starts with anything else, it is treated as a version 1 query.
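The following is an added example, not code from the Authorization Manager documentation or from Authorization Manager itself. It parses the LDAP URL grammar given above (scheme, hostport, dn, attributes, scope, filter), applies the "starts with ldap" rule to tell an LDAP URL query from a version 1 query, and resolves the %AZ_CLIENT_DN% placeholder. It assumes the RFC 2255 defaults when a component is omitted (scope "base", filter "(objectClass=*)"), leaves percent-decoding out, and escapes the substituted DN as an RFC 4515 filter value so that a DN containing "(", ")" or "*" cannot change the structure of the filter; whether Authorization Manager performs that escaping itself is not stated in the text above, so treat it as a check of your own. All function names and the sample URL are this example's own constructions.

```python
# Added example, not code from the Authorization Manager documentation.
# Parses ldap://[hostport][/[dn[?[attributes][?[scope][?[filter]]]]]] and
# resolves %AZ_CLIENT_DN%.  Assumptions: RFC 2255 defaults for omitted
# components, no percent-decoding, and RFC 4515 escaping of the substituted DN
# (whether Authorization Manager escapes it is not stated in the text).
from dataclasses import dataclass
from typing import List

AZ_CLIENT_DN = "%AZ_CLIENT_DN%"
VALID_SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    hostport: str
    dn: str
    attributes: List[str]
    scope: str
    filter: str


def classify_query(query: str) -> str:
    """Rule from the text: a query starting with "ldap" is an LDAP URL query,
    anything else is treated as a version 1 query."""
    return "ldap-url" if query.lower().startswith("ldap") else "version-1"


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap://[hostport][/[dn[?[attributes][?[scope][?[filter]]]]]]."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError("not an LDAP URL: " + url)
    hostport, _, path = rest.partition("/")
    # Up to four "?"-separated components after the host; missing ones are "".
    parts = path.split("?", 3)
    parts += [""] * (4 - len(parts))
    dn, attrs, scope, filt = parts
    scope = scope.lower() or "base"          # RFC 2255 default scope
    if scope not in VALID_SCOPES:
        raise ValueError("invalid scope: " + scope)
    attributes = [a for a in attrs.split(",") if a]
    return LdapUrl(hostport, dn, attributes, scope, filt or "(objectClass=*)")


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value,
    so a DN containing "(", ")" or "*" cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def substitute_client_dn(filt: str, client_dn: str) -> str:
    """Replace %AZ_CLIENT_DN% with the escaped DN of the client being checked."""
    return filt.replace(AZ_CLIENT_DN, escape_filter_value(client_dn))


if __name__ == "__main__":
    # Constructed sample modelled on the "Customers" OU example in the text.
    url = ("ldap://server:389/OU=Customers,DC=FABCO-PN,DC=com??sub?"
           "(&(objectClass=user)(objectCategory=user)(distinguishedName=%AZ_CLIENT_DN%))")
    parsed = parse_ldap_url(url)
    print(classify_query(url), parsed.scope, parsed.dn)
    print(substitute_client_dn(parsed.filter,
                               "CN=Bob (Sales),OU=Customers,DC=FABCO-PN,DC=com"))
```

The parser is deliberately strict about the scope keyword and deliberately lenient about the attributes component, since the examples in the text place a filter-like string there; what matters for the access check is the DN, scope and filter.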

Basic application groups

Basic application groups are specific to Authorization Manager.

To define basic application group membership, you need to:

  1. Define who is a member.

  2. Define who is not a member.

Both of these steps are carried out in the same way:

  • First, for each step you specify zero or more Windows users and groups, previously defined basic application groups, or LDAP query groups.

  • Second, at run time, Authorization Manager automatically calculates the membership of the basic application group by removing the nonmembers from the members.


Non-membership in a basic application group takes precedence over membership.
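The following is an added example, not code from the Authorization Manager documentation or from Authorization Manager itself. It models the membership rules described above for basic application groups: a member list and a nonmember list that may each name users, other basic application groups, or (here, as opaque names) LDAP query groups; nested groups expanded at run time; nonmembership taking precedence over membership; and circular membership definitions rejected with the error text quoted earlier. The group names, principal names and data structures are constructed for this example.

```python
# Added example, not code from the Authorization Manager documentation.
# Models basic application group membership: members minus nonmembers, nested
# groups expanded recursively, nonmembership taking precedence, and circular
# definitions rejected.  Group and principal names are constructed samples.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass
class BasicGroup:
    name: str
    members: List[str] = field(default_factory=list)       # principals or group names
    non_members: List[str] = field(default_factory=list)   # principals or group names


class LoopDetected(Exception):
    """Raised for circular membership, mirroring the error message in the text."""


def _expand(ref: str, groups: Dict[str, BasicGroup], stack: FrozenSet[str]) -> Set[str]:
    """A reference naming a basic application group expands to that group's
    effective membership; any other reference is a leaf principal."""
    if ref not in groups:
        return {ref}
    return effective_members(ref, groups, stack)


def effective_members(name: str, groups: Dict[str, BasicGroup],
                      _stack: FrozenSet[str] = frozenset()) -> Set[str]:
    """Run-time membership: everyone reachable through 'members', minus
    everyone reachable through 'non_members'."""
    if name in _stack:
        raise LoopDetected(f"Cannot add {name}. The following problem occurred: "
                           "A loop has been detected.")
    group = groups[name]
    stack = _stack | {name}
    included: Set[str] = set()
    for ref in group.members:
        included |= _expand(ref, groups, stack)
    excluded: Set[str] = set()
    for ref in group.non_members:
        excluded |= _expand(ref, groups, stack)
    return included - excluded      # nonmembership wins over membership


def _reaches(groups: Dict[str, BasicGroup], start: str, target: str, seen: Set[str]) -> bool:
    """True if 'target' is referenced, directly or through nesting, from 'start'."""
    if start == target:
        return True
    if start not in groups or start in seen:
        return False
    seen.add(start)
    g = groups[start]
    return any(_reaches(groups, r, target, seen) for r in g.members + g.non_members)


def add_member(groups: Dict[str, BasicGroup], name: str, ref: str,
               as_non_member: bool = False) -> None:
    """Add a member or nonmember reference, refusing any that would close a loop."""
    if _reaches(groups, ref, name, set()):
        raise LoopDetected(f"Cannot add {ref}. The following problem occurred: "
                           "A loop has been detected.")
    target = groups[name].non_members if as_non_member else groups[name].members
    target.append(ref)


def sample_groups() -> Dict[str, BasicGroup]:
    """Constructed sample: contractors, all staff, and a reviewers group."""
    return {
        "Contractors": BasicGroup("Contractors", members=["carol", "dave"]),
        "AllStaff": BasicGroup("AllStaff", members=["alice", "bob", "Contractors"],
                               non_members=["dave"]),
        "Reviewers": BasicGroup("Reviewers", members=["AllStaff", "erin"],
                                non_members=["Contractors"]),
    }


if __name__ == "__main__":
    groups = sample_groups()
    for g in groups:
        print(g, sorted(effective_members(g, groups)))
    try:
        # Reviewers already contains Contractors, so this would close a loop.
        add_member(groups, "Contractors", "Reviewers")
    except LoopDetected as e:
        print(e)
```

Two points worth checking in your own policy stores follow from the run: carol is in AllStaff through Contractors yet excluded from Reviewers because the whole Contractors group is listed as a nonmember there, and a principal placed in both lists of the same group ends up with no membership at all.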

Business rule application groups

Business rule application groups are specific to Authorization Manager.

To define business rule application group membership, you must write a script in either VBScript or JScript. The script source code is loaded from a text file on the Properties page of the business rule application group.