Fine-grained authorization without Azman authstores?

  • Question

  • We currently use Azman to restrict access to menu items in the client. When a new menu is loaded in the client, a request is sent to the server: "which of these menu items does the current user have access to?". Our application is not a public web application and communication is implemented using WCF. We save our authstores in the .xml format and do our checks server side with the Microsoft.Interop.Security.Azroles.dll.

    Microsoft - and other sources - mark the Authorization Manager tool tied to Azman as deprecated/dated but don't give a clear alternative. All I can find is recommendations to move to a claims-based architecture but then the guides about implementing a claims-based architecture recommend using Azman-authstores for fine-grained control. Most of these guides are dated, being written around 2009. What's the modern Microsoft alternative to Azman-authstores? 

    Tuesday, April 4, 2017 11:20 AM

Answers

  • Your application can then map those roles onto fine-grained permissions with tools such as Windows Authorization Manager (AzMan). But unless you've got an issuer that's specifically designed for managing fine-grained permissions, it's probably best to keep your claims at a much higher level.

    Reference: Claims-Based Architectures

    It seems AzMan is better than Claims at RBAC.

    In my opinion, AzMan will continue to work on whichever OS you are currently using it on. And if you need AzMan, I think you could keep using it on a supported OS.


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by Stagrid Thursday, April 6, 2017 9:34 AM
    Thursday, April 6, 2017 5:01 AM
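The question describes a server-side check ("which of these menu items does the current user have access to?") done against an AzMan authstore, and the accepted answer suggests keeping claims coarse and letting the application map roles onto fine-grained permissions. The following is an added example, not code from the thread or from Microsoft, showing that mapping in plain .NET with `System.Security.Claims`: the issuer supplies only role claims, the application owns the role-to-operation table that the authstore used to hold, and anything not explicitly granted is denied. The class names, the role names and the `Menu.*` operation names are hypothetical, and the role table is constructed for the example.

```csharp
// Added example (not from the thread): claims-based replacement for the
// server-side "which menu items may this user see?" check. The issuer emits
// only coarse role claims; the application maps roles to operations itself.
// MenuAuthorizer, the role names and the "Menu.*" operations are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class MenuAuthorizer
{
    // Application-owned role -> operation table (constructed for the example).
    // This is the information an AzMan authstore would otherwise hold.
    private static readonly IReadOnlyDictionary<string, HashSet<string>> RoleOperations =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Clerk"]   = new HashSet<string> { "Menu.Invoices.View" },
            ["Manager"] = new HashSet<string> { "Menu.Invoices.View", "Menu.Invoices.Approve", "Menu.Reports.View" },
            ["Admin"]   = new HashSet<string> { "Menu.Users.Manage" },
        };

    // Returns the subset of the requested operations the principal may perform.
    // Unauthenticated principals, unknown roles and unknown operations all
    // resolve to "denied" without any special casing.
    public static IReadOnlyCollection<string> AllowedOperations(ClaimsPrincipal user, IEnumerable<string> requested)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return Array.Empty<string>();

        var granted = new HashSet<string>(StringComparer.Ordinal);
        foreach (var role in user.FindAll(ClaimTypes.Role).Select(c => c.Value))
        {
            // Only roles present in the application's table contribute.
            if (RoleOperations.TryGetValue(role, out var ops))
                granted.UnionWith(ops);
        }
        return requested.Where(granted.Contains).Distinct().ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principal standing in for what the WCF service sees after
        // token validation. In production the claims come from the issuer's
        // validated token, never from the client's request body.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "Clerk"),
            new Claim(ClaimTypes.Role, "Manager"),
        }, "Federation");
        var user = new ClaimsPrincipal(identity);

        // The client sends the operations behind the menu it is about to show;
        // the server answers with the ones this user is allowed to use.
        var requested = new[] { "Menu.Invoices.View", "Menu.Invoices.Approve", "Menu.Users.Manage", "Menu.DoesNotExist" };
        foreach (var op in MenuAuthorizer.AllowedOperations(user, requested))
            Console.WriteLine(op);
    }
}
```

The design point is the one the answer makes: the token carries roles, which change rarely and are cheap for an issuer to manage, while the role-to-operation table stays with the application, where it can be versioned and reviewed alongside the menu definitions. Because the server filters a list the client supplied, the client can never widen its own access: an operation absent from the table is simply never returned.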

All replies

  • Hi Stagrid,

    This forum discusses and asks questions about .NET Framework Base Classes. Since your issue is more related to WCF, we'll move it to the WCF forum for suitable support.

    Thanks for your understanding.

    Best regards,

    Cole Wu


    MSDN Community Support

    Wednesday, April 5, 2017 1:56 AM
  • As you know, the recommended way is to use Claims.

    Keep in mind each OS has its own life cycle, so AzMan isn't immediately going away. We have until well into 2023 before we see the last of AzMan. AzMan will continue to work on whichever OS you are currently using it on; just be aware of the OS life cycle to make sure that your OS is supported and, as such, your implementation of AzMan.

    Reference: Hate to see you go, but it's time to move on to greener pastures. A farewell to Authorization Manager aka AzMan

    >>then the guides about implementing a claims-based architecture recommend using Azman-authstores for fine-grained control

    Could you share the document with us? According to An Introduction to Claims, claims implement fine-grained permissions.

    What are the benefits of using claims to manage authorization in applications and services?

    It allows the use of more fine-grained permissions based on specific claims compared to the granularity achieved just using roles


    MSDN Community Support

    Wednesday, April 5, 2017 7:12 AM
  • My account apparently is not verified so I can't add links in my response. But I believe you can find them all by using your favorite search engine and the title + MSDN.

    In the next chapter after An Introduction to Claims, namely Claims-Based Architecture, I found the quote "Your application can then map those roles onto fine-grained permissions with tools such as Windows Authorization Manager (AzMan)."

    And in Active Directory Federation Services, under Step-by-Step Example, "The following example demonstrates the steps necessary for a Web application to make claims-based authorization decisions using AD FS. Windows Authorization Manager (AzMan) is used to provide role-based access control (RBAC). For more information about AzMan and a discussion of the portions of the example code that use AzMan, see the companion topic Windows Authorization Manager."

    It's worth mentioning that we recently developed a customized tool for interacting with Azman Authstores, this tool uses the Microsoft.Interop.Security.Azroles.dll as well. However, we still have cases where the Windows Authorization Manager is used.

    Wednesday, April 5, 2017 9:52 AM