Authorization Manager (AzMan) - Scopes


Hello,

My team is currently looking at replacements for a corporate-wide role based authorization system and we are looking at AzMan with either ADAM or AD as a store. AzMan looks like it can do a lot of what we desire. However, I'm a little concerned with how scopes can be used and am having trouble finding examples regarding them.

One proposed authorization system would use AzMan with scopes to divide legal entities (which can be numerous companies/locations). In this scenario, each application would have one or more scopes representing each legal entity. Each scope would have the same available roles as defined in the application, and would only differ by the users assigned to those roles. For instance:

In application A, Bob has a Manager role for company X (legal entity X)
In application A, Bob has an Auditor role for company Y (legal entity Y)

Here are my questions:

1. Is there a way, given the user's ID/Token/Context, to return a list of scopes to which the user has a role programmatically through the AzMan API? I have seen how to return all the scopes for an application. I would imagine that each one would then have to be checked to see if a user had an "active" role within it. However, it is possible that we may have 100,000+ scopes for each application and returning a list of all 100,000 would be expensive. A list of only the scopes the user is privileged to would be better.

2. When assigning roles to a scope, it seems the AzMan Snap-In will not allow duplicate names. If an application has defined a role "Manager", within the scope it will be changed to "Manager(1)". Is this something the snap-in is doing or is it not possible to assign "application wide roles" to one or more scopes?

Any assistance that anyone could provide would be great.

Thanks,
Michael Rowley


Tuesday, November 21, 2006 10:54 PM
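The "check every scope" approach described in question 1, written out as an added example (not code from the original post or from Microsoft): it enumerates the application's scopes through the AzMan COM API and keeps only those in which the client context holds at least one role, which makes the linear cost over a very large scope count visible. It assumes the Microsoft.Interop.Security.AzRoles primary interop assembly is referenced; the store URL, application name and account are constructed placeholders.

```csharp
// Added example, not from the original post. Requires a reference to the
// Microsoft.Interop.Security.AzRoles interop assembly shipped with AzMan.
using System;
using System.Collections.Generic;
using Microsoft.Interop.Security.AzRoles;

class ScopeLookup
{
    // Returns the names of the scopes in which the client holds at least one role.
    // One GetRoles call per scope: with 100,000+ scopes this is 100,000+ evaluations
    // of the user's group membership, which is exactly the cost the question raises.
    static List<string> ScopesWithRoles(IAzApplication app, IAzClientContext ctx)
    {
        var result = new List<string>();
        foreach (IAzScope scope in app.Scopes)
        {
            // GetRoles returns a VARIANT array of role names for this scope;
            // an empty array means no role assignment in the scope applies to the user.
            var roles = ctx.GetRoles(scope.Name) as Array;
            if (roles != null && roles.Length > 0)
                result.Add(scope.Name);
        }
        return result;
    }

    static void Main()
    {
        // Placeholder values: an XML store path (msldap:// for an AD/ADAM store),
        // the application name and a sample account.
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, @"msxml://C:\AzStore\store.xml", null); // 0 = open existing store
        IAzApplication app = store.OpenApplication("Application A", null);

        // Build the client context from an account name; a token handle could be
        // used instead via InitializeClientContextFromToken.
        IAzClientContext ctx = app.InitializeClientContextFromName("Bob", "CONTOSO", null);

        foreach (string scopeName in ScopesWithRoles(app, ctx))
            Console.WriteLine("Bob has a role in scope: " + scopeName);
    }
}
```

Because the store is consulted once per scope, a production design with scopes per legal entity usually needs a separate index (for example, a table of user-to-scope assignments maintained alongside the store) rather than a full scan on every lookup.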