AzMan (Windows Authorization Manager) is a role-based access control framework. You define the operations your application performs (the things a user can be allowed to do), group them into tasks, and grant tasks or operations to roles. Users and groups are then assigned to roles, and a user's effective permissions follow from the roles they hold.
AzMan also provides a management console in the form of an MMC snap-in (azman.msc) for managing operations, tasks, roles and role assignments. The policy store itself can be kept in Active Directory (or AD LDS) or in an XML file.
Because the model is role-based, the cost and effort of adopting it for application authorization is small, and one of its most useful features is its direct integration with Active Directory: AD users and groups can be assigned to roles without any mapping code in the application.
AzMan has shipped with Windows since Windows Server 2003 and is still present in Windows 8 and Windows Server 2012, although Microsoft has since marked it deprecated, so treat it as a legacy component when starting a new design. The Enterprise Library Security Application Block originally included an AzMan authorization provider, but the latest version of Enterprise Library no longer ships it, so you must write a wrapper of your own (the source of an earlier Enterprise Library release is a good starting point).
How to use AzMan in an ASP.NET Application
AzMan is installed by default on Windows 7, Windows Server 2008 and later. As mentioned above, the policy store can be created either in Active Directory or in an XML file.
AzMan Policy Store in XML
In the Management Console, open "Actions" and select "Options", and make sure "Developer mode" is selected. This is required because a new authorization store can only be created in developer mode; administrator mode only lets you manage an existing store.
Once you do that, a new entry named "New Authorization Store" appears under the "Actions" menu. Open it, set "Authorization Store Type" to "XML" and provide the path of the XML file in which the policy will be stored.
The new store now appears under Authorization Manager in the left-hand pane of the console. Select it, right-click and open "Properties", then use the Security tab to grant the account your application runs as access to the store. In this setup that account is "Network Service", the default ASP.NET identity on IIS 6 and IIS 7; on IIS 7.5 and later the default is the ApplicationPoolIdentity virtual account, and if the site impersonates another account, grant that account instead. For runtime access checks the "Reader" role is sufficient; reserve the "Administrator" role for the accounts that edit policy, and for an XML store also make sure the account has NTFS read permission on the file.
Next create a new application, in my case "SampleApplication". This is where the groups, users, roles and permissions for one application are kept: a single policy store can serve many applications, each with its own mapping of users, roles and permissions.
Now we create operations and tasks. To create an operation, select the application under the store (here "SampleApplication"), expand "Definitions", right-click "Operation Definitions" and select "New Operation Definition".
I created three operations, "Edit", "View" and "Delete". Each operation is given a numeric operation ID (1, 2 and 3 in the sample policy below); it is this ID, not the name, that the application passes to the access check.
Tasks are added in the same way: right-click "Task Definitions" and select "New Task Definition". A task groups operations, so while creating it we map the operations it contains. Here I created two tasks, "Admin Tasks" (Edit, View and Delete) and "Guest Tasks" (View only).
Now we can create roles and associate them with the tasks and the users: a role is granted tasks, and users are assigned to the role so that they receive access to every task mapped to it.
To add a role, right-click "Role Definitions" and select "New Role Definition", then map tasks to the role. Here I created two roles, "Admin" and "Guest". (A role can also be mapped directly to operations instead of tasks.)
To assign users to these roles, right-click "Role Assignments" in the console tree, select "New Role Assignment" and pick the role to which you want to assign users.
The two roles now appear in the console tree under "Role Assignments".
Right-click each role and add the users or groups from Active Directory that should hold it.
Do this for both roles and the store is ready: the policy, "SamplePolicy", can now be used from the application. Before looking at how to use it in an application, let's first see how to keep the policy store in Active Directory instead.
Sample Policy:
<?xml version="1.0" encoding="utf-8"?>
<AzAdminManager MajorVersion="1" MinorVersion="0" Guid="2785f140-42e8-4dea-94a0-4fdb891b79a2">
  <AzApplication Guid="246370e3-4cc4-415a-8b65-1f59fb822dbc" Name="SampleApplication" Description="" ApplicationVersion="">
    <AzOperation Guid="fcfcdbe3-c009-43e0-bbcc-7eb79e588ed8" Name="Edit" Description="">
      <OperationID>1</OperationID>
    </AzOperation>
    <AzOperation Guid="9c61f00b-bbc6-46c9-9832-d244aee1b064" Name="View" Description="">
      <OperationID>2</OperationID>
    </AzOperation>
    <AzOperation Guid="48c35aaf-b922-491d-89cf-c6fd4040e7a6" Name="Delete" Description="">
      <OperationID>3</OperationID>
    </AzOperation>
    <AzTask Guid="7ee8ae15-6954-45bd-a29f-03907c46b3d8" Name="Admin Tasks" Description="" BizRuleImportedPath="">
      <OperationLink>48c35aaf-b922-491d-89cf-c6fd4040e7a6</OperationLink>
      <OperationLink>9c61f00b-bbc6-46c9-9832-d244aee1b064</OperationLink>
      <OperationLink>fcfcdbe3-c009-43e0-bbcc-7eb79e588ed8</OperationLink>
    </AzTask>
    <AzTask Guid="e0652d25-df48-4c90-baa2-3630da84ef71" Name="Guest Tasks" Description="" BizRuleImportedPath="">
      <OperationLink>9c61f00b-bbc6-46c9-9832-d244aee1b064</OperationLink>
    </AzTask>
    <AzTask Guid="4bce9fbd-9d3f-443c-b378-8d06c36046b1" Name="Admin" Description="" BizRuleImportedPath="" RoleDefinition="True">
      <TaskLink>7ee8ae15-6954-45bd-a29f-03907c46b3d8</TaskLink>
    </AzTask>
    <AzTask Guid="6596b838-8c78-47ab-b8c1-142ef68cd015" Name="Guest" Description="" BizRuleImportedPath="" RoleDefinition="True">
      <TaskLink>e0652d25-df48-4c90-baa2-3630da84ef71</TaskLink>
    </AzTask>
    <AzRole Guid="fe14f1c7-e7dd-47ed-8fe7-8524de4d263a" Name="Admin">
      <TaskLink>4bce9fbd-9d3f-443c-b378-8d06c36046b1</TaskLink>
    </AzRole>
    <AzRole Guid="79da2bfd-2072-4e26-815d-b0a9f7239d53" Name="Guest">
      <TaskLink>6596b838-8c78-47ab-b8c1-142ef68cd015</TaskLink>
    </AzRole>
  </AzApplication>
</AzAdminManager>
AzMan Policy Store in Active Directory
In the Management Console, open "Actions" and select "Options" and make sure "Developer mode" is selected, since a new authorization store can only be created in developer mode.
A new entry named "New Authorization Store" then appears under the "Actions" menu. Open it, set "Authorization Store Type" to "Active Directory" and provide the LDAP location in Active Directory where the policy will be stored.
The store name has the following form:
msldap://servername:portnumber/CN=SampleApplicationStore,CN=Program Data,DC=domain,DC=com
"servername" is the name of a domain controller and "portnumber" the LDAP port it listens on (both can be omitted, in which case the current domain is used). The rest is the distinguished name of the store object: the container name (CN) can be anything you choose, and the remaining path is the distinguished name of the container in which the store is created. Microsoft recommends creating stores under the "Program Data" container of the domain partition, as shown above. The domain must be at the Windows Server 2003 functional level or later, and the application identity needs the Reader role on the store just as with an XML store.
Configure application to use Policy Store
Next I created a new web application and added the Role Manager configuration to its Web.Config, together with the connection string that points at the AzMan policy store. The application name given to the role provider must match the application created in the management console ("SampleApplication"), otherwise the provider cannot find the roles.
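The Web.Config fragment itself is not reproduced in the article, so the following is an added example of what such a configuration looks like, not the article's own file. It uses the built-in System.Web.Security.AuthorizationStoreRoleProvider; the store path, the connection string name and the provider name are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- XML store: msxml:// followed by the file path; "~" is resolved against the site root.
         For an Active Directory store use instead something like
         msldap://CN=SampleApplicationStore,CN=Program Data,DC=domain,DC=com -->
    <add name="AzManStore" connectionString="msxml://~/App_Data/SamplePolicy.xml" />
  </connectionStrings>
  <system.web>
    <!-- AzMan identifies the caller by Windows account, so Windows authentication is required. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Anonymous callers have no identity to evaluate; refuse them outright. -->
      <deny users="?" />
    </authorization>
    <roleManager enabled="true" defaultProvider="AzManRoleProvider">
      <providers>
        <clear />
        <add name="AzManRoleProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider"
             connectionStringName="AzManStore"
             applicationName="SampleApplication"
             cacheRefreshInterval="60" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

With this in place, User.IsInRole("Admin") and Roles.IsUserInRole("Admin") are answered from the AzMan store, so role-based checks need no extra code. The provider exposes roles only, however: operation-level checks against Edit, View and Delete still go through the azroles COM API, which is what the code-behind described next uses.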
I then added three buttons to the Default page. We'll now look at how to query the policy store from code so that each button is shown only to users whose role grants the corresponding operation and hidden from everyone else.
Before starting, add a reference to the AzMan COM library: click "Add Reference" on the web site (or whatever project you created), open the "COM" tab and add "azroles 1.0 Type Library".
So now my Default.aspx looks like this:
Default.aspx.cs is something like the following (see the inline comments). It first gets the logged-in user, builds an AzMan client context for that user, and then checks whether the user is allowed each specific operation.
If you are using Windows authentication, the user context can also be built from the account name and domain rather than from the logon token, like this:
IAzClientContext userContext = azApp.InitializeClientContextFromName(name, domain, null);
The logic can be separated out and structured differently depending on the application architecture; this is only sample code.
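Since the article's own code-behind is not reproduced, here is an added example of a Default.aspx.cs that does what the text describes: it takes the logged-in Windows user, builds an AzMan client context from the logon token, and runs an access check for each operation ID from the sample policy. This is not the article's code. It assumes Windows authentication, an XML store at ~/App_Data/SamplePolicy.xml, and three buttons named btnEdit, btnView and btnDelete on Default.aspx (the file path and control names are assumptions). It also goes one step beyond hiding buttons: each Click handler repeats the check on the server, because a hidden button does not stop a forged postback.

```csharp
// Default.aspx.cs - added example, not the article's own code-behind.
// Assumptions (not from the article): Windows authentication is on, the XML
// store created above lives at ~/App_Data/SamplePolicy.xml, and Default.aspx
// declares three buttons named btnEdit, btnView and btnDelete whose Click
// events are wired to the handlers below. Needs a COM reference to
// "azroles 1.0 Type Library" (interop namespace AZROLESLib).
using System;
using System.Security.Principal;
using System.Web.UI;
using AZROLESLib;

public partial class _Default : Page
{
    // Operation IDs exactly as defined in SamplePolicy.xml (<OperationID>).
    private const int OpEdit = 1;
    private const int OpView = 2;
    private const int OpDelete = 3;

    private const string ApplicationName = "SampleApplication";
    private const int ErrorSuccess = 0;   // AccessCheck result meaning "allowed"

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            return;
        }
        // Show each button only to users whose role grants that operation.
        btnEdit.Visible = IsAllowed(OpEdit);
        btnView.Visible = IsAllowed(OpView);
        btnDelete.Visible = IsAllowed(OpDelete);
    }

    protected void btnEdit_Click(object sender, EventArgs e)
    {
        RequireOperation(OpEdit);
        // ... perform the edit ...
    }

    protected void btnView_Click(object sender, EventArgs e)
    {
        RequireOperation(OpView);
        // ... perform the view ...
    }

    protected void btnDelete_Click(object sender, EventArgs e)
    {
        RequireOperation(OpDelete);
        // ... perform the delete ...
    }

    // Hiding a button is presentation, not authorization: a crafted postback
    // can still raise the Click event, so every handler re-checks on the server.
    private void RequireOperation(int operationId)
    {
        if (!IsAllowed(operationId))
        {
            Response.StatusCode = 403;
            Response.End();   // stops processing the request
        }
    }

    // Asks AzMan whether the logged-in Windows user may perform one operation.
    private bool IsAllowed(int operationId)
    {
        WindowsIdentity identity = Context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return false;   // fail closed: no Windows token, no access
        }

        // Opening the store runs as the application identity, which is why
        // that account needs the Reader role on the store. In production open
        // the store once (e.g. in Application_Start) and reuse it.
        IAzAuthorizationStore store = new AzAuthorizationStore();
        string storeUrl = "msxml://" + Server.MapPath("~/App_Data/SamplePolicy.xml");
        store.Initialize(0, storeUrl, null);   // use msldap://... for an AD store
        IAzApplication azApp = store.OpenApplication(ApplicationName, null);

        // Build the client context from the logon token; the token already
        // carries group membership, so no directory lookup is needed.
        IAzClientContext userContext =
            azApp.InitializeClientContextFromToken((ulong)identity.Token.ToInt64(), null);

        // AccessCheck takes parallel arrays of scopes and operation IDs and returns
        // one Win32 error code per operation: 0 = allowed, 5 = ERROR_ACCESS_DENIED.
        object[] scopes = new object[] { "" };               // "" = application scope
        object[] operations = new object[] { operationId };
        object[] results = (object[])userContext.AccessCheck(
            "Default.aspx", scopes, operations, null, null, null, null, null);

        return (int)results[0] == ErrorSuccess;
    }
}
```

The check is deliberately keyed on operation IDs rather than role names: if an administrator later moves "Delete" out of "Admin Tasks" in the console, the page follows the policy without a code change, which is the point of keeping authorization data in AzMan in the first place.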
Hope it provides some help.