Authorization Manager - PowerPoint PPT Presentation


Slides: 11
Provided by: dotnetper

Transcript and Presenter's Notes

Title: Authorization Manager


1
Authorization Manager
  • Nick Wienholt

2
Basic Definitions
  • Authentication
    • Who is attempting to use the system? What role or
      group do they belong to?
    • Windows, ASP.NET Forms, custom (username,
      password), Passport, Certificates, Smart Cards,
      biometrics
    • A problem that is essentially solved.
  • Authorization
    • Can this user or class of user perform this
      action at this time?
    • Business rules.
    • A problem that isn't solved.

3
Authorization Problems
  • What the hell are your business rules? (and how
    do you stay in business if you don't know them?)
  • How do you (easily) incorporate customizability/extensibility?
  • How do you cope with frequently changing business
    rules?

4
Desirable Qualities of a Solution
  • Decouple implementation of application logic (DB
    updates, email notifications, backend processing)
    from authorization decisions.
  • Allow easy updates/modifications of business
    rules.
  • Don't couple authorization and authentication.

5
Potential solutions
  • RAD development and support frequent roll-outs.
  • Add scripting support.
  • Lock the customer in. (and make plenty of profits
    on variations)
  • Authorization Manager

6
Sample Application

7
Authorization Manager Overview
  • COM-based technology that ships with Windows
    Server 2003. Officially supported and
    documented.
  • Managed via MMC snap-in.
  • XML or Active Directory storage of authorization
    policy.
  • Not tied to any particular authentication scheme,
    but AuthMan context needs to map to one or more
    Windows Accounts.
  • Business rules expressed in VBScript or JScript.
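
Added example (not from the original slides): a VBScript BizRule of the kind this slide describes, attached to a hypothetical task in the policy store. The parameter names "Amount" and "Hour", the 500 limit and the 9-to-17 window are assumptions for illustration; the application supplies the values when it calls AccessCheck.

```vbscript
' Authorization Manager BizRule (added example, not the presenter's code).
' AzMan runs this script during AccessCheck for the task it is attached to.
' The application code only asks "may this user perform the operation?";
' the business rule itself lives in the policy store and can be changed
' there without redeploying the application.
'
' Assumed parameters passed by the application: "Amount" and "Hour".

Dim amount, hour

' Deny by default: access is granted only if every check below passes.
AzBizRuleContext.BusinessRuleResult = False

amount = AzBizRuleContext.GetParameter("Amount")
hour = AzBizRuleContext.GetParameter("Hour")

' Reject values that are not numbers instead of letting a type
' error decide the outcome.
If IsNumeric(amount) And IsNumeric(hour) Then
    ' "Can this user perform this action at this time?"
    ' Assumed rule: amounts up to 500, during business hours only.
    If CDbl(amount) > 0 And CDbl(amount) <= 500 Then
        If CInt(hour) >= 9 And CInt(hour) < 17 Then
            AzBizRuleContext.BusinessRuleResult = True
        End If
    End If
End If
```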

8
Take-aways
  • Windows Server 2003 needed on the server side.
  • Business rules in script, but managed or
    unmanaged COM components possible.
  • Authorize however you want.
  • High risk to let clients control their own
    business rules?

9
Comments and criticisms

10
Questions?