Application Security, Part 11

So, what we would really like to be able to do in administering permissions for an application is the following:


· we would like to be able to define abstract operations for which we would want to control authorization, abstract operations that we could map to elements of our user interface

· we would like to be able to compose those operations into coarser-grained tasks so that we could permit or deny whole sets of operations at once by permitting or denying the task

· we would like to organize the users of our application into groups defined specifically for our application, and then permit or deny each group to perform each task.

· we would like to be able to do all of this through a user interface


Well, these are exactly the things that the Windows Server 2003 Authorization Manager allows us to do. We are not restricted to permitting or denying access to operating system elements as we are with access control lists, nor to authorizing access to COM+ components and their methods as we are with COM+ role-based security. Rather, we have complete freedom to declare the operations for which we would like to permit or deny access, and then compose those operations into tasks that a user in a given role would want to perform.


[This posting is provided "AS IS" with no warranties, and confers no rights.]