2.5.2.1 AzMan RBAC Model
Goal
Verify the authorization rights for the user to perform the intended business operation/task.
Context of Use
The user of the application client needs to perform certain business operation/tasks using the application server, and the application server verifies the authorization of the requesting user before the application server grants access to the requested business operation.
Actors
Application server: The application server is the service running on the server computer.
Admin client: The Admin client is the administrator management snap-in tool that facilitates the administrator to configure authorization policies for the applications.
Policy store: The policy store can be located on either an Active Directory server, a SQL Server, or a file server; the policy store maintains the authorization policies for the applications.
Stakeholders
The primary interest of the user of the application client is to perform intended business operations/tasks with the help of the application server.
Preconditions
The identity of the user has been authenticated, and the application server has the identity information.
Any required authorization policies have been created on the policy server for the application.
The application server is configured with the required information to access the configured authorization policies.
Required policies are configured on the policy server for the user to perform intended business operations/tasks.
Main success scenario
Trigger: The user of the application client is required to perform certain protected tasks with the help of the application server.
The application server connects the authorization policy store with the configured details such as the connection string and gets the instance of the application policy.
The application server constructs the client's access token (also called security context) with the identity information of the user who is using Authorization Manager APIs.
The application server calls the access check Authorization Manager API to verify the authorization for the requested business operation/ task.
Postcondition
The application server enables the user to perform requested business operation/tasks.
Extensions
None.