Understanding Authorization Manager Role, Task, and Operation Definitions

Applies To: Windows Server 2008


Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

To use Authorization Manager effectively to control access to resources, you must first define roles, tasks, and operations.

  • A role is a set of permissions that a user must have to do a job. Well-designed roles should correspond to a job category or responsibility (for example, receptionist, hiring manager, or archivist) and be named accordingly. With Authorization Manager, you can add users to a role to authorize them for the job.

  • A task is a collection of operations and sometimes other tasks. Well-designed tasks are inclusive enough to represent work items that are recognizable (for example, "change password" or "submit expense").

  • An operation is a set of permissions that you associate with system-level or API-level security procedures like WriteAttributes or ReadAttributes. You use operations as building blocks for tasks.

You can define roles, tasks, and operations only in developer mode, not administrator mode. To set developer mode, see Set Authorization Manager Options.

Role definitions

Creating appropriate role definitions depends on the structure and goals of your organization. Roles support inheritance from other roles.

To define a role, you specify a non-arbitrary name, a friendly description, and some lower-level tasks, roles, and operations that are part of it. This provides a mechanism for role inheritance. For example, a Helpdesk role might include a Product Support role.

You can specify an authorization rule, which may be either VBScript or JScript. For more information, on the Microsoft Web site, see VBScript (http://go.microsoft.com/fwlink/?linkid=65964) and JScript on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=65963).

If there are several authorization rules associated with a role definition (for example, the role definition has several subroles and tasks), the authorization rules run synchronously. In Authorization Manager, the order has no effect on authorization.

Task definitions

A task definition is smaller than a role definition and can be used to define roles and other tasks.

With Authorization Manager, you associate tasks with roles in an intuitive way. For example, the Recruiter role might include the Interview task.

Tasks, like roles, are defined in a way that is appropriate to the organization. To define a task, you specify a name, a description, and some lower-level tasks and operations that are part of it. You can also specify a VBScript or JScript authorization rule.

Operation definitions

Operations are small computer-level actions that are used to define tasks and usually are not relevant to an administrator. You define operations only in developer mode.

You can set operation definitions at the application level, but not at the authorization store level or the scope level.

An operation definition includes a name, a description, and an operation number. The operation number X must be an integer from one to 2147483647 (that is, 1 ≤ X ≤ 2^31 - 1). The operation number is used by the application to identify the operation, so entering a wrong operation number will result in access being granted or denied incorrectly. This, in turn, could lead to security violations or undesired behavior of the client application.