Understanding Authorization Manager Scopes

Applies To: Windows Server 2008


Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

A scope is a virtual subdivision within an application that separates some resources from other resources that are used by that application. You can use scopes to prevent unintended resource sharing and to support auditing and delegation. You do not have to use scopes.

A scope can represent a folder, a container in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), a file-masked collection of files (for example, *.doc), a URL, or any item that can be accessed by the application and its underlying authorization store. However, a scope is an abstraction; it is a definition created in Authorization Manager, but it is not a physical folder in the file system or an actual container in AD DS, for example.

If you have Authorization Manager groups, role assignments, role definitions, or task definitions that you do not want to apply to an entire application, you can create them at the scope level. The application that contains the scope must be able to recognize the scope name. For example, file-based applications might have scope names that include file names or paths. Web-based applications might have URL-based scope names. Registry applications might have scope names based on registry hives, and Active Directory scope names could specify organizational units. You cannot define operations at the scope level.

Auditing scopes

You cannot control Authorization Manager runtime auditing at the scope level. You can control Authorization Manager authorization store-change auditing on scopes contained in authorization stores that are kept in Active Directory. For more information, see Understanding Authorization Manager Auditing.

Delegating scopes

You can delegate the administration of scopes to other people if both of the following conditions are met:

  • The authorization store is stored in AD DS, AD LDS, or SQL Server.

  • Authorization rules (business rules) are not used in any task or role definitions defined within the scope you want to delegate.
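The following PowerShell script is an added example, not code from this article or from Microsoft. It uses the AzRoles COM API to build a small file-based authorization store, defines an operation at the application level (the only level at which operations can exist), places a task and a role assignment inside a scope as described above, and then reads the scope's CanBeDelegated property, which reflects the authorization-rule condition for delegation. The store path, application name, scope name, operation name and ID, and task and role names are all assumed; it must be run on a Windows version that ships Authorization Manager.

```powershell
# Added example (not from the original article). Assumed names throughout.
$storePath = Join-Path $env:TEMP 'azman-scope-demo.xml'
if (Test-Path $storePath) { Remove-Item $storePath }

$AZ_AZSTORE_FLAG_CREATE = 0x1   # IAzAuthorizationStore::Initialize flag

# Create an XML (file-based) authorization store.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, "msxml://$storePath", $null)
$store.Submit(0, $null)

# Operations can only be defined at the application level, never in a scope.
$app = $store.CreateApplication('ExpenseApp', $null)
$op  = $app.CreateOperation('ApproveExpense', $null)
$op.OperationID = 1
$op.Submit(0, $null)
$app.Submit(0, $null)

# The scope is only a name; the application must recognise it.
# Here the name stands for a file path that the application checks against.
$scope = $app.CreateScope('\\fileserver\expenses\payroll', $null)

# Task and role definitions created at scope level apply only inside this scope.
$task = $scope.CreateTask('Approve payroll expenses', $null)
$task.AddOperation('ApproveExpense', $null)
# No $task.BizRule is set. An authorization (business) rule on any task or role
# in this scope would make the scope ineligible for delegation.
$task.Submit(0, $null)

$role = $scope.CreateRole('Payroll approver', $null)
$role.AddTask('Approve payroll expenses', $null)
$role.Submit(0, $null)
$scope.Submit(0, $null)

# CanBeDelegated is False as soon as a task or role in the scope carries an
# authorization rule. The store-location condition is separate: this XML
# store does not meet it, so the scope still cannot be delegated even when
# the property reports True.
'Scope "{0}" free of authorization rules: {1}' -f $scope.Name, $scope.CanBeDelegated
```

To see the second delegation condition fail, set `$task.BizRule` to a VBScript or JScript rule before submitting the task and re-read `$scope.CanBeDelegated`; to satisfy the first condition, point the Initialize call at an `msldap://` or `mssql://` policy URL instead of the `msxml://` file store.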