Understanding Authorization Rules and Business Rules
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
Authorization rules are scripts written in VBScript or JScript that you can include in role definitions and task definitions. An authorization rule determines whether the role or task is allowed.
By using authorization rules, you can base authorization decisions on any condition that a script can test. These may include privileges and permissions, time of day, billable expense limits, account balances, or other criteria.
Authorization Manager is not designed for writing or debugging authorization rules. You can write your scripts in a text editor (for example, Notepad), in an integrated development environment such as Visual Studio .NET, or in another application of your choice. Authorization rules are usually written by professional developers.
For more information about creating authorization rules and using the Authorization Manager application programming interfaces (APIs), see Authorization Manager Model (http://go.microsoft.com/fwlink/?linkid=64027). For additional suggested links, see Resources for Authorization Manager.
Controlling the use of business rules and authorization rules
Controlling use on each client
Beginning with Windows Server 2008, the use of business rules and authorization rules can be controlled by a registry setting. Rules are disabled by default. Previous versions of Windows did not support this functionality.
Generally, you will use a setup program or a script run by the operating system to enable authorization rules and business rules if they are in use in your environment.
This setting is controlled individually for each Authorization Manager application on each client.
The following is a sample script that enables or disables business rules and application rules for an application:
' Enabling or disabling BizRules for an application
' This script uses Authorization Manager Administrative interfaces to enable or disable
' BizRules for a specified Authorization Manager application in a specified Authorization Manager policy store
On Error Resume Next
Set objArgs = WScript.Arguments
If objArgs.Count <> 3 Then
    WScript.Echo "Usage: SetBizRule ""AzManStoreURL"" ""AzApplicationName"" True/False"
    WScript.Echo "Example: SetBizRule ""msxml://d:\inetpub\wwwroot\AzStore.xml"" ""MyApp"" True"
    WScript.Echo "Run with 'cscript' command in cmd.exe to avoid msg boxes"
    WScript.Quit
End If
' VBScript source code
Dim AzManStoreURL : AzManStoreURL = objArgs(0)
Dim AzManAppName : AzManAppName = objArgs(1)
Dim BizRulesEnabled : BizRulesEnabled = objArgs(2)
' create azman object
Set AzStoreObj = CreateObject("AzRoles.AzAuthorizationStore")
' test for any error, not only positive error numbers
If Err.Number <> 0 Then
    WScript.Echo "Can not create AzRoles.AzAuthorizationStore. Check Authorization Manager installation"
    WScript.Quit
End If
' initialize store for Administration
' assumes store exists - if store is being created (e.g. an installing application)
' use the value 3 instead of 2 in the call to IAzAuthorizationStore::initialize
AzStoreObj.Initialize 2, AzManStoreURL
If Err.Number <> 0 Then
    WScript.Echo "AzRoles.AzAuthorizationStore failed to initialize. Check store URL"
    WScript.Quit
End If
' open application
Set AzApp = AzStoreObj.OpenApplication(AzManAppName)
If Err.Number <> 0 Then
    WScript.Echo "AzRoles.AzAuthorizationStore failed to open application: " & AzManAppName & ". Check application Name."
    WScript.Quit
End If
' set BizRulesEnabled property
WScript.Echo "App BizRule Before:" & AzApp.BizRulesEnabled
AzApp.BizRulesEnabled = BizRulesEnabled
WScript.Echo "App BizRule After:" & AzApp.BizRulesEnabled
If Err.Number = 0 Then
    WScript.Echo "BizRulesEnabled is updated successfully."
Else
    WScript.Echo "BizRulesEnabled is NOT updated successfully."
End If
Controlling use for the entire authorization store
By configuring the authorization rule limits on the Limits tab of the authorization store properties sheet, you can:
Disable authorization rules and business rules for the store.
Set a timeout value to limit the maximum length of time to allow a script to run.
Allow scripts to run with no timeout.
For more information, see Understanding Authorization Manager Store Limits.
The following is a VBScript authorization rule that always grants permission:
AzBizRuleContext.BusinessRuleResult = True
The following is a JScript authorization rule that always grants permission:
AzBizRuleContext.BusinessRuleResult = true;
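In contrast to the always-grant rules above, the following added example (not part of the original documentation) shows a rule that tests two of the conditions mentioned earlier, an expense limit and time of day, and denies by default. It uses only syntax that JScript accepts. The parameter name "ExpAmount", the limit, the hours, and the helper makeFakeContext are assumptions made for illustration.

```javascript
// Added example: authorization rule in the ES3 subset that JScript accepts.
// "ExpAmount", the limit and the hours are assumptions, not values from the page.
var EXPENSE_LIMIT = 500;
var OPEN_HOUR = 8;   // allowed from 08:00 ...
var CLOSE_HOUR = 18; // ... up to 17:59 local time

function readNumber(ctx, name) {
    // Assumed: GetParameter raises an error for a name the application did not pass.
    // A value that is not a finite number is rejected either way.
    var value = ctx.GetParameter(name);
    if (typeof value !== "number" || !isFinite(value)) {
        throw new Error("parameter " + name + " is not a finite number");
    }
    return value;
}

function evaluateExpenseRule(ctx, now) {
    // Deny first, so any early exit or script error leaves the result false.
    ctx.BusinessRuleResult = false;
    try {
        var amount = readNumber(ctx, "ExpAmount");
        var hour = (now || new Date()).getHours();
        if (amount < 0 || amount > EXPENSE_LIMIT) {
            ctx.BusinessRuleString = "amount outside permitted range";
        } else if (hour < OPEN_HOUR || hour >= CLOSE_HOUR) {
            ctx.BusinessRuleString = "outside business hours";
        } else {
            ctx.BusinessRuleResult = true;
        }
    } catch (e) {
        ctx.BusinessRuleString = "rule error: " + e.message;
    }
    return ctx.BusinessRuleResult;
}

// Constructed stand-in for AzBizRuleContext, only for exercising the rule offline.
function makeFakeContext(params) {
    return {
        BusinessRuleResult: true, // starts true to show the rule resets it
        BusinessRuleString: "",
        GetParameter: function (name) {
            if (!params.hasOwnProperty(name)) { throw new Error("missing " + name); }
            return params[name];
        }
    };
}

// Authorization Manager supplies AzBizRuleContext; elsewhere this line is skipped.
if (typeof AzBizRuleContext !== "undefined") { evaluateExpenseRule(AzBizRuleContext); }
```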