
ASP.NET Weblogs

Loren Halvorson's Blog

If your only tool is a hammer...

Is anyone using AzMan?

We are in the process of developing a common role based authorization layer for several of our applications and stumbled across Microsoft's Authorization Manager. I had originally passed over it because I thought it was tied to Windows Server 2003, but it turns out that it runs on Windows 2000, which we are using in production, and Windows XP, which developers use. On XP, just install the Windows Server 2003 Administration Tools Pack and you'll get it.

The idea seems great. It allows you to define logical operations like "CanApproveExpenseReports" and map those to logical roles in your organization like "Manager". Then you assign users to the roles. (The model is extremely flexible...I recommend Dave McPherson's article.) There is a COM runtime and a .NET interop assembly for use from .NET that allows your application to quickly check whether the current user is allowed to perform some operation. The following is not the actual API; I just wanted to give you a feel for how you would use it in an app:

// Ask about the operation, not the role: the role-to-operation mapping lives in the policy store
if (azMan.CheckAccess(user, "CanApproveExpenseReport"))
{
    // Approve expense reports code goes here
}

It also provides an MMC snap-in tool to manage everything. If it works out, it promises to save us a ton of time.

I see the Patterns and Practices Authorization and Profile Application Block has a provider that can use it, and there is a RoleManager Provider in Whidbey that uses a part of it too. So Microsoft seems to think it fits the problem.

Actually, while I'm on the subject of Whidbey, I was surprised that it doesn't seem to provide a general purpose authorization mechanism other than IsInRole. Roles are good for some things, but they are too coarse-grained for deciding whether a button is visible or not, or whether a user can delete items from a table. There can potentially be hundreds of these fine-grained secured operations scattered throughout your application, and hard-coding role names (if (User.IsInRole("Manager"))...) throughout your app is not an acceptable solution in my opinion, because it limits the ability to redefine the permissions of each role later on without touching code.

Authorization Manager (or AzMan for short) seems to fit the bill perfectly. However I hesitate to jump in too quickly because I don't see very much buzz about this technology on the web. I'd like to read other people's experience with it. Has anyone tried to use it in a .NET Application?
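To make the operations-to-roles idea concrete, here is an added example (not the post's code and not the AzMan interop API) that models the Authorization Manager policy model in memory: operations are defined once, roles grant sets of operations, principals are assigned to roles, and application code only ever asks about an operation. The expense-report operations and principal names such as "user:alice" and "group:AllStaff" are constructed for the example.

```python
# Added example, not the post's or AzMan's own code: an in-memory model of the
# Authorization Manager policy model (operations -> roles -> role members); the
# principal names ("user:alice", "group:AllStaff") and operations are constructed.
from dataclasses import dataclass, field


@dataclass
class PolicyStore:
    operations: set = field(default_factory=set)     # operation names the app checks
    roles: dict = field(default_factory=dict)        # role -> set of operations it grants
    assignments: dict = field(default_factory=dict)  # role -> set of principals

    def define_operation(self, name):
        self.operations.add(name)

    def define_role(self, name, ops):
        # Redefining a role here is the policy-side change the post wants: no code edit.
        unknown = set(ops) - self.operations
        if unknown:
            raise ValueError(f"role {name!r} uses undefined operations: {sorted(unknown)}")
        self.roles[name] = set(ops)

    def assign(self, role, principal):
        if role not in self.roles:
            raise KeyError(f"role {role!r} is not defined")
        self.assignments.setdefault(role, set()).add(principal)

    def access_check(self, principals, ops):
        # One result per requested operation, as AzMan's AccessCheck returns;
        # deny by default, including for operations the store has never heard of.
        granted = set()
        for role, members in self.assignments.items():
            if members & set(principals):
                granted |= self.roles[role]
        return {op: op in self.operations and op in granted for op in ops}


def build_store():
    store = PolicyStore()
    for op in ("CanViewExpenseReport", "CanApproveExpenseReport", "CanDeleteExpenseReport"):
        store.define_operation(op)
    store.define_role("Employee", ["CanViewExpenseReport"])
    store.define_role("Manager", ["CanViewExpenseReport", "CanApproveExpenseReport"])
    store.assign("Employee", "group:AllStaff")
    store.assign("Manager", "user:alice")
    return store

def can_approve(store, principals):
    # Application code asks about the operation, never about a role name.
    return store.access_check(principals, ["CanApproveExpenseReport"])["CanApproveExpenseReport"]
```

Granting managers the delete operation later is a single define_role call against the store; can_approve and every other operation check in the application stay untouched.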

 

Comments

 


Udi Dahan - The Software Simplist said:

Saw it at a local .Net user group some time ago. Seemed nice, except for the interop.

One other thing is the ability to perform "business tasks" that are really only script.

Should the interop go away, and be able to call .Net code for business tasks, this would truly be a killer.
February 24, 2004 5:11 PM
 

TrackBack said:

Take Outs: The Digital Doggy Bag of Blog Bits for 24 February 2004
February 24, 2004 10:12 PM
 

Mik said:

I am currently investigating using this in my app. I really like the sound of it, but was thinking the implementation might be a little scary. Did you get any further with your decision? Maybe we could do some brainstorming.
March 22, 2004 1:21 PM
 

Chris Bilson said:

We have it fully integrated into our ASP.NET application. The Interop part really sucks when you have defined a lot of operations and are doing lots of authorization checks. It's a real performance killer.

I have my own wrapper class that invokes my "Business Tasks" when an access check is performed.

I feel kind of frustrated that there isn't more information about this tool, as I agree that it is a nice way to get out of hard coding role checks into my application - something that would not be acceptable in my case due to varying customer definitions of what a "Manager" is and what they can do.
May 14, 2004 9:06 AM
 

Dominick Baier said:

hi,

i love azman! i have written some stuff on it on www.leastprivilege.com - especially that ability to use non-windows accounts is very cool!

dominick
May 30, 2004 7:09 AM
 

Mathertel said:

Yes, we use it in a .NET Web Application, built a wrapper and a bunch of additional tools to work with (a lot of tools are missing in the MMC snapin)
June 7, 2004 1:45 PM
 

Tom Bruns said:

I have used AzMan extensively in a large .NET Web application. I think that the conceptual model is very good. However, there are a lot of "lessons learned" concerning how to correctly architect the application to use it relative to performance, ongoing maintenance of the policy store, interaction with ADAM etc. If I can be of any help please feel free to email me. Replace nospam with com in my email address. Used correctly it can perform very well.
July 26, 2004 2:00 PM
 


Gabriel Lopez said:

It's almost 2007, and it seems to me that for one reason or another AzMan still hasn't gained wide adoption.

Does anyone have any idea why is this? Anyone would like to comment on this?

December 13, 2006 12:36 PM
 

Horea Hopartean said:

We tried to use it and keep its repository on a Win2003 AD, but at 10000 users it took 13 (thirteen) seconds to do an OpenApplication call.

That and the ugly API may be good reasons why it hasn't got any traction so far :)

February 8, 2007 3:36 AM
 

Emil Gottwald said:

I've been considering AzMan/ADAM as potential technologies for replacing huge chunks of our custom-built authorization manager, which we developed several years ago before any of this was available. Have just started looking into it seriously. The technology looks promising so far. From my POV, adoption of the technology is slow because:

  a) It takes a significant effort and commitment to re-architect applications to use it, and

  b) There's a significant learning curve involved which is hampered by the lack of cohesive, up-to-date, detailed documentation. There's a ton of information available, but sorting through it is time consuming and, at times, frustrating since there's conflicting information that has to be researched to resolve.

March 22, 2007 10:08 AM
