Is anyone using AzMan?

We are in the process of developing a common role-based authorization layer for several of our applications and stumbled across Microsoft's Authorization Manager. I had originally passed over it because I thought it was tied to Windows Server 2003, but it turns out that it runs on Windows 2000, which we are using in production, and Windows XP, which developers use. On XP, just install the Windows Server 2003 Administration Tools Pack and you'll get it.

The idea seems great. It allows you to define logical operations like "CanApproveExpenseReports" and map those to logical roles in your organization like "Manager". Then you assign users to the roles. (The model is extremely flexible... I recommend Dave McPherson's article.) There is a COM runtime and a .NET interop assembly for use from .NET that allows your application to quickly check whether the current user is allowed to perform some operation. The following is not the actual API; I just wanted to give you a feel for how you use it in an app:

if (azMan.CheckAccess(user, "CanApproveExpenseReport"))
{
    // Approve expense reports code goes here
}

It also provides an MMC snap-in tool to manage everything. If it works out, it promises to save us a ton of time.

I see the Patterns and Practices Authorization and Profile Application Block has a provider that can use it, and there is a RoleManager Provider in Whidbey that uses a part of it too. So Microsoft seems to think it fits the problem.

Actually, while I'm on the subject of Whidbey, I was surprised that it doesn't seem to provide a general-purpose authorization mechanism other than IsInRole. Roles are good for some things, but they are too coarse-grained for deciding whether a button is visible or not, or whether a user can delete items from a table. There can potentially be hundreds of these fine-grained secured operations scattered throughout your application, and hard-coding role names (if (User.IsInRole("Manager"))...) throughout your app is not an acceptable solution in my opinion, because it limits the ability to redefine the permissions of each role later on without touching code.

Authorization Manager (or AzMan for short) seems to fit the bill perfectly. However, I hesitate to jump in too quickly because I don't see very much buzz about this technology on the web. I'd like to read about other people's experience with it. Has anyone tried to use it in a .NET application?
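
To make the model concrete, here is an added Python sketch of the operation -> task -> role -> principal chain described above, with the application asking only about an operation so that what "Manager" may do is changed in the policy store rather than in code. This is an illustration written for this page, not the post's code and not the AzMan COM API; the policy, operation names and CORP\ principals are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PolicyStore:
    """Operations are what application code asks about; tasks, roles and
    assignments are administrator-defined and change without a rebuild."""
    operations: set = field(default_factory=set)
    tasks: dict = field(default_factory=dict)        # task -> operations and sub-tasks
    roles: dict = field(default_factory=dict)        # role -> tasks and operations
    assignments: dict = field(default_factory=dict)  # role -> principals (users/groups)

    def assign(self, role, principal):
        self.assignments.setdefault(role, set()).add(principal)

    def _granted(self, name, seen=None):
        """Flatten a role or task into the set of operations it ultimately grants."""
        seen = seen if seen is not None else set()
        if name in self.operations:
            return {name}
        if name in seen:  # guard against task/role definition cycles
            return set()
        seen.add(name)
        members = self.roles.get(name) or self.tasks.get(name, set())
        return set().union(*(self._granted(m, seen) for m in members))

    def access_check(self, principals, operation):
        """principals: every identity in the caller's token (user plus groups)."""
        if operation not in self.operations:
            raise KeyError(f"unknown operation {operation!r}")  # fail closed
        return any(assignees & set(principals) and operation in self._granted(role)
                   for role, assignees in self.assignments.items())


def sample_store():
    """Constructed expense-report policy in the post's terms; not a real AzMan store."""
    s = PolicyStore()
    s.operations |= {"CanViewExpenseReport", "CanApproveExpenseReport", "CanDeleteExpenseReport"}
    s.tasks["ReviewExpenses"] = {"CanViewExpenseReport", "CanApproveExpenseReport"}
    s.roles["Employee"] = {"CanViewExpenseReport"}
    s.roles["Manager"] = {"ReviewExpenses"}           # a task, not individual operations
    s.assign("Employee", r"CORP\Staff")
    s.assign("Manager", r"CORP\Managers")
    return s


def can_approve(store, principals):
    # Application code names the operation, never the role ("Manager" may be redefined).
    return store.access_check(principals, "CanApproveExpenseReport")
```

Redefining `store.roles["Manager"]` to include "CanDeleteExpenseReport" changes the outcome of an unchanged `access_check` call, which is the point the post makes against hard-coded IsInRole checks.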

13 Comments

  • Saw it at a local .Net user group some time ago. Seemed nice, except for the interop.

    One other thing is the ability to perform "business tasks" that are really only script.

    Should the interop go away, and be able to call .Net code for business tasks, this would truly be a killer.

  • I am currently investigating using this in my app. I really like the sound of it, but was thinking the implementation might be a little scary. Did you get any further with your decision? Maybe we could do some brainstorming.

  • We have it fully integrated into our ASP.NET application. The Interop part really sucks when you have defined a lot of operations and are doing lots of authorization checks. It's a real performance killer.

    I have my own wrapper class that invokes my "Business Tasks" when an access check is performed.

    I feel kind of frustrated that there isn't more information about this tool, as I agree that it is a nice way to get out of hard coding role checks into my application - something that would not be acceptable in my case due to varying customer definitions of what a "Manager" is and what they can do.

  • Hi,

    I love AzMan! I have written some stuff on it on www.leastprivilege.com - especially that ability to use non-Windows accounts is very cool!

    Dominick

  • Yes, we use it in a .NET Web Application; built a wrapper and a bunch of additional tools to work with it (a lot of tools are missing in the MMC snap-in).

  • I have used AzMan extensively in a large .NET Web application. I think that the conceptual model is very good. However, there are a lot of "lessons learned" concerning how to correctly architect the application to use it relative to performance, ongoing maintenance of the policy store, interaction with ADAM etc. If I can be of any help please feel free to email me. Replace nospam with com in my email address. Used correctly it can perform very well.

  • It's almost 2007, and it seems to me that for one reason or another AzMan still hasn't gained wide adoption.

    Does anyone have any idea why this is? Would anyone like to comment on this?

  • Does anyone have any updates on this, now that it's 2009? I'm also investigating the RoleManager and AzMan for use in our main system, but both of them keep me from implementing: RoleManager because of its 'flatness' (just roles) and AzMan because of its interop/performance. Are there any alternatives besides writing my own?

    Thanks a million.

  • We don't use AZMAN because it has such a g*y name. Yup, that's the only reason..

    Thanks M$ for making our HR dept nervous

  • I haven't tried it, but am considering NetSqlAzMan - but it is still similar to azman even though it does not use interops. Same steep learning curve and the author is Italian, so his screen shots often are in Italian. I wish there was something better.

  • Hi, I have the same problem.
    I'm comparing Visual Guard, AzMan, NetSqlAzMan and the features provided by the .NET 3.0 framework.
    At the moment I'm preferring NetSqlAzMan. It's well integrated with the .NET framework, the community is active, and it is Open Source. Yes, there are some limitations: only Windows or custom authentication and Microsoft SQL Server, but...
    I'm wondering: why is this topic so underestimated!?

  • I am developing an Enterprise RBAC system using AzMan with an AD store. To overcome the slow performance, I wrote a wrapper class which accesses AzMan directly in AD's OU structure using LDAP queries. Another thing to mention is that the Windows Server 2008 version of AzMan has the capability to create a data store in a SQL 2008 database. My biggest complaint is that the Security Dialog for any resources (folders, disks, etc.) does not recognize AzMan-defined groups or roles as available identities. This makes it really difficult to integrate RBAC which encompasses ERP and other enterprise roles AND Windows Resource Access Control at the same time, unless you write an application which can write to AD directly.

  • We used azman on our project and it sucks. We've had a ton of problems with interoperability, and it didn't work for our developers using Win7 when the .xml file was made on a win2003 machine. We even went as far as reporting a bug to Microsoft. It does a ton of COM BS like randomly not working and saying E_INVALIDARG, whatever that means. This is one of the technologies I want to remove from our project when I get a chance.