AzMan and WSE

I love Authorization Manager (AzMan), especially the idea of role-based authorization with the roles kept outside of the application altogether. From a developer's point of view, you tell AzMan that you have a certain named application and that it performs a set of operations, let's say "OrderWidget", "UpdateInventory", and "CreateNewProduct". An administrator can then create roles, organize operations into tasks, and grant roles permission to tasks or operations. Finally, administrators map Active Directory users or groups (and, with a little help, other types of non-AD identities) into those roles.

In the code, the developer simply asks AzMan whether the user has permission to perform an operation. AzMan figures out which AD groups the user belongs to, which AzMan roles those map to, and which tasks and ultimately operations are assigned to those roles, and then answers Yes or No. So, instead of role-based checks in the code, such as the developer testing whether the user is a member of the Managers role, the developer simply asks: is this user authorized to perform the operation "OrderWidget"?

This means that what membership in Managers means, in terms of which operations that role can perform, can change over time without recompiling the application. If a "Supervisors" role with a subset of the Managers permissions is needed later, it can be created administratively through the AzMan MMC snap-in.
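Here is what that "just ask for the operation" call looks like from .NET, as an added example written for this post rather than code from the original or from Microsoft's samples. It uses the AzRoles COM interop assembly (Microsoft.Interop.Security.AzRoles); the store URL, the application name "WidgetApp" and the operation name "OrderWidget" are assumptions, so point them at your own store. Notice that the application code never mentions Managers or Supervisors: it resolves an operation name to its ID and asks AccessCheck, and every role and group decision stays in the store.

```csharp
// Added example: runtime access check against an AzMan store from .NET via
// the AzRoles COM interop assembly. Not code from the original post.
// Store path, application name and operation name are assumptions
// (msxml://... opens an XML store, msldap://... an Active Directory store).
using System;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;

public sealed class WidgetAuthorizer
{
    private readonly IAzApplication _app;

    public WidgetAuthorizer(string storeUrl, string applicationName)
    {
        // Flag 0 opens the store for runtime (access-check) use.
        AzAuthorizationStore store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);
        _app = store.OpenApplication(applicationName, null);
    }

    // The application asks "may this user perform <operation>?" and nothing else.
    // Roles, tasks and group membership are resolved inside AzMan.
    public bool IsAuthorized(WindowsIdentity user, string operationName)
    {
        // Build the client context from the caller's token. In ASP.NET this must be
        // the authenticated/impersonated caller, not the worker-process identity,
        // or every request is checked as the service account.
        IAzClientContext ctx = _app.InitializeClientContextFromToken(
            (ulong)user.Token.ToInt64(), null);

        // AccessCheck works on numeric operation IDs, so resolve the name first.
        IAzOperation op = _app.OpenOperation(operationName, null);
        object[] scopes = new object[] { "" };                // "" = application scope
        object[] operations = new object[] { op.OperationID };

        // One result per requested operation. The first string is the object name
        // that AzMan writes to the audit log for this check.
        object[] results = (object[])ctx.AccessCheck(
            operationName + " request",
            scopes, operations, null, null, null, null, null);

        // 0 (NO_ERROR) means allowed; anything else (5 = ERROR_ACCESS_DENIED) means
        // denied. Treat any unrecognised value as denied so the check fails closed.
        return (int)results[0] == 0;
    }
}

// Usage (assumed store path and names):
//   var az = new WidgetAuthorizer(@"msxml://C:\AzStore\Widgets.xml", "WidgetApp");
//   if (!az.IsAuthorized(WindowsIdentity.GetCurrent(), "OrderWidget"))
//       throw new UnauthorizedAccessException("OrderWidget denied");
```

Two practical notes: open the store once and keep the IAzApplication around, since Initialize and OpenApplication are the expensive calls, and resolve operation names to IDs at startup if you check them on every request. If you later split Managers into Managers and Supervisors in the MMC snap-in, nothing in this class changes.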

Now, with web services happening all over the place, security for them is a concern. Here's an article in MSDN Magazine (Nov 2005) that shows how to hook up AzMan with a WSE3 web service, so that the web service's policy configuration can be used to map web services and methods to AzMan operations automagically.
