How to install and administer the Authorization Manager in Windows Server 2003 (324470)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

This article was previously published under Q324470

SUMMARY

This article describes how to install and work with the Authorization Manager in a Windows Server 2003 environment. The following tasks were performed by a member of the Administrators group on a computer running Windows Server 2003, Enterprise Edition.


Starting the Authorization Manager

To start Authorization Manager, do one of the following:
  • Click Start, click Run, type azman.msc, and then click OK.

    -or-
  • Click Start, click Run, type cmd in the Open box, and then click OK. At the command prompt, type azman.msc, and then press ENTER.

    NOTE: Authorization Manager opens without a default authorization store. To use Authorization Manager you must create or open an authorization store.

    For advanced users: If you create and save your own MMC console, it opens in whatever configuration you save it in, and it can include an authorization store.

Setting the Authorization Manager Options

  1. Open Authorization Manager (see the "Starting the Authorization Manager" section of this article).
  2. In the Authorization Manager console, right-click Authorization Manager, and then click Options.
  3. In the Options dialog box, select either Developer mode or Administrator mode, and then click OK.

    NOTE: In developer mode, users can create, deploy, and maintain applications. Users have unrestricted access to all features.

    In administrator mode, users can deploy and maintain applications. Users have access to all features except that they cannot create new applications and define operations.

    A developer runs Authorization Manager first, to set up an authorization store and application. After the developer has done that, an administrator typically runs Authorization Manager. If you are using Authorization Manager effectively, Administrator-mode usage should be much more common than Developer-mode usage.


Working with Authorization Stores

Creating an Authorization Store

  1. Open Authorization Manager, right-click Authorization Manager, click Options, select Developer mode, and then click OK.
  2. In the Authorization Manager console, right-click Authorization Manager, click New, and then click Authorization Store.
  3. Select either Active Directory or XML file as the store type.
  4. Type a complete store name in the Store name box, or use the Locations button to select a location by using the New Authorization Store dialog box.
  5. If it is an Active Directory authorization store, use the LDAP name -- for example CN=myStore,CN=Program Data,OU=Authorization,DC=myCompany,DC=com. If it is an XML authorization store, use a path and file name that will be valid at run time -- for example C:\AuthStores\MyStore.xml.
  6. Type a description of the new authorization store in the Description box, and then click OK.

    NOTE: Authorization stores can be created only in Developer mode. See the "Setting the Authorization Manager Options" section of this article for instructions about setting Developer mode.

Editing the Properties of an Authorization Store

  1. Open Authorization Manager.
  2. In the Authorization Manager console, right-click Authorization Manager, and then click Open Authorization Store.
  3. Select the type of authorization store that you want to open -- either Active Directory or XML file.
  4. Click Browse, locate the authorization store that you want, and then double-click it.
  5. Click OK in the Open Authorization Store dialog box.

Creating a Group in an Authorization Store

  1. Open Authorization Manager.
  2. Create or select an authorization store.
  3. Right-click the Groups folder that appears under the authorization store, click New, and then click Application Group.
  4. In the New Application Group dialog box, type a name and a description for the group, and then click Basic or LDAP query for the group type.
  5. Click OK.

Editing the Properties of a Group in an Authorization Store

  1. Open Authorization Manager.
  2. Create or select an authorization store.
  3. Double-click the Groups folder that appears under the authorization store icon.

    The groups that you see are the groups whose scope is the authorization store.
  4. Click to select, or double-click to edit the properties of, the group that you want.

Working With Applications

Creating an Application

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the Authorization Manager console, right-click the icon of the authorization store for which you want to create an application, and then click New Application.
  3. In the New Application dialog box, enter the name, description, and (if you want) the optional version information.
  4. Click OK.

Editing the Properties of an Application

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the Authorization Manager console, click the authorization store that contains the application.
  3. Double-click the application.

    The application is now selected, and the folders containing the Groups, Definitions and Role Assignments associated with the application appear in the console.

Creating a Group in an Application

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. Create or select an application in an authorization store.
  3. Right-click the Groups folder for that application, and then click New Application Group.
  4. In the New Application Group dialog box, type a name and a description for the group, and then click Basic or LDAP query for the group type.
  5. Click OK.

Editing Properties of a Group in an Application

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. Create or select an application in an authorization store.
  3. Double-click the Groups folder for that application.
  4. Click any group in the application folder to select it, or double-click it to edit its properties.

Creating a Role Assignment in an Application

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. Create or select an application in an authorization store.
  3. Right-click the Role Assignments folder for that application, and then click Assign Role.
  4. In the Add Role dialog box, click to select the appropriate check boxes to add the role definitions that you want, and then click OK.

Editing Properties of a Role Assignment in an Application

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the console tree, navigate to Role Assignment, right-click it, and then click Properties.
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Role Assignments
    • Role Assignment
  3. Optionally, you can use the Show Definition button to see or edit the Role Definition upon which the Role Assignment is based, and then click OK in the Role Definition Properties dialog box.
  4. Type a name and a description for the Role Assignment in the Role Assignment Properties dialog box, and then click OK.

Working with Roles, Tasks, and Operation Definitions

Creating a Role Definition

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the Authorization Manager console, right-click the Role Definitions folder in which to create the role definition. The Role Definitions folder may be defined at the Application level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Definitions
    • Role Definitions
  3. Or the Role Definitions folder may be defined at the Scope level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Scope name
    • Definitions
    • Role Definitions
  4. Click New Role Definition.
  5. In the New Role dialog box, type a Name and Description of the role. Optionally, you can specify any tasks, roles, and authorization scripts to be included in this new role.
  6. Click OK.

Editing a Role Definition

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the Authorization Manager console, double-click the Role Definitions folder containing the role definition you want to edit. The Role Definitions folder may be defined at the Application level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Definitions
    • Role Definitions
  3. Or the Role Definitions folder may be defined at the Scope level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Scope name
    • Definitions
    • Role Definitions
  4. Double-click the Role Definition.
  5. On the General tab of the Properties dialog box for the role definition, you can type a Name and Description of the role. On the Definition tab, you can specify any tasks, roles, and authorization scripts to be included in the role.
  6. Click OK.

Creating a Task Definition

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the Authorization Manager console, right-click the Task Definitions folder in which to create the task definition. The Task Definitions folder may be defined at the Application level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Definitions
    • Task Definitions
  3. Or the Task Definitions folder may be defined at the Scope level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Scope name
    • Definitions
    • Task Definitions
  4. Click New Task Definition.
  5. In the New Task dialog box, type a Name and Description of the task. Optionally, you can specify any tasks, operations, and authorization scripts to be included in this new task.
  6. Click OK.

Editing a Task Definition

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the Authorization Manager console, double-click the Task Definitions folder containing the task definition you want to edit. The Task Definitions folder may be defined at the Application level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Definitions
    • Task Definitions
  3. Or the Task Definitions folder may be defined at the Scope level:
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Scope name
    • Definitions
    • Task Definitions
  4. Double-click the Task Definition.
  5. On the General tab of the Properties dialog box for the task definition, you can type a Name and Description of the task. On the Definition tab, you can specify any tasks, roles, and authorization scripts to be included in the task.
  6. Click OK.

Creating an Operation Definition

Note To perform this procedure, you must have previously created an authorization store. In the authorization store, you must also have created an application. Operation definitions can be created only in Developer mode, not Administrator mode.
  1. Open Authorization Manager.
  2. In the console tree, right-click Authorization Manager, and then click Options.
  3. Select Developer mode if it is not already selected, and then click OK.
  4. In the Authorization Manager console, right-click the Operation Definitions folder in which to create the operation definition.
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Definitions
    • Operation Definitions
  5. Click New Operation Definition.
  6. In the New Operation dialog box, type a Name, a Description and an Operation number.
  7. Click OK.

Editing an Operation Definition

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. In the console tree, right-click Authorization Manager, and then click Options.
  3. Select Developer mode if it is not already selected, and then click OK.
  4. In the Authorization Manager console, double-click the Operation Definitions folder containing the operation definition you want to edit.
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Definitions
    • Operation Definitions
  5. Double-click the operation definition you want to edit.
  6. Type a Name, a Description and an Operation number.
  7. Click OK.

Working with Scopes

Creating a Scope



Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. Select the application in which you want to create the scope.
    • Authorization Manager
    • Authorization Store path and name
    • Application name
  3. Right-click the application, and then click New Scope.
  4. In the New Scope dialog box, type a name and a description for the scope.
  5. Click OK.

Editing the Properties of a Scope

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. Right-click the scope whose properties you want to edit.
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Scope name
  3. Click Properties.
  4. On the General tab of the properties dialog box for the scope, type a name and a description for the scope.
  5. Click the Auditing tab. Click to select or clear the check box to enable or disable Authorization Manager auditing.
  6. Click OK.

Creating a Role Assignment in a Scope



Note To perform this procedure, you must have previously created an authorization store. In the authorization store.
  1. Open Authorization Manager.
  2. Right-click the Role Assignments folder.
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Scope name
    • Role Assignments
  3. Click Assign Role.
  4. Click to select the check boxes of any Role Definitions that you want to add to the Role Assignment, and then click OK.

Editing Properties of a Role Assignment in a Scope

Note To perform this procedure, you must have previously created an authorization store.
  1. Open Authorization Manager.
  2. Right-click the Role Assignment, and then click Properties.
    • Authorization Manager
    • Authorization Store path and name
    • Application name
    • Scope name
    • Role Assignments
    • Role Assignment
  3. Optionally, you can use the Show Definition button to see or edit the Role Definition upon which the Role Assignment is based, and then click OK in the Role Definition Properties dialog box.
  4. Type a name and a description for the Role Assignment in the Role Assignment Properties dialog box, and then click OK.
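
Added example (not part of the original article and not Microsoft's code): the console procedures above, from creating a store through assigning a role in a scope, performed through the Authorization Manager COM scripting interface (AzRoles.AzAuthorizationStore) in PowerShell, ending with a read-back of the role assignment for review. The store path is the one used in this article; the application, operation, task, role, group and scope names are hypothetical, and the script assumes C:\AuthStores exists and the store file does not.

```powershell
# Added example: names marked "hypothetical" are not from the article.
$AZ_AZSTORE_FLAG_CREATE = 1                        # create a new store
$AZ_GROUPTYPE_BASIC     = 2                        # "Basic" application group
$storeUrl = 'msxml://C:\AuthStores\MyStore.xml'    # XML store path used in the article

# Authorization store (fails if the file already exists or C:\AuthStores is missing)
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $storeUrl, $null)
$store.Description = 'Example store'
$store.Submit(0, $null)

# Application (hypothetical name)
$app = $store.CreateApplication('ExpenseApp', $null)
$app.Submit(0, $null)

# Operation definition: the lowest-level permission, identified by its operation number
$op = $app.CreateOperation('ReadReport', $null)
$op.OperationID = 1
$op.Submit(0, $null)

# Task definition that groups operations
$task = $app.CreateTask('ViewReports', $null)
$task.AddOperation('ReadReport', $null)
$task.Submit(0, $null)

# Role definition: stored as a task flagged as a role definition
$roleDef = $app.CreateTask('Reader', $null)
$roleDef.IsRoleDefinition = $true
$roleDef.AddTask('ViewReports', $null)
$roleDef.Submit(0, $null)

# Basic application group whose only member is the account running the script
$group = $app.CreateApplicationGroup('ReportReaders', $null)
$group.Type = $AZ_GROUPTYPE_BASIC
$group.AddMemberName("$env:USERDOMAIN\$env:USERNAME", $null)
$group.Submit(0, $null)

# Scope, and a role assignment inside it that is limited to that scope
$scope = $app.CreateScope('Finance', $null)
$scope.Submit(0, $null)
$role = $scope.CreateRole('Reader', $null)
$role.AddTask('Reader', $null)
$role.AddAppMember('ReportReaders', $null)
$role.Submit(0, $null)

# Read back every role assignment in the scope for review
foreach ($r in $scope.Roles) {
    '{0}: definitions={1}; groups={2}' -f $r.Name, ($r.Tasks -join ','), ($r.AppMembers -join ',')
}
```

Assigning the role inside the scope rather than at the application level keeps the grant limited to that scope, and the final loop gives a quick listing to check who holds which role definition.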

Modification Type: Major
Last Reviewed: 1/22/2006
Keywords:kbMgmtServices kbHOWTOmaster KB324470 kbAudITPro