This was going to be a single post, but it got too long, so this first part introduces Authorization Manager and describes how to get it set up, and the second part will discuss how to apply this technology in the ArcGIS environment.
Authorization Manager
Also known as AzMan, this is a component of Windows Server 2003 which provides a "role-based" security store along with a developer API that you can work against. At its core, AzMan works with "Operations" to which access is granted or revoked based on role membership. In addition to working directly with roles and groups on the local machine or in Active Directory, AzMan can also manage its own roles and groups. This is very convenient if IT policy does not allow you to have application-specific roles & groups in Active Directory itself. Although the AzMan API (azroles.dll) is installed on XP by default, you need to download the Windows Server 2003 admin kit to get the management console snap-in. If you are running in Vista or Windows Server 2003, this is already installed.
How it works (30,000 foot view)
The application uses AzMan to ask if a user has access to a particular Operation. AzMan looks at the user's group & role membership and determines if they have access. Simple & clean.
This is very nice in that it provides a layer of indirection between your application code and the authorization system. As long as the authorization system knows about the operations your application is going to request, it does not matter how the users are granted access (via Active Directory roles & groups, via AzMan roles & groups, or via individual users). This is much preferable to writing an application which depends on specific roles & groups existing in Active Directory.
Using AzMan
Before we start building an application, we need to set up an AzMan repository that we can use to control access to our functions. For this example we are using an XML file to store the repository, but it's also worth noting that you can store it in Active Directory. Again, I highly recommend Keith Brown's screencasts for the details. At a high level, these are the steps:
AzMan API
Now that we have our (basic) repository, we are ready to use AzMan to secure our code, and we do this via the API. The AzMan API is a set of COM classes located in AZROLES.dll. And while we can access this library directly, I would recommend creating a utility class that hides a lot of the details. In the next posting, I will include an "AzManHelper" class (derived from a C# class from Keith Brown) in the sample code which does just this. Basically it just exposes a "CheckAccess" method which returns a boolean. For now, I recommend taking a look at Keith's screencasts on Channel9, and checking out his sample code (links below).
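To make the "CheckAccess returns a boolean" idea concrete, here is an added sketch of such a wrapper; it is not the AzManHelper class from the follow-up post or Keith Brown's code. It assumes a COM reference to the azroles type library (interop namespace AZROLESLib), and the class name, store URL, application name and operation number are placeholders.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using AZROLESLib; // COM interop generated for azroles.dll (assumed project reference)

// Added illustration: a thin wrapper that asks AzMan about one Operation.
public static class AzManCheck
{
    private const int NoError = 0; // AccessCheck reports 0 for a granted operation

    // storeUrl, appName and operationId are placeholders for your own repository,
    // e.g. storeUrl = @"msxml://C:\stores\MyApp.xml" for an XML-file store.
    public static bool CheckAccess(string storeUrl, string appName,
                                   WindowsIdentity user, int operationId)
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        try
        {
            // Flags = 0 opens an existing store without creating or managing it.
            store.Initialize(0, storeUrl, null);
            IAzApplication app = store.OpenApplication(appName, null);

            // Build the client context from the caller's Windows token so AzMan
            // resolves group and role membership itself; the application never
            // hard-codes role or group names.
            IAzClientContext ctx = app.InitializeClientContextFromToken(
                (ulong)user.Token.ToInt64(), null);

            object[] operations = { operationId };
            object[] scopes = { "" }; // empty string = application-level scope

            // One result code comes back per requested operation.
            object[] results = (object[])ctx.AccessCheck(
                "CheckAccess op " + operationId, // object name used for auditing
                scopes, operations, null, null, null, null, null);

            // Anything other than exactly one NoError result is a denial.
            return results.Length == 1 && (int)results[0] == NoError;
        }
        finally
        {
            // Exceptions (missing store, unknown application) propagate to the
            // caller, so a failure never turns into a grant.
            Marshal.ReleaseComObject(store);
        }
    }
}
```

Callers should treat an exception from this method the same as a `false` result and refuse the operation.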
Up Next...
In the next posting I'll cover how you can use this to add role-based security into your ArcGIS applications and provide some sample code.
Keith Brown's Channel9 Screencasts:
Getting Started with AzMan
Programming AzMan – Code Sample
AzMan in the Enterprise – Code Sample
I'm Dave and this is my blog. I'm usually writing about .NET Software Development, ArcGIS, or Agile Practices, but other stuff does creep in from time to time. I hope you find something of use, and feel free to contact me if you have any questions. You can also check out my profile on LinkedIn