Friday, June 13, 2008

Improved Administration of AzMan with DSACLS

I've recently been working with Microsoft Authorization Manager (AzMan) using ADAM for storage. I became frustrated when I noticed that, for administration, AzMan only supports two roles: Administrators and Readers. In our particular implementation, we have a development tier (for application development), a QA tier (for QA testing) and a production tier (for, wait for it, production applications). The idea is that the applications can be defined on each tier and different folks can have access to various application features on the different tiers. For example, developers would have access to all application functions when running in development mode but not when running in production mode.

My desire was to set the development AzMan store so that the developers could create and configure their applications in development and then have their software released to various tiers. Unfortunately, by making them administrators at the store level, they can delete any configured application and delete the store itself. By making them readers they cannot create or configure new applications. It seemed like it was all or nothing here.

Fortunately, I figured out the permission scheme in the underlying ADAM directory service and was able to modify it exactly how I wanted through the use of the DSACLS.EXE program.

The permission set I wanted for developers was read, write and create applications, but not delete applications or the authorization store itself. On our ADAM server, let's say there was an application partition called CN=AzManPartition that was to house our authorization store. Using ADAM ADSI Edit you can see that there is a CN=Roles,CN=AzManPartition container where the Administrators and Readers groups are defined. I created a new group here called CN=Developers to hold the developers. If you haven't used ADAM ADSI Edit before, it is done like this:

Right-click on CN=Roles,CN=AzManPartition and select New->Object
Choose Group and click Next
Enter the name (in this case Developers) for the cn attribute
For the groupType enter -2147483646 (0x80000002, which denotes a security-enabled global group)

To edit the membership of this group:

Right-click on CN=Developers,CN=Roles,CN=AzManPartition and select Properties
Find the "member" property and click Edit
Select "Add Windows Account" to add users or groups from Active Directory

One further thing: members of this Developers group will also need read access once we create the store, so add the Developers group as a member of the Readers group:

Right-click on CN=Readers,CN=Roles,CN=AzManPartition and select Properties
Find the "member" property and click Edit
Select "Add ADAM Account"
Enter CN=Developers,CN=Roles,CN=AzManPartition and click OK

Now we can create our AzMan store. Run the AzMan snap-in and ensure you're in developer mode:

Right-click on "Authorization Manager" and click Options
Select Developer mode and click OK.

To create the new store:

Right-click on "Authorization Manager" and click "New Authorization Store"
Select "Active Directory"
For the store name enter: msldap://servername:port/CN=AzMan,CN=AzManPartition

Finally, to grant the required rights to developers open the ADAM Tools Command Prompt. I needed to grant Developers the generic read, generic write and create children permissions (not full control as making them administrators would have done). I did this with DSACLS.EXE as follows:

C:\WINDOWS\ADAM>dsacls.exe \\servername:port\CN=AzMan,CN=AzManPartition /I:T /G CN=Developers,CN=Roles,CN=AzManPartition:GR
C:\WINDOWS\ADAM>dsacls.exe \\servername:port\CN=AzMan,CN=AzManPartition /I:T /G CN=Developers,CN=Roles,CN=AzManPartition:GW
C:\WINDOWS\ADAM>dsacls.exe \\servername:port\CN=AzMan,CN=AzManPartition /I:T /G CN=Developers,CN=Roles,CN=AzManPartition:CC

Now developers can create and configure applications in AzMan but if they try to delete anything (or modify permissions) they are denied access.
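The whole procedure above (create the group, nest it in Readers, grant GR/GW/CC on the store, then check what actually landed in the DACL) can be scripted instead of clicked through ADSI Edit and typed into the ADAM Tools prompt. The PowerShell below is an added example, not code from the original post; it assumes an ADAM instance reachable as adamhost:50000 and the same partition, store and group DNs used in the post, and it assumes CN=Developers does not exist yet. Adding Windows accounts to the group is left to ADSI Edit as described above; the script only does the ADAM-native nesting.

```powershell
# Added example (not from the original post): automate the Developers group
# setup and the GR+GW+CC grant on the AzMan store, then read the DACL back.
# Assumed: ADAM host "adamhost", port 50000 (replace with your own), DNs from the post.
Add-Type -AssemblyName System.DirectoryServices

$server    = "adamhost:50000"                    # assumed host:port
$partition = "CN=AzManPartition"
$rolesDn   = "CN=Roles,$partition"
$storeDn   = "CN=AzMan,$partition"
$devDn     = "CN=Developers,$rolesDn"
$readersDn = "CN=Readers,$rolesDn"

function Get-AdamEntry([string]$dn) {
    # Bind with the current Windows credentials (run as an ADAM administrator)
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$dn")
}

# 1. Create CN=Developers under CN=Roles as a security-enabled global group
$roles = Get-AdamEntry $rolesDn
$dev   = $roles.Children.Add("CN=Developers", "group")
$dev.Properties["groupType"].Value = -2147483646   # 0x80000002
$dev.CommitChanges()

# 2. Nest Developers inside Readers so its members can open the store
$readers = Get-AdamEntry $readersDn
$readers.Properties["member"].Add($devDn) | Out-Null
$readers.CommitChanges()

# 3. Grant Generic Read + Generic Write + Create Child on the store object and
#    everything beneath it; this is the same result as the three
#    "dsacls ... /I:T /G CN=Developers,...:GR|GW|CC" commands, in one DACL write.
$dev.RefreshCache(@("objectSid"))
$devSid = New-Object System.Security.Principal.SecurityIdentifier(
    [byte[]]$dev.Properties["objectSid"].Value, 0)
$rights = [System.DirectoryServices.ActiveDirectoryRights]"GenericRead, GenericWrite, CreateChild"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $devSid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$store = Get-AdamEntry $storeDn
$store.ObjectSecurity.AddAccessRule($rule)
$store.CommitChanges()

# 4. Verify: list every ACE on the store that applies to Developers and flag
#    any right that would let them delete objects or rewrite permissions.
$dangerous = [System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteTree, DeleteChild, WriteDacl, WriteOwner, GenericAll"
$store.RefreshCache()
$store.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $devSid } |
    ForEach-Object {
        $over = $_.ActiveDirectoryRights -band $dangerous
        $flag = if ($over) { "   <-- grants delete/ACL rights: $over" } else { "" }
        "{0,-6} {1,-12} {2}{3}" -f $_.AccessControlType, $_.InheritanceType, $_.ActiveDirectoryRights, $flag
    }
```

The same read-back is available from the command line: running dsacls.exe with just the object path (\\servername:port\CN=AzMan,CN=AzManPartition) and no switches prints the current DACL. Two things are worth checking after the grant. First, GW is granted with inheritance, so it applies to every application and scope object created later, which is the intent here but should be confirmed in the listing. Second, an object created by a developer is owned by that developer's account, and an owner implicitly holds WriteDacl on what it owns, so run the same listing against an application a developer has created before concluding that "no delete" holds everywhere.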

More information on the different permission sets you can grant with DSACLS.EXE is available here: http://support.microsoft.com/kb/281146
