Wednesday, April 16, 2008

Authorization Store

What is an Authorization Store?
This week I had to configure the Authorization Store for the RDM software. I must admit that this was a first for me. I didn't even know what an Authorization Store was before I did this. I soon found out that an authorization store is used to provide the authorization part of security. What I mean is that when you log into the software you have already passed the authentication part: the system knows who you are. Now comes the authorization part, where the system needs to know what kind of access is associated with your account. That is where the Authorization Store comes in. The software has functions that do certain things, like creating distribution lists, writing log files, and requesting file transfers. Each function has an access list associated with it, and the software looks in the Authorization Store to see who is allowed to perform that function.

Configuring an Authorization Store -
To configure an Authorization Store you must open Authorization Manager (AzMan), either by adding it as a snap-in in MMC or via Start>Run>AzMan.msc. Once open, click Action>New Authorization Store. You can use AD (the domain must be at the Windows Server 2003 functional level) or an XML file. We chose to use AD. Add "CN=StoreName," to the left of the LDAP string so the store gets its own container. Next, right-click on the store name and choose "New Application", then name the application.

Next you will want to start by creating some Operation Definitions. Drill down to Definitions>Operation Definitions. Here you add one definition for each function the software checks, keyed by the operation number the software uses. We got this list from our application developers. Once all the Operation Definitions are complete, start adding Task Definitions. A Task Definition is linked to a series of Operation Definitions. Again, we got this list from our application developers.

After that come Role Definitions. Create a new Role Definition and name it, for example, Administrators. Then add Task and/or Operation Definitions to it. For Administrators we added all the tasks, which is everything. For Power Users add the Operations or Tasks that you see fit. For Common Users just add the Read and Execute Operations that you created, and so on.

Further on, we created Scopes to represent the Global and Country people. Global people will have access on every machine, while Country users will have access to their specific country based on a country code in the AD user account. So after creating the Global scope we create 2 role definitions called Global Admins and Global Users. In the Global Admins definition we add the Administrators role that we created above, and for Global Users we add the Common Users role, and so on. Then do the same with the Country scope, but with Country Admins and Country Users as the role definitions.

Did I confuse you yet? Good. Let's do a recap. In the Auth Store we have applications, in applications we have Scopes, and inside scopes are definitions (Roles, Tasks, and Operations) and Role Assignments. At the root of the application, outside any scope, lie the 3 Role Definitions we created (Admin, Power User, Common User), a few Task Definitions, and a whole bunch of Operation Definitions. Then we added 2 more scopes (Global and Country), each with their own 2 Role Definitions (ex. Global Admins and Global Users) that are linked to Admins and Common Users in the root Role Definitions.

Good?? Now let's finish up. Next we want to assign roles. On the "Role Assignments" folder, right-click and choose "Assign Roles", then pick the Role Definition you just created (ex. Global Admins). After that we want to assign Windows users and groups. Right-click on the role under Role Assignments and choose "Assign Windows Users and Groups", pick the AD group you are using for this (ex. US-RDM Global Admins), and then you are done. Recap again: each scope has 2 Role Assignments (ex. Global Admins and Global Users) that have Active Directory groups assigned to them called "US-RDM Global Admins" and "US-RDM Global Users". In these AD groups we put the user accounts that fit these roles. Because the store only ever grants access (there is no deny entry; anything not reachable through a Role Assignment is simply refused), membership of those AD groups is now the one thing that decides who can do what in the software, so they deserve the same change control as any other privileged group.

To conclude, the hierarchical structure from the user to the software goes something like this:
AD Users > AD Groups > Scope Role Assignments > Scope Role Definitions > Root Role Definitions > Assigned Root Task Definitions > Assigned Root Operation Definitions > the operation number checked by the function inside the software.
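Putting the whole procedure together, here is the same store layout built from PowerShell with the AzRoles COM object that AzMan.msc drives underneath, followed by the access check the software performs at runtime. This is an added example, not code from the original post or from the RDM software. The XML store location, the application name "RDM", the operation numbers, the domain CONTOSO and the "US-RDM ..." group names are all assumptions; the AddMemberName calls only succeed where those groups actually resolve, and an AD-backed store would use a URL of the form "msldap://CN=RDM,CN=Program Data,DC=example,DC=com" instead of the msxml one.

```powershell
# Added example, not code from the original post or from the RDM software.
# Builds the store/application/definitions/scopes/assignments layout described above
# and then runs the access check the software would perform for the calling user.
# Assumptions: XML store under $env:TEMP, application "RDM", operation numbers 1-3,
# domain CONTOSO and the "US-RDM <scope> <role>" groups from the post.
$ErrorActionPreference = "Stop"
$AZ_AZSTORE_FLAG_CREATE = 1
$groupDomain = "CONTOSO"                                  # assumed domain
$storePath = Join-Path $env:TEMP "RDM.xml"
Remove-Item $storePath -ErrorAction SilentlyContinue      # CREATE fails if the store already exists

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, "msxml://$storePath", $null)
$store.Submit(0, $null)

$app = $store.CreateApplication("RDM", $null)
$app.Submit(0, $null)

# Operation Definitions: one per numbered function the software checks (numbers assumed).
$ops = [ordered]@{ Read = 1; Execute = 2; CreateDistributionList = 3 }
foreach ($name in $ops.Keys) {
    $op = $app.CreateOperation($name, $null)
    $op.OperationID = $ops[$name]
    $op.Submit(0, $null)
}

# Task Definition: a named bundle of operations.
$task = $app.CreateTask("ManageLists", $null)
$task.AddOperation("Read", $null)
$task.AddOperation("CreateDistributionList", $null)
$task.Submit(0, $null)

# Root Role Definitions are tasks with IsRoleDefinition set.
$admins = $app.CreateTask("Administrators", $null)
$admins.IsRoleDefinition = $true
$admins.AddTask("ManageLists", $null)
$admins.AddOperation("Execute", $null)
$admins.Submit(0, $null)

$common = $app.CreateTask("Common Users", $null)
$common.IsRoleDefinition = $true
$common.AddOperation("Read", $null)
$common.AddOperation("Execute", $null)
$common.Submit(0, $null)

# Scopes: each gets its own Role Definitions linked to the root ones, plus Role
# Assignments that bind those definitions to AD groups rather than to single users.
foreach ($scopeName in "Global", "Country") {
    $scope = $app.CreateScope($scopeName, $null)
    $scope.Submit(0, $null)

    foreach ($pair in @(@("Admins", "Administrators"), @("Users", "Common Users"))) {
        $roleName = "$scopeName $($pair[0])"                 # e.g. "Global Admins"
        $def = $scope.CreateTask($roleName, $null)
        $def.IsRoleDefinition = $true
        $def.AddTask($pair[1], $null)                       # link to the root Role Definition
        $def.Submit(0, $null)

        $assignment = $scope.CreateRole($roleName, $null)   # "Assign Roles"
        $assignment.AddTask($roleName, $null)
        $assignment.AddMemberName("$groupDomain\US-RDM $roleName", $null)  # "Assign Windows Users and Groups"
        $assignment.Submit(0, $null)
    }
}

# Runtime check: the software builds a client context for the caller and asks which
# operation numbers are allowed in a scope. Each entry of the result array is a Win32
# code: 0 = granted, 5 = ERROR_ACCESS_DENIED. Anything not reachable through a Role
# Assignment comes back denied; there is no allow-by-default.
$ctx = $app.InitializeClientContextFromName($env:USERNAME, $env:USERDOMAIN, $null)
$wanted  = @("Read", "CreateDistributionList")
$results = $ctx.AccessCheck("distribution-list", @("Global"), [object[]]@(1, 3),
                            $null, $null, $null, $null, $null)
for ($i = 0; $i -lt $wanted.Count; $i++) {
    $verdict = if ($results[$i] -eq 0) { "granted" } else { "denied (Win32 error $($results[$i]))" }
    "{0,-24} {1}" -f $wanted[$i], $verdict
}
```

Run it in an elevated PowerShell on a machine that has the Authorization Manager component installed. The access check at the end is the part worth studying: AccessCheck returns normally even when the caller has no rights, and the verdict lives in the per-operation result array, so the calling software must inspect every entry rather than treating a successful call as a grant.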

1 comment:

Anonymous said...

Wednesday at 9:15 in the morning? I don't think WacArnold's would appreciate you blogging during work hours on the company dime.