Application Security, Part 26
Once one has created an authorization store, one can proceed to use the Management Console snap-in to populate that store for that application. There are four steps to complete.
One begins by defining operations. Those are atomic actions that a user can perform within the application, such as selecting a menu option or clicking on a button.
The next step is to associate the operations with tasks. Tasks represent objectives that a user may wish to accomplish using the application. So, whereas an operation is what a user might do, a task is why the user might do it, and a single task may involve various operations. An example of a task that a user might wish to complete using Microsoft Outlook is that of sending an e-mail. That task involves more than just the single operation of clicking on the Send button. It might also involve the operations of creating a new mail message, selecting addressees, specifying the subject, and composing the text.
After defining operations and associating those with the tasks that they facilitate, the next step is to define roles. Roles are the functions that the users of an application serve within their organization. A user’s role determines what he or she needs to accomplish using the application, so for each role we define, we specify the tasks associated with it.
There is one last step to take in populating an authorization store, which is to associate users with the roles. Once that has been accomplished, then, given a user, one can identify the one or more roles that person occupies, the tasks he or she may perform, and, consequently, the operations that he or she may perform.
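The four steps and the resulting lookup from user to roles, tasks, and operations can be seen in a small in-memory model. This is an added example, not the snap-in or any Microsoft API; the class, the operation and role names, and the users alice and bob are constructed for illustration, following the Outlook e-mail task described above.

```python
from dataclasses import dataclass, field

@dataclass
class AuthorizationStore:
    operations: set = field(default_factory=set)
    tasks: dict = field(default_factory=dict)    # task -> operations
    roles: dict = field(default_factory=dict)    # role -> tasks
    members: dict = field(default_factory=dict)  # user -> roles

    def define_operation(self, op):              # step 1
        self.operations.add(op)

    def define_task(self, task, ops):            # step 2
        self._require(ops, self.operations, "operation")
        self.tasks[task] = set(ops)

    def define_role(self, role, tasks):          # step 3
        self._require(tasks, self.tasks, "task")
        self.roles[role] = set(tasks)

    def assign(self, user, role):                # step 4
        self._require([role], self.roles, "role")
        self.members.setdefault(user, set()).add(role)

    @staticmethod
    def _require(names, defined, kind):
        missing = set(names) - set(defined)      # reject dangling references
        if missing:
            raise ValueError(f"undefined {kind}(s): {sorted(missing)}")

    def tasks_of(self, user):
        return {t for r in self.members.get(user, ()) for t in self.roles[r]}
    def operations_of(self, user):
        return {o for t in self.tasks_of(user) for o in self.tasks[t]}
    def access_check(self, user, op):
        return op in self.operations_of(user)    # unknown user or op: denied

def build_sample_store():
    """Constructed sample data: the e-mail task from the text plus a read task."""
    s = AuthorizationStore()
    send_ops = ["CreateMessage", "SelectAddressees", "SpecifySubject",
                "ComposeText", "ClickSend"]
    for op in send_ops + ["OpenMessage"]:
        s.define_operation(op)
    s.define_task("SendEmail", send_ops)
    s.define_task("ReadEmail", ["OpenMessage"])
    s.define_role("Correspondent", ["SendEmail", "ReadEmail"])
    s.define_role("Auditor", ["ReadEmail"])
    s.assign("alice", "Correspondent")
    s.assign("bob", "Auditor")
    return s
```

Because permissions flow only through roles, a user with no role assignment resolves to an empty operation set, and a task that names an operation never defined in step 1 is rejected when it is created rather than silently granting nothing.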