AppFabric Security Simplified

The goal of this post is to simplify the overall concepts of AppFabric security so you can understand how to use it in a straightforward manner.  The security model used for AppFabric integrates many different Microsoft technologies and security implementations.  Windows, IIS, SQL Server, .NET, and AppFabric all come into play when viewing the security model.  Security manifests itself in many forms throughout AppFabric.  Some of these include:

  • Database access permissions
  • Secure WCF service endpoints
  • Event Collection service (ECS) and Workflow Management service (WMS) identities
  • Hosting process identity
  • Windows security groups
  • Database accounts and roles

When you design a security model to support your .NET Framework-based services hosted in AppFabric, the combination of these concepts may appear somewhat daunting, considering all the possible security alternatives. The good news is that AppFabric does most of the mapping and coordination for you. As long as you understand Windows security, IIS security, and database roles individually, you will be able to configure security easily and trust AppFabric to make it work for you.

Security applies in AppFabric when administrators use its management tools to manually execute control operations. It also comes into play through the identity (NT AUTHORITY\LOCAL SERVICE) of one of the system processes (ECS and WMS), or of a .NET Framework-based service application, during operations that access the monitoring and persistence databases.

The best approach when designing your application security model for AppFabric is to keep it simple:

  • Preserve your existing way of securing your application using IIS, Windows, .NET, and SQL Server.
  • Use AppFabric security mappings as they are intended and ensure the correct identities are used.

For example, whatever native mechanism you use to secure your WCF endpoints (say by using certificates) or .NET Framework-based services (transport or message security), use it with AppFabric. The persistence and monitoring data stores need to be secure, so leverage database roles and good secure database design principles that you have used successfully in the past.  Populate Windows security groups just as you would for access to any resource. Secure IIS sites and resources by using the same methods and permissions you regularly use. In short, when working with AppFabric, preserve your approach to security for the individual technologies.

The simplicity of the AppFabric security model can be understood by the mappings it provides: 

  • AS_Administrators should be populated with the users that will be performing administrative tasks. The identities of the ECS and WMS should be members of this group.
  • AS_Observers should be populated with the users that will have read-only access to the monitoring and persistence data.

When configuring the databases, use these groups to ensure the correct mapping happens between Windows security groups and database roles.

AppFabric uses SQL Server database roles to control access to its monitoring and persistence data stores. When you initialize a new AppFabric monitoring or persistence data store, several user-defined database security roles are created during installation. Membership of a login account within a SQL Server role dictates how much control over administrative activities and database operations that login account has. A login account can be a member of more than one database role.

AppFabric Roles – These roles have different levels of permission in the database, based on what they need to do.

  • Applications – .NET Framework-based service code. This role maps to the IIS_IUSRS Windows security group. It uses the persistence database for workflow management under the Persistence Users SQL Server role.
  • Administrators – People who install, manage, and administer AppFabric functions.
      o Administrator Observers – Low permission level. They do not change configuration files or stop applications; they only need to read from the persistence and monitoring databases. This role maps to the AS_Observers Windows security group, which is created when AppFabric is installed. It maps to the Persistence Readers and Monitoring Readers SQL Server roles.
      o Administrator Controllers – High permission level for observing and controlling the state of workflows or applications and for management tasks. They need full access to the persistence and monitoring databases. This role maps to the AS_ADMIN Windows security group, and to the Persistence Administration, Monitoring Writers, and Monitoring Administrators SQL Server roles.
      o System Services (ECS and WMS) – Same permissions as Administrator Controllers, since they do similar things. ECS ensures that all tracking and monitoring information gets written to the database, just like the Administrator Controllers. This role maps to the AS_ADMIN Windows security group, and to the Persistence Administration, Monitoring Writers, and Monitoring Administrators SQL Server roles.
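The mapping listed above can be checked for drift. The following is an added example, not code from the original post or from AppFabric: it compares exported database role memberships with the mapping described here and reports excess, missing, and unmapped grants. It assumes that the role names are the post's descriptive names rather than literal SQL Server role identifiers, that AS_ADMIN refers to the same group as AS_Administrators, and that the sample rows (machine, domain, and user names included) are constructed.

```python
# Added example: audit role membership against the mapping described in this post.
# Role names are the post's descriptive names, not literal SQL Server identifiers.
EXPECTED = {
    "IIS_IUSRS": {"Persistence Users"},
    "AS_Observers": {"Persistence Readers", "Monitoring Readers"},
    # Assumption: AS_ADMIN in the role list is the AS_Administrators group.
    "AS_Administrators": {"Persistence Administration", "Monitoring Writers",
                          "Monitoring Administrators"},
}
APPFABRIC_ROLES = set().union(*EXPECTED.values())

# Constructed sample: (database role, member) rows as an administrator might
# export them from the monitoring and persistence databases.
SAMPLE_ROWS = [
    ("Persistence Users", r"BUILTIN\IIS_IUSRS"),
    ("Persistence Readers", r"SERVER01\AS_Observers"),
    ("Monitoring Readers", r"SERVER01\AS_Observers"),
    ("Monitoring Writers", r"SERVER01\AS_Observers"),   # drift: observers can write
    ("Persistence Administration", r"SERVER01\AS_Administrators"),
    ("Monitoring Administrators", r"SERVER01\AS_Administrators"),
    ("Monitoring Administrators", r"CONTOSO\jsmith"),    # drift: direct user grant
]

def short_name(principal):
    """Strip the DOMAIN\\ or MACHINE\\ prefix from a Windows principal name."""
    return principal.rsplit("\\", 1)[-1]

def audit(rows):
    """Return sorted (kind, principal, role) findings that deviate from EXPECTED."""
    observed = {}
    for role, member in rows:
        if role in APPFABRIC_ROLES:
            observed.setdefault(short_name(member), set()).add(role)
    findings = []
    for principal, roles in observed.items():
        expected = EXPECTED.get(principal)
        if expected is None:
            # A principal outside the three mapped groups holds an AppFabric role.
            findings += [("unmapped-principal", principal, r) for r in roles]
        else:
            findings += [("excess-role", principal, r) for r in roles - expected]
    for group, expected in EXPECTED.items():
        missing = expected - observed.get(group, set())
        findings += [("missing-role", group, r) for r in missing]
    return sorted(findings)

if __name__ == "__main__":
    for kind, principal, role in audit(SAMPLE_ROWS):
        print(f"{kind:20} {principal:20} {role}")
```

An excess-role finding for AS_Observers is the one to act on first, because it means read-only observers have gained write or administrative rights on the data stores.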

 Here is a diagram to help you understand how the logical AppFabric roles map to Windows security groups, and then to roles in the SQL Server database.