The object-based authorization framework maintains access rights in DACLs on the objects. In the role-based model, however, security information is maintained in a separate location from objects, in a policy store.
In Windows, Authorization Manager allows authorization policy to be stored in Active Directory, in files in .xml format, or on a SQL server. Because administrators on the system that contains the authorization policy store have a high degree of access to the store, the authorization policy store is located on a trusted system.
When using the Active Directory store, Authorization Manager creates Active Directory objects for the store itself and child objects for each application group, application, operation, task, role, and scope. The scope object can contain tasks, roles, and groups created in that scope.
Authorization Manager also allows the authorization policy to be stored in .xml format in a file on an NTFS file system, where it is protected by an ACL. The XML store can be kept on the same computer as an Authorization Manager server or it can be stored remotely.
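
One way to check the ACL that protects an XML policy store, as an added example that is not part of the original documentation. The store path, the list of trusted principals, and the function name `Get-XmlStoreWriteExposure` are assumptions to replace with your own values.

```powershell
# Added example: list every principal that can change an XML policy store file
# or its ACL, and flag those outside an expected set.
# $StorePath and $TrustedWriters are hypothetical values, not defaults of any product.
$StorePath      = 'C:\PolicyStores\app-policy.xml'
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-XmlStoreWriteExposure {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Trusted
    )

    # Rights that allow altering the policy content, deleting the file,
    # or rewriting its ACL/owner. Modify and FullControl include these bits.
    $specific = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    # Generic bits can appear unmapped in some ACEs: GENERIC_WRITE and GENERIC_ALL.
    $mask = [int]$specific -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path

    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited          # inherited ACEs come from the parent folder
            Trusted   = $Trusted -contains $id    # case-insensitive match
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner                 # the owner can always rewrite the ACL
        OwnerTrusted = $Trusted -contains $acl.Owner
        Writers      = @($writers)
    }
}

$report = Get-XmlStoreWriteExposure -Path $StorePath -Trusted $TrustedWriters
$report.Writers | Sort-Object Trusted | Format-Table -AutoSize
if (-not $report.OwnerTrusted -or ($report.Writers | Where-Object { -not $_.Trusted })) {
    Write-Warning "Unexpected principals can modify $($report.Path) (owner: $($report.Owner))"
}
```

For a store kept on a remote computer, pass the UNC path; the result covers the NTFS ACL only, so share permissions on that path need a separate check.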