Roles
Roles serve two different purposes in Authorization Manager. A role is a set of tasks or operations to which a category of users requires access, and it is also a set of users and groups that fit into that category.
An authorization policy assigns IAzTask objects to an IAzRole object to create sets of tasks. All users and groups assigned to that IAzRole object then have permission to access all operations contained by those IAzTask objects.
Because an IAzRole object represents both a set of tasks and a set of users and groups that have access to those tasks, Authorization Manager provides a way to create role definitions that can be assigned to more than one IAzRole object. An IAzTask object can contain other IAzTask objects. You can then use that IAzTask object as a role definition by assigning it to one or more IAzRole objects. Set the IsRoleDefinition property of the IAzTask object to TRUE to cause the Authorization Manager MMC snap-in user interface to display the IAzTask object as a role.
Assign users and groups to an IAzRole object to grant those users and groups access to the tasks assigned to that IAzRole object by calling the AddMember or AddMemberName method. Assign existing application groups, represented by IAzApplicationGroup objects, to an IAzRole object by calling the AddAppMember method. All users and groups assigned to the IAzRole object have access to the tasks and operations assigned to that role. For more information about application groups, see Users and Groups.