Partager via


Understanding Authorization Rules and Business Rules

Applies To: Windows Server 2008

Important

Authorization Manager is available for use in the following versions of Windows: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, and Windows 8. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

Authorization rules are scripts written in VBScript or JScript that you can include in role definitions and task definitions. An authorization rule determines whether the role or task is allowed.

By using authorization rules, you can base authorization decisions on any condition that a script can test. These may include privileges and permissions, time of day, billable expense limits, account balances, or other criteria.

Authorization Manager is not designed for writing or debugging authorization rules. You can write your scripts in a text editor (for example, Notepad), in an integrated development environment like Visual Studio .NET, or in another application of your choice. Authorization rules are usually written by professional developers.

More information about creating authorization rules and using the Authorization Manager application programming interfaces (APIs) is available on the Microsoft Web site. See Windows Platform Software Development Kit (SDK) for the Authorization Manager Model (https://go.microsoft.com/fwlink/?linkid=64027). For additional suggested links, see Resources for Authorization Manager.

Controlling the use of business rules and authorization rules

Controlling use on each client

Beginning with this version of Windows, the use of business rules and authorization rules can be controlled by a registry setting. Rules are disabled by default. Previous versions of Windows did not support this functionality.

Generally, you will use a setup program or a script run by the operating system to enable authorization rules and business rules if they are in use in your environment.

Important

This setting is controlled individually for each Authorization Manager application on each client.

The following is a sample script that enables or disables business rules and application rules for an application:

'

' Enabling or disabling BizRules`` for an application

' This script uses Authorization Manager Administrative interfaces to enable or disable

' BizRules for a specified AzMan application in a specified AzMan policy store

On Error Resume Next

Set objArgs = WScript.Arguments

If objArgs.count <> 3 then

wscript.echo "Usage: SetBizRule ""AzManStoreURL"" ""AzApplicaitonName"" True/False"

wscript.echo "Example: SetBizRule ""msxml://d:\inetpub\wwwroot\AzStore.xml"" ""MyApp"" True"

wscript.echo "Run with 'cscript' command in cmd.exe to avoid msg boxes"

Else

' VBScript source code

Dim AzStoreObj

Dim AzManStoreURL : AzManStoreURL = objArgs(0)

Dim AzManAppName : AzManAppName = objArgs(1)

Dim BizRulesEnabled : BizRulesEnabled = objArgs(2)

' create azman object

Set AzStoreObj = CreateObject("AzRoles.AzAuthorizationStore")

If Err.Number > 0 Then

WScript.Echo "Can not create AzRoles.AzAuthorizationStore. Check AzMan installation"

WScript.Quit

End If

' initialize store for Administration

' assumes store exists - if store is being created (e.g. an installing applicaion)

' use the value 3 instead of 2 in the call to IAzAuthorizationStore::initialize

Err.Clear

AzStoreObj.Initialize 2, AzManStoreURL

If Err.Number <> 0 Then

WScript.Echo "AzRoles.AzAuthorizationStore failed to initialize. Check store URL"

WScript.Quit

End If

' open applicaion

set AzApp = AzStoreObj.OpenApplication(AzManAppName)

If Err.Number <> 0 Then

WScript.Echo "AzRoles.AzAuthorizationStore failed to open application: " + AzManAppName + ". Check application Name."

WScript.Quit

End If

' set BizRulesEnabled property

WSCript.Echo "App BizRule Before:" & AzApp.BizRulesEnabled

AzApp.BizRulesEnabled = BizRulesEnabled

WSCript.Echo "App BizRule After:" & AzApp.BizRulesEnabled

If Err.Number = 0 Then

WScript.Echo "BizRulesEnabled is updated successfully."

Else

WScript.Echo "BizRulesEnabled is NOT updated successfully."

End If

End if

Controlling use for the entire authorization store

By configuring the Authorization rule limits on the Limits tab of the authorization store properties sheet, you can:

  • disable authorization rules and business rules for the store, or

  • set a timeout value to limit the maximum length of time to allow a script to run

  • allow scripts to run with no timeout

For more information, see Understanding Authorization Manager Store Limits.

VBScript example

The following is a VBScript authorization rule that always grants permission:   

AzBizRuleContext.BusinessRuleResult = True

For more information about VBScript, see VBScript on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=65964).   

JScript example

The following is a JScript authorization rule that always grants permission:   

AzBizRuleContext.BusinessRuleResult = true;

For more information about JScript, see JScript on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=65963).