Windows Role-Based Access Control: Longhorn Update
Dave McPherson, Program Manager, Windows Core Security
Agenda
  - Role-Based Access Control
  - Microsoft RBAC model
  - RBAC Futures
  - Authorization Manager (AzMan)
  - AzMan Longhorn Update
  - Demo
  - Development Model
  - Discussion
Role-Based Access Control
  - Limits of object-centric authorization
      Hard to manage/query
      Problems in distributed environments
  - RBAC: move the focus of management from resources to roles
      Permissions managed and queried at the role
      Roles are groups of people that need specific permissions to do specific jobs
      Often align with organizational job descriptions
      Application use cases
  - Roles vs. Groups
      A group is a collection of related people; applies to security, email groups, friends lists, …
      Roles grant specific permissions: groups with more features (Permissions, Scope, Separation of Power, …)
Role-Based Access Control
  - User assignment of access rights to specific resources needed to do a job
  - Operation: low-level permission in an application
  - Task (Permission): group of operations that make sense to administrators
  - Scope: collection of resources with common policy
  - Authorization Policy Store: place to store authorization policy
Role-Based Access Control (diagram: Users are assigned to a Role; the Role carries Permissions; Permissions apply to Resources)
RBAC Management
  - Storage in AD, XML, SQL*
  - Role: permissions needed to do a job
  - Task: work units that make sense to administrators
  - Operation: application action that the developer writes dedicated code for
  (Diagram, design to deployment through the Policy Store. Roles: Auditor, Approver, Submitter, Design Change Approver. Tasks: Approve Deny Payment Reject Report Submit Cancel Check Status. Operations: Web Operation, Database Operation, Payment System Operation, Directory Operation)
Role Definitions & Assignments, Scopes (Expense Application)
  - Role Definitions: Submitter, Approver, Auditor
  - Scope: App (Web Expense), Role Assignments:
      Submitter: Everyone
  - Scope: Dept 01, Role Assignments:
      Approver: QueryGroup_D1Mgrs
      Auditor: Jane, Lizzy
  - Scope: Dept 02, Role Assignments:
      Approver: ADGroup_D2Mgrs
      Auditor: Jane, Charlie
Organizational RBAC Today
  - MIIS Rules + Management Agents
  - Use AD Groups to populate application-level Roles
  (Diagram: an Employee Role (AD Group) populates an Employee role in each application: AzMan Web Expense Application, Supply Application, RM Application, ACL'ed Application, 3rd-party Application)
RBAC Beyond Longhorn
  - Access Control Authoring / Provisioning Services + Connectors
  - Integrates DRM, provides for queries and compliance audits
  (Diagram: authoring/provisioning services connected to the Web Expense Application, Supply Application, ACL'ed Application and 3rd-party Application)
Authorization Manager (An Application RBAC implementation)
Authorization Manager Product
  - Administration Interfaces
  - Runtime enforcement
  - Multi-Application UI
  - Platforms: Windows 2000, Windows XP, Windows Server 2003
  - Managed Code Interop assembly (included on WS03, available for XP and 2000)
AzMan v1 Goals and Features
  - Goals
      Simple authorization that integrates platform features
      RBAC model targeting applications
      Solution for line-of-business web applications
  - Features
      Simple RBAC model for applications
      Support for managed* or native applications
      BizRules (Authorization Rule): script to dynamically modify the access decision
      Application Groups: application-specific, late-bound, flexible
      Authorization Policy Store: place to store authorization policy (XML/AD/ADAM)
AzMan MMC
  - Common UI
  - Multiple Applications
  - Application Groups
      Store-level (global to the apps in the store)
      Assign store-level groups to application roles
New For Longhorn
  - SQL Storage Support
      Provide SQL storage mechanism
      Popular request of departmental apps
  - Common RBAC queries
      Improves RBAC management
      Improves performance
  - Expanded LDAP Query support
      Queries on any DN (not just users)
  - Expanded BizRule support
      Support group membership based on rules
      ADFS Claims, user attributes, etc.
New For Longhorn (continued)
  - UI object picker customization
      Add support for apps to provide an ADAM object picker
  - Enhanced / debugging logging
      More debugging API
      Improve V1 logging support: log more events, easier to use
Longhorn Improvements
  - Simplify developer experience
      Role-definition object
      Simplify BizRule usage
  - Performance improvements
      Optimized interfaces for managed applications
      Store creation
      Application initialization
Pending Longhorn Plans
  - AD Application partition support
      Support deployment into NDNCs
      Improved replication control
      Reduces deployment requirements
  - Improved delegation
      Delegate role assignment capabilities
Role-based Authorization
Demo: Web Expense application
  - Web browser client submits an expense
  - Server verifies access against the authorization policy held in a separate Authorization Policy Store
  - Web Expense Manager approves the expense
  - Action performed in server context on behalf of the client; audits generated at front and back end
Development Model
AzMan Application Model: Trusted Subsystem
  (Diagram: Client sends Request to the AzMan App and receives a Response; the app consults the Authorization Policy Store)
  - Server verifies access against authorization policy in a separate store
  - Action performed in server context on behalf of the client
  - Audits generated at front and back end
Development Model: Application Development
  - Implement operations
      Methods or functions
  - Design Tasks
      High-level application activities, with friendly names
  - BizRule scripts
      Keep them simple; callback interface. Example (VBScript):

    ' Default to deny, then grant only when the requested amount is small
    AzBizRuleContext.BusinessRuleResult = FALSE
    Amnt = AzBizRuleContext.GetParameter("Amnt")
    If Amnt < 100 Then AzBizRuleContext.BusinessRuleResult = TRUE
Development Model: Install
  - Declare the policy definition via script
      Operations, Tasks (with BizRules), Roles

    ' AzManStore is an AzAuthorizationStore already initialized against the policy store
    Set App = AzManStore.CreateApplication("Expense")
    App.Submit
    ' Operations need a unique OperationID and must be submitted to persist
    Set Op = App.CreateOperation("retrieveForm")
    Op.OperationID = 1 : Op.Submit
    Set Op = App.CreateOperation("queueRequest")
    Op.OperationID = 2 : Op.Submit
    ' Task: the operations grouped into a unit that administrators assign to roles
    Set Task = App.CreateTask("Submit Expense")
    Task.AddOperation CStr("retrieveForm")
    Task.AddOperation CStr("queueRequest")
    Task.Submit
Development Model: Runtime

    '------- at application boot --
    Set AzStore = CreateObject("AzRoles.AzAuthorizationStore")
    AzStore.Initialize 0, "msldap://CN=MyStore,DC=…"
    Set App = AzStore.OpenApplication("Expense")
    '------- at client connect --
    ' ...FromToken, ...FromName or ...FromStringSid, depending on how the client authenticated
    Set Context = App.InitializeClientContextFrom
    '------- on request --
    ' First argument names the object in the audit; result is one status per operation (0 = granted)
    Results = Context.AccessCheck("audit", Scope, Operations, Names, Values)
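The role-to-task-to-operation evaluation that the install and runtime steps rely on, as an added Python model constructed for this page (it is not the AzMan API; Windows group expansion and the access token are replaced by plain user names, and group members such as d1mgr are sample values): it declares the deck's Web Expense policy and runs the access check with the Submit Expense BizRule applied to the Amnt parameter.

```python
# Constructed model of the AzMan-style check this deck describes; not the AzMan
# COM API. Roles grant tasks, tasks group operations, application-level role
# assignments apply in every scope (each scope adds its own), and a task's
# BizRule can decline that task based on the request's parameter Names/Values.
from dataclasses import dataclass, field

EVERYONE = "Everyone"  # stands in for the built-in Everyone principal

@dataclass
class Task:
    operations: frozenset
    bizrule: object = None  # callback over the AccessCheck parameters; None = no rule

@dataclass
class Application:
    tasks: dict = field(default_factory=dict)        # task name -> Task
    roles: dict = field(default_factory=dict)        # role -> set of task names
    assignments: dict = field(default_factory=dict)  # scope -> role -> members; "" = app level

    def roles_of(self, user, scope):
        found = set()
        for level in ("", scope):  # app-level assignments first, then the scope's own
            for role, members in self.assignments.get(level, {}).items():
                if EVERYONE in members or user in members:
                    found.add(role)
        return found

    def access_check(self, user, scope, operation, params=None):
        params = params or {}
        for role in self.roles_of(user, scope):
            for task_name in self.roles.get(role, ()):
                task = self.tasks[task_name]
                if operation not in task.operations:
                    continue
                # a failing BizRule declines only this task; another task may still grant
                if task.bizrule is None or task.bizrule(params):
                    return True
        return False  # no role granted the operation: access denied

def web_expense_policy():
    """The deck's Web Expense policy; group members are constructed sample users."""
    app = Application()
    app.tasks["Submit Expense"] = Task({"retrieveForm", "queueRequest"},
                                       bizrule=lambda p: p.get("Amnt", 0) < 100)
    app.tasks["Approve Expense"] = Task({"approve", "deny"})
    app.tasks["Audit Expense"] = Task({"report", "checkStatus"})
    app.roles = {"Submitter": {"Submit Expense"}, "Approver": {"Approve Expense"},
                 "Auditor": {"Audit Expense"}}
    app.assignments[""] = {"Submitter": {EVERYONE}}
    app.assignments["Dept 01"] = {"Approver": {"d1mgr"}, "Auditor": {"Jane", "Lizzy"}}
    app.assignments["Dept 02"] = {"Approver": {"d2mgr"}, "Auditor": {"Jane", "Charlie"}}
    return app
```

Because the Submitter assignment sits at the application level, anyone can submit in either department, while Approver and Auditor rights stop at the department scope that assigned them.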
Authorization Manager Key Benefits
Administrator Benefit
  - Common application RBAC model
      Simpler authorization policy
      Better query support
      Role-based user provisioning: organizational roles > app roles
      Delegation (AD store)
  - Common Administration
  - Easy
      Hides the complexity of operations
      Defining roles and tasks is rare
      Maintaining roles and groups is simple
Developer Benefits
  - Simple and natural role-based development
      Integrates managed or native apps
  - Advanced RBAC features
      BizRules
      Application Groups
  - Platform integration
      Support for AD attributes and groups
      NT access token
  - Platform services do the hard work
      Policy storage, common UI
      Built-in caching, late-binding support
      Windows Auditing integration
Leverage the system: don't write your own access control
  - Cost: each authorization model is expensive to design, develop, test, maintain and support
  - Training: each authorization model must be learned by administrators and PSS
  - Security: features like auditing, delegation of administration and accurate group expansion are important to access control
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.