Windows Role-Based Access Control Longhorn Update


1 Windows Role-Based Access Control Longhorn Update
Dave McPherson, Program Manager, Windows Core Security

2 Agenda
- Role-Based Access Control
- Microsoft RBAC model
- RBAC Futures
- Authorization Manager (AzMan)
- AzMan Longhorn Update
- Demo
- Development Model
- Discussion

3 Role-Based Access Control
- Limits of object-centric authorization
  - Hard to manage and query
  - Problems in distributed environments
- RBAC moves the focus of management from resources to roles
  - Permissions are managed and queried at the role
  - Roles are groups of people that need specific permissions to do specific jobs
  - Often align with organizational job descriptions
  - Application use cases
- Roles vs. Groups
  - A group is a collection of related people; the same idea applies to security groups, friends lists, …
  - Roles grant specific permissions: groups with more features (permissions, scope, separation of power, …)

4 Role-Based Access Control
- Role: user assignment of access rights to the specific resources needed to do a job
- Operation: low-level permission in an application
- Task (Permission): group of operations that makes sense to administrators
- Scope: collection of resources with a common policy
- Authorization Policy Store: place to store authorization policy

5 Role-Based Access Control
(Diagram: Users are assigned Roles; Roles carry Permissions on Resources.)

6 RBAC Management
- Storage in AD, XML, SQL*
- Role: permissions needed to do a job
- Task: work units that make sense to administrators
- Operation: application action that the developer writes dedicated code for
(Diagram: Policy Store with Design and Deployment layers. Roles: Auditor, Approver, Submitter, Design Change Approver. Tasks: Approve, Deny Payment, Reject, Report, Submit, Cancel, Check Status. Operations: Web Operation, Database Operation, Payment System Operation, Directory Operation.)

7 Role Definitions & Assignments, Scopes
- Expense Application role definitions: Submitter, Approver, Auditor
- Scope: App (Web Expense) role assignments
  - Submitter: Everyone
- Scope: Dept 01 role assignments
  - Approver: QueryGroup_D1Mgrs
  - Auditor: Jane, Lizzy
- Scope: Dept 02 role assignments
  - Approver: ADGroup_D2Mgrs
  - Auditor: Jane, Charlie

8 Organizational RBAC Today
- MIIS rules + management agents
- Use AD groups to populate application-level roles
(Diagram: an Employee role (AD group) feeding an Employee role in each application: AzMan Web Expense Application, Supply Application, RM Application, ACL'ed Application, 3rd-party Application.)

9 Authoring / Provisioning
- RBAC beyond Longhorn: integrates DRM, provides for queries and compliance audits
(Diagram: Access Control Authoring / Provisioning Services + Connectors feeding the Web Expense Application, Supply Application, ACL'ed Application and 3rd-party Application.)

10 Authorization Manager (An Application RBAC implementation)

11 Authorization Manager
- Product
  - Administration interfaces
  - Runtime enforcement
  - Multi-application UI
- Platforms: Windows 2000, Windows XP, Windows Server 2003
- Managed code: interop assembly (included on Windows Server 2003, available for XP and 2000)

12 AzMan v1 Goals and Features
- Simple authorization that integrates platform features
  - RBAC model targeting applications
  - Solution for line-of-business web applications
- Features
  - Simple RBAC model for applications
  - Support for managed* or native applications
  - BizRules (authorization rules): script that dynamically modifies the access decision
  - Application groups: application-specific, late-bound, flexible
  - Authorization policy store: place to store authorization policy (XML/AD/ADAM)

13 AzMan MMC
- Common UI
- Multiple applications
- Application groups
  - Store-level (global to apps in the store)
  - Assign store-level groups to application roles

14 New For Longhorn
- SQL storage support
  - Provide a SQL storage mechanism
  - Popular request of departmental apps
- Common RBAC queries
  - Improves RBAC management
  - Improves performance
- Expanded LDAP query support: queries on any DN (not just users)
- Expanded BizRule support: group membership based on rules (ADFS claims, user attributes, etc.)

15 New For Longhorn
- UI object picker customization: add support for apps to provide an ADAM object picker
- Enhanced / debugging logging
  - More debugging API
  - Improve V1 logging support: log more events, easier to use

16 Longhorn Improvements
- Simplify developer experience
  - Role-definition object
  - Simplify BizRule usage
- Performance improvements
  - Optimized interfaces for managed applications
  - Store creation
  - Application initialization

17 Pending Longhorn Plans
- AD application partition support
  - Support deployment into NDNCs (non-domain naming contexts)
  - Improved replication control
  - Reduces deployment requirements
- Improved delegation: delegate role assignment capabilities

18 Role-based Authorization

19 Demo Web Expense application
(Diagram: a web browser client submits an expense; the Web Expense server verifies access against the authorization policy held in a separate Authorization Policy Store; a manager approves the expense.)
- Action performed in server context on behalf of the client
- Audits generated at front and back end

20 Development Model

21 AzMan Application Model Trusted Subsystem
(Diagram: Client sends a Request to the AzMan App, which checks the authorization policy in a separate Authorization Policy Store and returns the Response.)
- Server verifies access against authorization policy in a separate store
- Action performed in server context on behalf of the client
- Audits generated at front and back end

22 Development Model Application Development
- Implement operations: methods or functions
- Design tasks: high-level application activities with friendly names
- BizRule scripts: keep them simple; callback interface. Example (VBScript):

    ' Deny by default; grant only when the request's Amnt parameter is under 100
    AzBizRuleContext.BusinessRuleResult = FALSE
    Amnt = AzBizRuleContext.GetParameter("Amnt")
    If Amnt < 100 Then AzBizRuleContext.BusinessRuleResult = TRUE
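The decision model on slides 6, 7, 21 and 22 (operations grouped into tasks, tasks into roles, role assignments at application level or inside one scope, a BizRule that can veto a task per request, and an audit record for every decision) carried through as a runnable sketch. This is an added example, not AzMan's own code and not from the deck; the operation names, the Check Status task, the handling of a missing Amnt parameter and the user/group names are constructed for illustration, and the sketch assumes application-level role assignments are effective inside every scope (as the Submitter: Everyone assignment on slide 7 suggests).

```python
"""AzMan-style RBAC decision model (added example, not AzMan's own code):
roles -> tasks -> operations, scoped assignments, BizRule veto, audit trail."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# A BizRule sees the request parameters and says whether the task applies to
# this request (what AzBizRuleContext.BusinessRuleResult expresses in the deck).
BizRule = Callable[[Dict[str, object]], bool]


@dataclass
class Task:
    operations: Set[str]
    bizrule: Optional[BizRule] = None


@dataclass
class Policy:
    operations: Set[str] = field(default_factory=set)
    tasks: Dict[str, Task] = field(default_factory=dict)
    roles: Dict[str, Set[str]] = field(default_factory=dict)  # role -> task names
    # scope -> role -> principals; scope None holds application-level assignments
    assignments: Dict[Optional[str], Dict[str, Set[str]]] = field(default_factory=dict)
    audit_log: List[Tuple[str, Optional[str], str, bool]] = field(default_factory=list)

    def define_task(self, name: str, ops: Set[str], bizrule: Optional[BizRule] = None) -> None:
        unknown = set(ops) - self.operations
        if unknown:  # refuse policy that names operations the application never declared
            raise ValueError(f"task {name!r} uses undefined operations {sorted(unknown)}")
        self.tasks[name] = Task(set(ops), bizrule)

    def define_role(self, name: str, tasks: Set[str]) -> None:
        unknown = set(tasks) - set(self.tasks)
        if unknown:
            raise ValueError(f"role {name!r} uses undefined tasks {sorted(unknown)}")
        self.roles[name] = set(tasks)

    def assign(self, role: str, principal: str, scope: Optional[str] = None) -> None:
        if role not in self.roles:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.setdefault(scope, {}).setdefault(role, set()).add(principal)

    def effective_roles(self, identities: Set[str], scope: Optional[str]) -> Set[str]:
        roles: Set[str] = set()
        for level in (None, scope):  # assumption: app-level assignments apply in every scope
            for role, members in self.assignments.get(level, {}).items():
                if members & identities:
                    roles.add(role)
        return roles

    def access_check(self, user: str, groups: Set[str], scope: Optional[str],
                     operations: List[str], params: Optional[Dict[str, object]] = None) -> Dict[str, bool]:
        """One result per requested operation, like AccessCheck's result array.
        Anything not explicitly granted by some task is denied."""
        params = params or {}
        identities = {user, *groups}
        granted: Set[str] = set()
        for role in self.effective_roles(identities, scope):
            for task_name in self.roles[role]:
                task = self.tasks[task_name]
                if task.bizrule is not None and not task.bizrule(params):
                    continue  # BizRule veto: this task grants nothing for this request
                granted |= task.operations
        decision = {op: op in granted for op in operations}
        for op, ok in decision.items():  # front-end audit of every decision, allow or deny
            self.audit_log.append((user, scope, op, ok))
        return decision


def small_amount(params: Dict[str, object]) -> bool:
    """The deck's example BizRule: approve only when Amnt is under 100.
    A missing or non-numeric Amnt fails closed instead of raising."""
    amount = params.get("Amnt")
    return isinstance(amount, (int, float)) and not isinstance(amount, bool) and amount < 100


def build_expense_policy() -> Policy:
    """Constructed policy modelled on the deck's Web Expense example (names are illustrative)."""
    p = Policy(operations={"retrieveForm", "queueRequest", "approveRequest", "checkStatus"})
    p.define_task("Submit Expense", {"retrieveForm", "queueRequest"})
    p.define_task("Approve Expense", {"approveRequest"}, bizrule=small_amount)
    p.define_task("Check Status", {"checkStatus"})
    p.define_role("Submitter", {"Submit Expense"})
    p.define_role("Approver", {"Approve Expense"})
    p.define_role("Auditor", {"Check Status"})
    p.assign("Submitter", "Everyone")                      # application level: every scope
    p.assign("Approver", "QueryGroup_D1Mgrs", "Dept 01")
    p.assign("Auditor", "Jane", "Dept 01")
    p.assign("Approver", "ADGroup_D2Mgrs", "Dept 02")
    p.assign("Auditor", "Jane", "Dept 02")
    return p


if __name__ == "__main__":
    pol = build_expense_policy()
    alice = ("alice", {"Everyone", "QueryGroup_D1Mgrs"})
    print(pol.access_check(*alice, "Dept 01", ["approveRequest"], {"Amnt": 50}))   # granted
    print(pol.access_check(*alice, "Dept 02", ["approveRequest"], {"Amnt": 50}))   # wrong scope: denied
    print(pol.access_check(*alice, "Dept 01", ["approveRequest"], {"Amnt": 500}))  # BizRule veto
    print(pol.access_check("bob", {"Everyone"}, "Dept 02", ["queueRequest", "approveRequest"]))
```

Two design points worth noting: the check is default-deny (an operation is granted only when some effective role's task lists it and that task's BizRule, if any, passes), and the BizRule fails closed when the parameter it inspects is absent or of the wrong type, which is the behaviour to want when a script callback is deciding access.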

23 Development Model Install
- Declare the policy definition via script: operations, tasks (with BizRules), roles. Example (VBScript; each new object must be submitted to persist it in the store):

    Set App = AzManStore.CreateApplication("Expense")
    App.Submit
    App.CreateOperation("retrieveForm").Submit
    App.CreateOperation("queueRequest").Submit
    Set Task = App.CreateTask("Submit Expense")
    Task.AddOperation CStr("retrieveForm")
    Task.AddOperation CStr("queueRequest")
    Task.Submit

24 Development Model Runtime
    ' at application boot: open the store and the application
    Set AzStore = CreateObject("AzRoles.AzAuthorizationStore")
    AzStore.Initialize 0, "msldap://CN=MyStore,DC=…"
    Set App = AzStore.OpenApplication("Expense")
    ' at client connect: build the client context
    ' (method name truncated on the slide; the API has ...FromToken, ...FromName and ...FromStringSid variants)
    Set Context = App.InitializeClientContextFrom
    ' on request: one result per operation in Operations; check each before acting
    Results = Context.AccessCheck("audit", Scope, Operations, Names, Values)

25 Authorization Manager Key Benefits

26 Administrator Benefit
- Common application RBAC model
  - Simpler authorization policy
  - Better query support
  - Role-based user provisioning: organizational roles map to application roles
  - Delegation (AD store)
- Common administration
  - Easy: hides the complexity of operations
  - Defining roles and tasks is rare; maintaining roles and groups is simple

27 Developer Benefits
- Simple and natural role-based development: integrates managed or native apps
- Advanced RBAC features: BizRules, application groups
- Platform integration: support for AD attributes and groups, NT access token
- Platform services do the hard work: policy storage, common UI, built-in caching, late-binding support, Windows auditing integration

28 Leverage the system: don't write your own access control
- Cost: each authorization model is expensive to design, develop, test, maintain and support
- Training: each authorization model must be learned by administrators and PSS
- Security: features like auditing, delegation of administration and accurate group expansion are important to access control

29 © 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

