Role-based access control enables you to assign users to roles and to keep track of what permissions have been given to each role. You can also apply very specific control by using scripts called authorization rules. Authorization rules enable you to control the relationship between access control and the structure of your organization.
Authorization Manager can help provide effective control of access to resources in many situations. Generally, two categories of roles often benefit from role-based administration: user authorization roles and computer configuration roles.
User authorization roles are based on a user's job function. You can use authorization roles to authorize access, to delegate administrative privileges, or to manage interaction with computer-based resources. For example, you might define a Treasurer role that includes the right to authorize expenditures and audit account transactions.
Computer configuration roles are based on a computer's function. You can use computer configuration roles to select features that you want to install, to enable services, and to select options. For example, computer configuration roles for servers might be defined for Web servers, domain controllers, file servers, and custom server configurations that are appropriate to your organization.
Using developer mode and administrator mode in Authorization Manager
With Authorization Manager, you can use the following two modes:
Developer mode. In developer mode, you can create, deploy, and maintain applications. You have unrestricted access to all Authorization Manager features.
Administrator mode. This is the default mode. In administrator mode, you can deploy and maintain applications. You have access to all Authorization Manager features, but you cannot create new applications or define operations.
Commonly, Authorization Manager is used by custom applications written for a specific purpose in your environment. These applications usually create, manage, and use an authorization store by calling the Authorization Manager application programming interfaces (APIs). In that case, you do not need to use developer mode. For more information about using Authorization Manager programmatically, see Resources for Authorization Manager.
When you use developer mode, it is recommended that you run Authorization Manager in developer mode only until the authorization store, application, and other necessary objects are created and configured. After you initially set up Authorization Manager, run Authorization Manager in administrator mode. For more information about using developer or administrator mode, see Set Authorization Manager Options.
Comparing Authorization Manager to other management tools
You can use Authorization Manager to implement multiple configuration and permission changes at once. Other management tools available with this version of Windows can also be used to configure access permissions, sometimes in ways comparable to Authorization Manager. These include:
Access control lists. Access control lists (ACLs) on the Security properties tab can be used to manage access control policy for objects stored in Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), and Windows objects. Authorization Manager differs from the Security properties tab by letting you base your access control on roles (usually based on particular job tasks), not just on group membership, and by tracking the permissions that have been granted.
Delegation of Control Wizard. The Delegation of Control Wizard also sets multiple permissions automatically; however, unlike Authorization Manager, it does not provide a method to track or remove permissions that have been granted.