Does anyone use Windows Authorization Manager (AzMan) anymore for "greenfield" projects? If so, are there any benefits to using the technology in an ASP.NET application as a membership/role provider?
Microsoft AzMan (Authorization Manager) is a role-based access and security framework for .NET applications. It offers a way for administrators to manage policies for authorization and runtimes that permit applications to execute access checks against those policies.
Authorization Manager provides an administration tool as a Microsoft Management Console (MMC) snap-in to manage roles, tasks, operations, and users. Administrators configure an Authorization Manager policy store in an XML file, Active Directory, or in an Active Directory Application Mode (ADAM) store.
The answer appears to be no. No one has answered this question, and a blog question posted in 2004 along with some more recent comments appear to convey mostly negative experiences folks have had. NetSqlAzMan would be worth investigating.
http://weblogs.asp.net/lorenh/archive/2004/02/24/79218.aspx
Some choice comments from the link:
1.
Udi Dahan - The Software Simplist said: Saw it at a local .Net user group some time ago. Seemed nice, except for the interop.
One other thing is the ability to perform "business tasks" that are really only script.
Should the interop go away, and be able to call .Net code for business tasks, this would truly be a killer.
2.
Chris Bilson said: We have it fully integrated into our ASP.NET application. The Interop part really sucks when you have defined a lot of operations and are doing lots of authorization checks. It's a real performance killer.
I have my own wrapper class that invokes my "Business Tasks" when an access check is performed.
I feel kind of frustrated that there isn't more information about this tool, as I agree that it is a nice way to get out of hard coding role checks into my application - something that would not be acceptable in my case due to varying customer definitions of what a "Manager" is and what they can do.
3.
Dominick Baier said: hi,
i love azman! i have written some stuff on it on www.leastprivilege.com - especially that ability to use non-windows accounts is very cool!
dominick
4.
Mathertel said: Yes, we use it in a .NET Web Application, built a wrapper and a bunch of additional tools to work with (a lot of tools are missing in the MMC snapin)
5.
Tom Bruns said: I have used AzMan extensively in a large .NET Web application. I think that the conceptual model is very good. However, there are a lot of "lessons learned" concerning how to correctly architect the application to use it relative to performance, ongoing maintenance of the policy store, interaction with ADAM etc. If I can be of any help please feel free to email me. Replace nospam with com in my email address. Used correctly it can perform very well.
6.
Horea Hopartean said: We tried to use it and keep its repository on a Win2003 AD, but at 10000 users it took 13 (thirteen) seconds to do an OpenApplication call.
That and the ugly API may be good reasons why it hasn't got any traction so far :)
7.
news75 said: Hi, I have the same problem.
I'm comparing Visual Guard, AzMan, NetSqlAzMan and the feature provided from the framework .net 3.0.
At the moment I'm preferring NetSqlAzMan. It's well integrated with the .NET Framework, the community is active, and it is Open Source. Yes, there are some limitations: only Windows or custom Authentication and Microsoft SQLManager, but...
I'm wondering: why is this argument so underestimated!?
8.
Riverway said: I am developing an Enterprise RBAC system using Azman with AD store. To overcome the slow performance, I wrote a wrapper class which directly accesses Azman in AD's OU structure using LDAP queries. Another thing to mention is that Azman of the Windows Server 2008 version has the capability to create a data store in a SQL2008 database. My biggest complaint is that the Security Dialog for any resources (folders, disks, etc) does not recognize Azman defined groups or roles as available identities. This makes it really difficult to integrate RBAC which encompasses ERP and other enterprise roles AND Windows Resource Access Control at the same time unless you write an application which can write to AD directly.
9.
James said: We used azman on our project and it sucks. We've had a ton of problems with interoperability, and it didn't work for our developers using Win7 when the .xml file was made on a win2003 machine. We even went as far as reporting a bug to Microsoft. It does a ton of COM BS like randomly not working and saying E_INVALIDARG, whatever that means. This is one of the technologies I want to remove from our project when I get a chance.