Windows Role-Based Access Control: Longhorn Update
Dave McPherson, Program Manager, Windows Core Security

Page 1: Windows Role-Based Access Control Longhorn Update Dave McPherson Program Manager Windows Core Security.

Windows Role-Based Access Control: Longhorn Update
Dave McPherson, Program Manager, Windows Core Security

Page 2:

Agenda
  Role-Based Access Control
  Microsoft RBAC model
  RBAC Futures
  Authorization Manager (AzMan)
  AzMan Longhorn Update
  Demo
  Development Model
  Discussion

Page 3:

Role-Based Access Control
  Limits of object-centric authorization: hard to manage and query; problems in distributed environments
  RBAC moves the focus of management from resources to roles: permissions are managed and queried at the role
  Roles are groups of people that need specific permissions to do specific jobs
    Often align with organizational job descriptions and application use cases
  Roles vs. Groups
    A group is a collection of related people (applies to security groups, email groups, friends lists, ...)
    Roles grant specific permissions: groups with more features (permissions, scope, separation of power, ...)

Page 4:

Role-Based Access Control
  Role: user assignment of access rights to the specific resources needed to do a job
  Operation: low-level permission in an application
  Task (Permission): group of operations that make sense to administrators
  Scope: collection of resources with a common policy
  Authorization Policy Store: place to store authorization policy

Page 5:

Role-Based Access Control
  Diagram: a Role ties together Permissions, Users and Resources

Page 6:

RBAC Management
  Policy Store: storage in AD, XML, SQL
  Role: permissions needed to do a job
  Task: work units that make sense to administrators
  Operation: application action that the developer writes dedicated code for
  Diagram (Deployment on one side, Design on the other):
    Roles: Auditor, Approver, Submitter
    Tasks: ChangeApprover, Approve/Deny Payment, Approve/Reject Report, SubmitReport, CancelReport, CheckStatus
    Operations: DatabaseOperation, WebOperation, DirectoryOperation, PaymentSystem Operation
    Policy Store: XML, SQL*

Page 7:

Role Definitions & Assignments, Scopes
  Role definitions: Submitter, Auditor, Approver
  Web Expense (Scope: App) role assignments: Submitter: Everyone
  Scope: Dept 01 role assignments: Approver: QueryGroup_D1Mgrs; Auditor: Jane, Lizzy
  Scope: Dept 02 role assignments: Approver: ADGroup_D2Mgrs; Auditor: Jane, Charlie
  Diagram: ExpenseApplication

Page 8:

Organizational RBAC Today
  Use AD groups to populate application-level roles
  Diagram: the Employee role (an AD group), fed by MIIS rules + management agents, populates the Employee role in the Web Expense application, Supply application and 3rd party application (via AzMan), in an ACL'ed application, and in an RM application

Page 9:

RBAC Beyond Longhorn
  Integrates DRM, provides for queries and compliance audits
  Diagram: Access Control Authoring / Provisioning Services + Connectors feeding the Web Expense application, Supply application, 3rd party application and an ACL'ed application

Page 10:

Authorization Manager (an application RBAC implementation)

Page 11:

Authorization Manager
  Product: administration interfaces, runtime enforcement, multi-application UI
  Platforms: Windows 2000, Windows XP, Windows Server 2003
  Managed code: interop assembly (included on WS03, available for XP and 2K)

Page 12:

AzMan v1 Goals and Features
  Goals
    Simple authorization that integrates platform features
    RBAC model targeting applications
    Solution for line-of-business web applications
  Features
    Simple RBAC model for applications
    Support for managed* or native applications
    BizRules (authorization rules): script to dynamically modify an access decision
    Application groups: application-specific, late-bound, flexible
    Authorization Policy Store: place to store authorization policy (XML/AD/ADAM)

Page 13:

AzMan MMC Common UI
  Multiple applications
  Application groups: store-level (global to apps in the store)
  Assign store-level groups to application roles

Page 14:

New For Longhorn
  SQL storage support: provide a SQL storage mechanism; popular request of departmental apps
  Common RBAC queries: improves RBAC management; improves performance
  Expanded LDAP query support: queries on any DN (not just users)
  Expanded BizRule support: support group membership based on rules (ADFS claims, user attributes, etc.)

Page 15:

New For Longhorn
  UI object picker customization: add support for apps to provide an ADAM object picker
  Enhanced / debugging logging: more debugging API
  Improve v1 logging support: log more events, easier to use

Page 16:

Longhorn Improvements
  Simplify developer experience: role-definition object; simplify BizRule usage
  Performance improvements: optimized interfaces for managed applications; store creation; application initialization

Page 17:

Pending Longhorn Plans
  AD application partition support: support deployment into NDNCs; improved replication control; reduces deployment requirements
  Improved delegation: delegate role assignment capabilities

Page 18:

Role-based Authorization

Page 19:

Demo: Web Expense application
  Web browser client submits expense
  Server verifies access against authorization policy in a separate store
  Action performed in server context on behalf of client; audits generated at front and back end
  Manager approves expense
  Diagram: Web Expense application with its Authorization Policy Store

Page 20:

Development Model

Page 21:

AzMan Application Model: Trusted Subsystem
  Client request goes to the AzMan-enabled application, which returns the response
  Server verifies access against authorization policy in a separate store
  Action performed in server context on behalf of client
  Audits generated at front and back end
  Diagram: Authorization Policy Store, AzMan, APP

Page 22:

Development Model: Application Development
  Implement operations: methods or functions
  Design tasks: high-level application activities, administrator-friendly
  BizRule scripts: keep 'em simple; callback interface; example:

    ' BizRule (VBScript): start from deny, grant only when the amount is small
    AzBizRuleContext.BusinessRuleResult = FALSE
    Amnt = AzBizRuleContext.GetParameter("Amnt")
    If Amnt < 100 Then AzBizRuleContext.BusinessRuleResult = TRUE

Page 23:

Development Model: Install
  Declare policy definition via script: operations, tasks (with BizRules), roles

    ' Create the application, its operations and a task; Submit persists each object to the store
    Set App = AzManStore.CreateApplication("Expense")
    App.Submit
    Set Op = App.CreateOperation("retrieveForm"): Op.OperationID = 1: Op.Submit
    Set Op = App.CreateOperation("queueRequest"): Op.OperationID = 2: Op.Submit
    Set Task = App.CreateTask("Submit Expense")
    Task.AddOperation CStr("retrieveForm")
    Task.AddOperation CStr("queueRequest")
    Task.Submit

Page 24:

Development Model: Runtime

    '------- at application boot --
    Set AzStore = CreateObject("AzRoles.AzAuthorizationStore")
    AzStore.Initialize 0, "msldap://CN=MyStore,DC=…"    ' store URL truncated on the slide
    Set App = AzStore.OpenApplication("Expense")
    '------- at client Connect --
    Set Context = App.InitializeClientContextFrom      ' method name truncated on the slide
    '------- on request --
    Results = Context.AccessCheck("audit", Scope, Operations, Names, Values)
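The policy model of pages 4 through 7 (operations, tasks, roles, scopes, role assignments to users and groups) and the development-model steps of pages 22 through 24 (declare the policy, evaluate a BizRule against request parameters, run AccessCheck and audit the result), carried through as one added worked example. This is not the AzMan COM API and not Microsoft's code: it is a self-contained in-memory model of the semantics the slides describe, written for this page. The operation names approveRequest and readReport, the group memberships (including the nested Payments_Leads group) and the audit line format are constructed; the in-memory objects stand in for the XML/AD/SQL policy store.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

APP_SCOPE = ""  # application-level assignments ("Scope: App") apply in every scope


@dataclass
class Task:
    name: str
    operations: Set[str]
    # BizRule callback: receives the request parameters, returns the decision
    bizrule: Optional[Callable[[Dict[str, object]], bool]] = None


@dataclass
class Role:
    name: str
    tasks: Set[str]


@dataclass
class Application:
    """One application in an authorization policy store (in-memory stand-in)."""
    name: str
    operations: Set[str] = field(default_factory=set)
    tasks: Dict[str, Task] = field(default_factory=dict)
    roles: Dict[str, Role] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)   # group -> members (users or groups)
    assignments: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # scope -> role -> principals
    audit: List[str] = field(default_factory=list)              # stand-in for Windows auditing

    def create_operation(self, name: str) -> None:
        self.operations.add(name)

    def create_task(self, name: str, ops, bizrule=None) -> Task:
        unknown = set(ops) - self.operations
        if unknown:
            raise ValueError(f"task {name!r} uses undefined operations {sorted(unknown)}")
        self.tasks[name] = Task(name, set(ops), bizrule)
        return self.tasks[name]

    def create_role(self, name: str, tasks) -> Role:
        unknown = set(tasks) - set(self.tasks)
        if unknown:
            raise ValueError(f"role {name!r} uses undefined tasks {sorted(unknown)}")
        self.roles[name] = Role(name, set(tasks))
        return self.roles[name]

    def assign(self, scope: str, role: str, principal: str) -> None:
        self.assignments.setdefault(scope, {}).setdefault(role, set()).add(principal)

    def is_member(self, user: str, principal: str, seen=frozenset()) -> bool:
        """Expand nested groups; 'seen' guards against membership cycles."""
        if principal == "Everyone" or principal == user:
            return True
        if principal in self.groups and principal not in seen:
            return any(self.is_member(user, m, seen | {principal}) for m in self.groups[principal])
        return False

    def roles_for(self, user: str, scope: str) -> Set[str]:
        """Roles held in a scope: the scope's own assignments plus application-level ones."""
        held = set()
        for s in (APP_SCOPE, scope):
            for role, principals in self.assignments.get(s, {}).items():
                if any(self.is_member(user, p) for p in principals):
                    held.add(role)
        return held

    def access_check(self, user, scope, operations, params=None) -> Dict[str, bool]:
        """Deny by default; grant an operation when a held role reaches it through
        a task whose BizRule (if any) accepts the request parameters. Every
        decision is audited, as the trusted-subsystem model expects at the front end."""
        params = params or {}
        result = {op: False for op in operations}
        for role in self.roles_for(user, scope):
            for task_name in self.roles[role].tasks:
                task = self.tasks[task_name]
                if task.bizrule is not None and not task.bizrule(params):
                    continue
                for op in task.operations & set(operations):
                    result[op] = True
        for op, ok in result.items():
            self.audit.append(f"{user} {scope or 'App'} {op} {'ALLOW' if ok else 'DENY'}")
        return result


def amount_rule(params: Dict[str, object]) -> bool:
    """The page-22 BizRule: result is FALSE unless Amnt is present and below 100."""
    return "Amnt" in params and params["Amnt"] < 100


def build_expense_app() -> Application:
    """Expense application with the role definitions, scopes and assignments of page 7."""
    app = Application("Expense")
    for op in ("retrieveForm", "queueRequest", "approveRequest", "readReport"):
        app.create_operation(op)
    app.create_task("Submit Expense", {"retrieveForm", "queueRequest"})
    app.create_task("Approve Expense", {"approveRequest"}, bizrule=amount_rule)
    app.create_task("Audit Report", {"readReport"})
    app.create_role("Submitter", {"Submit Expense"})
    app.create_role("Approver", {"Approve Expense"})
    app.create_role("Auditor", {"Audit Report"})
    # Constructed memberships standing in for the LDAP query group and AD group
    app.groups["QueryGroup_D1Mgrs"] = {"Alice"}
    app.groups["ADGroup_D2Mgrs"] = {"Dana", "Payments_Leads"}   # contains a nested group
    app.groups["Payments_Leads"] = {"Bob"}
    app.assign(APP_SCOPE, "Submitter", "Everyone")
    app.assign("Dept 01", "Approver", "QueryGroup_D1Mgrs")
    for u in ("Jane", "Lizzy"):
        app.assign("Dept 01", "Auditor", u)
    app.assign("Dept 02", "Approver", "ADGroup_D2Mgrs")
    for u in ("Jane", "Charlie"):
        app.assign("Dept 02", "Auditor", u)
    return app


if __name__ == "__main__":
    app = build_expense_app()
    print(app.access_check("Bob", "Dept 02", ["approveRequest"], {"Amnt": 50}))
    print(app.access_check("Bob", "Dept 02", ["approveRequest"], {"Amnt": 500}))
    print(*app.audit, sep="\n")
```

Two points the slides state but do not show in code are visible here: a role held only in Dept 02 gives nothing in Dept 01, while the application-level Submitter assignment to Everyone applies in every scope; and a BizRule that starts from FALSE fails closed when the request carries no Amnt parameter at all.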

Page 25:

Authorization Manager: Key Benefits

Page 26:

Administrator Benefit
  Common application RBAC model: simpler authorization policy; better query support
  Role-based user provisioning: organizational roles map to app roles; delegation (AD store)
  Common administration is easy: hides the complexity of operations; defining roles and tasks is rare; maintaining roles and groups is simple

Page 27:

Developer Benefits
  Simple and natural role-based development: integrates managed or native apps
  Advanced RBAC features: BizRules; application groups
  Platform integration: support for AD attributes and groups; NT access token
  Platform services do the hard work: policy storage, common UI; built-in caching, late-binding support; Windows auditing integration

Page 28:

Leverage the System: Don't Write Your Own Access Control
  Cost: each authorization model is expensive to design, develop, test, maintain and support
  Training: each authorization model must be learned by administrators and PSS
  Security: features like auditing, delegation of administration and accurate group expansion are important to access control

Page 29:

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.