IT:AD:NETSqlAzMan

Summary

Unlike IT:AD:AzMan (which is an RBAC system), NetSqlAzMan is a permissions/operations-based authorisation control system.

The system checks the fine-grained permissions of the user, without checking for permissions on the object (as opposed to a DAC system).

It's appropriate for a lot of applications, as long as there isn't a notion of per-item authorisation (in which case consider a DAC).

Here's a good summary of why to use it in many types of projects (although not ones that need a DAC):

  • Pros:
    • Has active passthrough to LDAP queries of AD, so it can get a dynamic list of users in a group. Nice integration for enterprise environments.
    • Without COM, it is a lot faster than AzMan, and a lot less of a headache.
    • NetSqlAzMan can be fine-grained (e.g. you can assign the Role Accountant to a user, and remove one of the Accountant's Operations from that user).
    • You can use NetSqlAzMan groups, which can dynamically query an LDAP server for users.
      • Cool.
    • Can create BizRules.
      • Wow.

  • Considerations:
    • For general public websites, I'm not enamoured with their DbUser solution.
      • But can live with it…
    • It's built with older technology (Linq 2 SQL)…
      • I can live with that too, in the hope it gets upgraded one day.
    • Depending on the version you work with, it's written in .NET 4.0.
    • This is not a DAC based system.
    • No idea how to implement this in a distributed way.

Terminology

  • Store: is just a logical partition.
    • Think of it as a group of Settings appropriate for a whole Business, or other, Big, group.
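The fine-grained "Role Accountant minus one Operation" grant from the Pros list and the Store/Application/Item hierarchy above, modelled as an added Python example (not NetSqlAzMan's own code or API): items nest Role → Task → Operation, authorizations attach to any item, and a check walks the operation's ancestors with Deny overriding Allow (the precedence rule NetSqlAzMan applies); the user and item names are constructed.

```python
from enum import Enum


class Auth(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NEUTRAL = "Neutral"  # no authorization found: not allowed


class Application:
    """Model of one application inside a Store (not NetSqlAzMan's own code)."""

    def __init__(self):
        self.members = {}  # item name -> child item names (Role -> Task -> Operation)
        self.auths = {}    # item name -> {user: Auth}

    def create_item(self, name, children=()):
        self.members[name] = list(children)
        self.auths[name] = {}

    def authorize(self, item, user, auth):
        self.auths[item][user] = auth

    def _lineage(self, item):
        """Yield the item and every ancestor (each role or task that contains it)."""
        yield item
        for parent, children in self.members.items():
            if item in children:
                yield from self._lineage(parent)

    def check_access(self, operation, user):
        """Permission check on the user alone: no object/resource is consulted.
        A Deny on the operation or any ancestor overrides an Allow anywhere."""
        result = Auth.NEUTRAL
        for item in self._lineage(operation):
            auth = self.auths[item].get(user, Auth.NEUTRAL)
            if auth is Auth.DENY:
                return Auth.DENY
            if auth is Auth.ALLOW:
                result = Auth.ALLOW
        return result


def accountant_demo():
    """The page's scenario (constructed names): grant alice the Accountant role, then strip one operation."""
    app = Application()
    ops = ["View Ledger", "Post Journal", "Approve Invoice"]
    for op in ops:
        app.create_item(op)                                   # operations (leaves)
    app.create_item("Accounting", ops)                        # task containing them
    app.create_item("Accountant", ["Accounting"])             # role containing the task
    app.authorize("Accountant", "alice", Auth.ALLOW)          # role-level grant
    app.authorize("Approve Invoice", "alice", Auth.DENY)      # remove one operation
    return app
```

Calling `check_access("Approve Invoice", "alice")` yields Deny while the other two operations yield Allow, and a user with no authorization anywhere in the lineage gets Neutral.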

That should do it…But I would like to see some speed tests now…

But AzMan…as was stated on http://bit.ly/e2Ab38:

I am developing an Enterprise RBAC system using Azman with an AD store. To overcome the slow performance, I wrote a wrapper class which accesses Azman directly in AD's OU structure using an LDAP query. Another thing to mention is that the Azman of the Windows Server 2008 version has the capability to create a data store in a SQL 2008 database. My biggest complaint is that the Security Dialog for any resources (folders, disks, etc.) does not recognize Azman-defined groups or roles as available identities. This makes it really difficult to integrate RBAC which encompasses ERP and other enterprise roles AND Windows Resource Access Control at the same time, unless you write an application which can write to AD directly.
and

We used Azman on our project and it sucks. We've had a ton of problems with interoperability, and it didn't work for our developers using Win7 when the .xml file was made on a Win2003 machine. We even went as far as reporting a bug to Microsoft. It does a ton of COM BS like randomly not working and saying E_INVALIDARG, whatever that means. This is one of the technologies I want to remove from our project when I get a chance.

Links:

http://bit.ly/iaFbBR

http://bit.ly/fxuF93 (for more in-depth coverage…)

http://bit.ly/fFLP8F

http://bit.ly/e2Ab38

http://bit.ly/h7e1ow (on AzMan…but very good for general background…definitely worth a slow read).