“Non Windows users” in AzMan (Authorization Manager)




AzMan background

AzMan (Authorization Manager) is the best Microsoft technology to implement role & permissions based security for your applications.

It exists as part of Windows Server (and Windows “workstation”), since versions Windows Server 2003 and Windows XP. If you want to take a look of its management tool, just run it: “Start azman.msc” (from cmd or search).

In Windows Server 2003 old days, your app users had to be Windows users, which in fact, is the most common way. Even today, with current AzMan version, you normally will use Windows users for your apps. But, sometimes, you need non-Windows users for external apps, or for any reason you want. So, in the first AzMan version, you “could use” custom users, but in a very limited way, based on your custom app-users DB tables or any repository, but then you could not use the AzMan administration MMC snap-in to manage those users within roles, etc., you had to use just the APIs for AzMan administration, then…

In Windows Server 2008 and Windows Vista AzMan version, SQL Server support for Stores and AD LDS, was added (formerly we could store our metadata just on Active Directory, ADAM, or XML files).

For instance, this is the definition string when using SQL Server as your AzMan store:

mssql://Driver={SQL Server};Server={CESARDLSQLSERVER};/AzManDb/AzStore

Here you can see AzMan console, where you can administer your App’s permissions (operations), roles and assignments:


Ok, so far, I’ve told you just a bit of AzMan’s background, but nothing about “Non Windows Users” in AzMan, so there we go!

“Non Windows Users” in AzMan

Since Windows Server 2008 and Windows Vista, and now also in Windows Server 2008 R2 and Windows 7, we have AzMan MMC Snap-in support for our custom app users (DB tables, AD LDS, any LDAP directory, etc.), using a “Custom Object Picker“!!. 🙂

You can check it out here, it was updated in MSDN on March 9, 2009:


Also, within AzMan help, you can read the following:

With Authorization Manager, you can include users or groups from any source that can be defined or referenced by the Authorization Manager application programming interface (API). In order to include users and groups from external sources, you must write or acquire a custom object picker. A custom object picker is a software component that can be installed on your system to allow an Authorization Manager administrator to access data stored in an external application.

For more information, see Authorization Manager Model (http://go.microsoft.com/fwlink/?linkid=64027).

The permissions required to perform this task will vary for each custom object picker.

Choose users or groups with a custom object picker

  1. Install the custom object picker according to the instructions provided with the non-Microsoft software.

  2. The custom object picker will be added to the Assign users and groups from menu choices under the Role Assignments node and to the drop-down list in the Members and Exclusions tab of the properties sheet for basic application groups. Choose the entry installed by the custom object picker installation process.

  3. Select users from the external source, according to the instructions provided with the custom object picker.


So, logically, it is not a ver straight forward capability, as you could have any DB schema (or any kind of repository) for your users, therefore, you must develop your “Custom Object Picker” in order to be able to select/assing your users.

I beleive there is a sample “Custom Object Picker” within Windows SDK. At the moment, the newest SDK is the Windows SDK for Windows 7 and .NET Framework 3.5 SP1 – RC (Published on 5/4/2009):

ISO: http://www.microsoft.com/downloads/details.aspx?FamilyID=6db1f17f-5f1e-4e54-a331-c32285cdde0c

Web setup: http://www.microsoft.com/downloads/details.aspx?FamilyID=f75f2ca8-c1e4-4801-9281-2f5f28f12dbd

I still have to research more on this capability (“Custom Object Picker“), I’ll try to extend this post when I’ll do it. 🙂

RESOURCES (Some useful links about AzMan):




http://forums.asp.net/t/1124227.aspx (Last post, from David Crawford, is quite interesting)

Cesar De la Torre

Principal Program Manager, .NET

Follow Cesar   

No Comments.