Entering Configuration Information

Microsoft Enterprise Library 5.0

DropDown image DropDownHover image Collapse image Expand image CollapseAll image ExpandAll image Copy image CopyHover image

These procedures explain how to configure the Security Application Block. For details of the schema for the Security Application Block configuration, see Source Schema for the Security Application Block. You can also configure the block in code by using an alternate configuration source. For more information, see Advanced Configuration Scenarios and Using the Fluent Configuration API.

To add the Security Application Block

  1. Open the configuration file. For more information, see Configuring Enterprise Library .
  2. Click Add Security Settings on the Blocks menu.
  3. The configuration tool automatically adds the Security Settings section with default settings. Click the chevron arrow at the right of the section heading to view Security Settings properties.
  4. Click the Authorization Providers plus sign icon, point to Add Authorization Providers, then click the type of authorization rule provider you require and configure the provider as shown in the following procedures.
    Note:
    The Windows Authentication Manager (AzMan) provider is available only if you have installed the required prerequisites, including the assembly Microsoft.Interop.Security.AzRoles.dll, and compiled the Security Application Block to include this provider. For more information, see About the AzMan Provider later in this topic.

  5. (Optional) Click the Security Caches plus sign icon, point to Add Security Caches, then click the type of security cache provider you require and configure the provider as shown in the following procedures.
  6. (Optional) In the properties pane of the Security Settings section, set the Protection Provider property. The text box drop-down provides three choices (no protection),RsaProtectedConfigurationProvider, and DataProtectionConfigurationProvider. The default is no protection. See Encrypting Configuration Data for information about the restrictions on using the RsaProtectedConfigurationProvider.
  7. (Optional) In the properties pane, set the Require Permission property to True or False. The default is True.
  8. (Optional) In the properties pane, set the Default Authorization Provider property. This is the authorization provider instance to use if one is not specified in the code. The default is none.
  9. (Optional) In the properties pane, set the Default Security Cache Provider property. This is the security cache provider instance to use if one is not specified in the code. The default is none.

After you add the Security Application Block to the application configuration, you need to configure some or all of the following elements:

Authorization Rule Provider

The following procedure shows how to configure the Authorization Rule Provider.

To configure the Authorization Rule Provider

  1. Follow the steps in the earlier procedure (entitled "To add the Security Application Block") to add an authorization provider, and select Add Authorization Rule Provider.
  2. (Optional) In the properties pane, change the Name of the provider. The default name is Authorization Rule Provider.
  3. To add a rule, right-click the heading section of the authorization provider and click Add Authorization Rule. An Authorization Rule item is added to the Authorization Rules column.
  4. (Optional) In the properties pane of the new authorization rule item, change the name of the rule.
  5. In the properties pane, click the Rule Expression property ellipsis button () and use the Rule Expression Editor to enter the authorization rule. The following section describes the way you use this editor to configure rules.

Configuring Authorization Rules

When you use the Authorization Rule Provider, you must configure the authorization rule(s). An authorization rule specifies the circumstances under which a user is authorized to perform some task. The expression must be a string with a Boolean predicate. The configuration tools include a Rule Expression Editor you can use to create the rule. With the editor, you can enter identities, roles, and Boolean operators.

Valid identities are the following:

  • Specific (for example, "Bob")
  • Anonymous (symbolized as "?")
  • Any (symbolized as "*")

Valid roles are the following:

  • Specific (for example, "Managers")
  • Any (symbolized as "*")

Valid operators are the following:

  • AND
  • OR
  • NOT
  • (
  • )

These identities, roles, and operators are combined in rules, which can be simple or complex. Examples of rules include the following:

  • I: Bob. This rule indicates that only a user with the identity Bob is authorized.
  • ((R:HumanResources OR R:GeneralManagers) AND (NOT R:HRSpecialist)). This rule indicates that only users that are in either the HumanResources or GeneralManagers roles and are not in the HRSpecialist role are authorized.

The Rule Expression Editor also includes a feature to test whether users with particular roles or identities are authorized using the rule you have specified. This can be useful to help confirm that you have phrased the rule correctly. To use this feature, enter the role and/or identity you want to test against the rule, and then click the Test button. The Expression Editor will display Authorized, Not Authorized, or an error message that indicates that the rule is not correctly defined.

AzMan Provider

The next procedure describes how to configure the AzMan Provider.

To configure an AzMan Provider

  1. Follow the steps in the earlier procedure (entitled "To add the Security Application Block") to add an authorization provider, and select Add AzMan Authorization Provider.
  2. (Optional) Edit the Name for the provider. The default is AzMan Authorization Provider.
  3. (Optional) In the properties pane, enter the Application name. This is the name of the application as configured in the AzMan rules store.
  4. (Optional) Enter the Application Scope. Using scopes, you can have different authorization settings for different parts of your application.
  5. Enter the Audit Identifier Prefix. The format of an audit identifier is prefixusername:operation.
  6. Enter the Store Location. This is the location of the authorization store. It can be either an XML file or a part of Active Directory. The default location for an XML file is msxml://c:/myAuthStore.xml. The default for Active Directory is msldap://myserver/CN=MyStore,OU=AzMan,DC=MyDomain,DC=Com.
    Note:
    The database connection string used to connect to the AzMan store is stored in clear text by default. To provide security you must encrypt the connection string used to connect to a database for an AzMan provider when a database store is used.

About the AzMan Provider

Windows Authorization Manager (AzMan) allows you to define an application, the roles for that application, and the operations (such as "Submit Order" or "Approve Expenses") that the application exposes. For each operation you can define users and groups that can execute that operation. You can include local and domain user accounts and account groups stored in Active Directory. You can store your authorization rules in Active Directory, in an XML file, or in a database.

If you want to use the AzMan provider in your application, you can modify the Enterprise Library solution file to include the AzMan provider projects and recompile the entire library, or you can compile the Security Application Block using the solution file in the Security subfolder of the source files (which already includes the AzMan provider projects) and then run the CopyAssemblies.bat script to copy the assembly Microsoft.Practices.EnterpriseLibrary.Security.AzMan.dll to the appropriate location so that it is available in the configuration tools. You must also reference this assembly in your application projects.

For more information about using Windows Authorization Manager, see the following resources:


Note:
The AzMan provider is part of the operating system in Windows XP Professional and Windows Server 2003 and later. The administration GUI for AzMan is part of the operating system in Windows Vista® and Windows Server® 2003 and later. In Windows Vista and Windows Server 2008, AzMan provides additional capabilities.

You can download the AzMan GUI and install it in Windows XP Professional if you want to use this operating system to develop applications that use the AzMan provider with the Security Application Block. The GUI is part of the Windows Server 2003 Service Administration Tools Pack. If you are still running Windows 2000, you must install the Windows 2000 Authorization Manager Runtime. You cannot install the AzMan GUI in Windows 2000. Instead, you must use a networked machine running Windows XP or later to create and administer rules, or use the AzMan provider API through the command line or via scripting.

Custom Authorization Provider

The next procedure describes how to configure the Custom Authorization Provider.

To configure a Custom Authorization Provider

  1. Follow the steps in the earlier procedure ("To add the Security Application Block") to add an authorization provider, and select Add Custom Authorization Provider. Navigate to your custom provider assembly in the type selector dialog, and click OK.
  2. (Optional) Edit the Name property of the custom authorization provider. The default name is Custom Authorization Provider.
  3. In the Attributes row of the properties pane for the custom provider, add the Key and Value entries that define the properties you want to pass to the provider. As you type in the text boxes, the configuration tool adds a new empty row. Click the delete (cross) icon next to a row to remove it.

Security Cache

You can use a security cache to store security-related information. The following procedure describes how to configure the security cache.

To configure a security cache

  1. Follow the steps in the earlier procedure ("To add the Security Application Block") to add a security cache provider, and select Add Security Cache.
  2. The Security Cache uses the Caching Application Block as the cache for credentials. The Caching Application Block is added to the configuration automatically with the default settings. For more information about configuring the Caching Application Block, see Entering Configuration Information in the Caching Application Block documentation.
  3. (Optional) In the properties pane of the security cache, edit the Name property. This is the name of the cache provider. The default is Security Cache.
  4. In the properties pane of the security cache, set the Absolute Expiration property. This is the amount of time it takes for an item that is added to the cache to expire. The unit of time is minutes. The default is 60.
  5. In the properties pane of the security cache, set the Cache Manager property. This is the name of the cache manager to use, as defined in the Caching Application Block configuration. The default is Cache Manager. If you define a different cache manager in the Caching Application Block configuration, select it from the drop-down list.
  6. In the properties pane of the security cache, set the Sliding Expiration Time property. This is the interval between the time an item in the cache was last accessed and when it expires. The unit of time is minutes. The default is 10.

Custom Security Cache Provider

The next procedure describes how to configure the Custom Security Cache Provider.

To configure the Custom Security Cache Provider

  1. Follow the steps in the earlier procedure ("To add the Security Application Block") to add a security cache provider, and select Add Custom Security Cache Provider. Navigate to your custom provider assembly in the type selector dialog, and click OK.
  2. (Optional) Change the Name property. The default name is Custom Cache Provider.
  3. In the Attributes row of the properties pane for the custom provider, add the Key and Value entries that define the properties you want to pass to the provider. As you type in the text boxes, the configuration tool adds a new empty row. Click the delete (cross) icon next to a row to remove it.