Configuring Role-based Authorization

This topic demonstrates how to configure the role-based authorization policy for the sample implementation of the CustomAuthorization interface described in Implementing Custom Authorization for a Management OData web service.

In this example, you will configure an XML file that is used by the sample Management OData application to define the authorization policy. You will create two roles and associate different Windows PowerShell modules that contain workflows with those roles. The schema that defines the XML file is listed at Role-Based Authorization Configuration Schema.

This file defines the authorization policy for the application. Roles are defined by using Group nodes. A Group node defines the Windows PowerShell commands that users assigned to that group can run. Users are assigned to groups by using User nodes.

In these examples, you will add a module to the Administrator Group node, and add a user to each group.

Adding a Module to a Group Node

  1. Create a file named RBacConfiguration.xml in a text editor. This file should be saved to the main application directory for your web service. Insert the following text in the file.

    <?xml version="1.0" encoding="utf-8"?>
    <RbacConfiguration>
      <Groups>
        <!--Group consists of the following: 
          Name:  Name of the group
          UserName (Optional): Windows Identity user name
          Password (Optional): Password of the Windows user name
      DomainName (Optional): Domain for the user. For a local machine account, either omit it or give the machine name. Do not give an empty string.
          MapIncomingUser (Optional): Boolean value indicating whether to execute cmdlet in the context of network client.
    
          User credentials and MapIncomingUser=true are exclusive.
        -->
        <Group Name="NonAdminGroup" MapIncomingUser="true">
          <Cmdlets>
            <Cmdlet>Get-Service</Cmdlet>
            <Cmdlet>Set-Service</Cmdlet>
            <Cmdlet>Get-Process</Cmdlet>
            <Cmdlet>Get-Item</Cmdlet>
            <Cmdlet>New-Item</Cmdlet>
            <Cmdlet>Get-Command</Cmdlet>
            <Cmdlet>ConvertTo-Xml</Cmdlet>
            <Cmdlet>ConvertTo-Json</Cmdlet>
            <Cmdlet>ConvertFrom-Json</Cmdlet>
          </Cmdlets>
        </Group>
        <Group Name="AdminGroup" MapIncomingUser="true">
          <Cmdlets>
            <Cmdlet>Get-Service</Cmdlet>
            <Cmdlet>Get-Process</Cmdlet>
            <Cmdlet>Get-Item</Cmdlet>
            <Cmdlet>New-Item</Cmdlet>
            <Cmdlet>Get-Command</Cmdlet>
            <Cmdlet>ConvertTo-Xml</Cmdlet>
            <Cmdlet>ConvertTo-Json</Cmdlet>
            <Cmdlet>ConvertFrom-Json</Cmdlet>
          </Cmdlets>
          <Modules>
            <Module>C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ServerManager\ServerManager.psd1</Module>
          </Modules>
        </Group>
      </Groups>
      <Users>
        <!-- User consists of the following : 
          Name: Name of the user. If a user is from a cer
          AuthenticationType: Authentication type used.
          DomainName (Optional): Domain for the user
        -->
        <User Name="localNonAdmin" AuthenticationType="Basic" GroupName="NonAdminGroup" />
        <User Name="localAdmin" AuthenticationType="Basic" GroupName="AdminGroup" />
      </Users>
    </RbacConfiguration>
    
    
  2. The file contains two Group nodes. These represent the two roles used in this example, the NonAdminGroup and the AdminGroup roles.

    Directly after the closing Cmdlets tag in the first Group node, add the following XML:

    <Modules>
      <Module>C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ServerManager\ServerManager.psd1</Module>
    </Modules>
    

Adding a User to a Group Node

  1. Open the RBacConfiguration.xml file in a text editor. This file is located in the folder C:\inetpub\wwwroot\Modata if you did not change the endpoint name before installation.

  2. Directly after the closing tag in the Users node, add the following XML:

    <User Name="UserName" GroupName="AdminGroup" AuthenticationType="Basic" DomainName="DomainName"/>
    
  3. Directly after the XML added in the previous step, add the following XML:

    <User Name="UserName" GroupName="NonAdminGroup" AuthenticationType="Basic" DomainName="DomainName"/>
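Before deploying the file, it is worth checking what the policy actually grants: that every User's GroupName refers to a Group that exists, that no Group combines UserName/Password with MapIncomingUser="true" (the exclusivity the file's own comment states), and which cmdlets each role ends up with. The sample on this page, for instance, grants Set-Service to NonAdminGroup but not to AdminGroup, which a reviewer would want surfaced rather than discovered later. The following Python script is an added example, not part of the Management OData sample or its RbacConfiguration schema; it parses a constructed copy of the file above (with the Modules node and a deliberately misconfigured BrokenGroup and orphan user added to exercise the checks) and reports effective permissions and policy problems. The function names (load_config, validate, allowed_cmdlets, can_run, cmdlets_only_in) are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample, based on the RbacConfiguration.xml shown on this page.
# BrokenGroup and the "orphan" user are added here only to trigger the checks.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<RbacConfiguration>
  <Groups>
    <Group Name="NonAdminGroup" MapIncomingUser="true">
      <Cmdlets>
        <Cmdlet>Get-Service</Cmdlet>
        <Cmdlet>Set-Service</Cmdlet>
        <Cmdlet>Get-Process</Cmdlet>
      </Cmdlets>
    </Group>
    <Group Name="AdminGroup" MapIncomingUser="true">
      <Cmdlets>
        <Cmdlet>Get-Service</Cmdlet>
        <Cmdlet>Get-Process</Cmdlet>
      </Cmdlets>
      <Modules>
        <Module>C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ServerManager\ServerManager.psd1</Module>
      </Modules>
    </Group>
    <!-- Constructed: violates "User credentials and MapIncomingUser=true are exclusive" -->
    <Group Name="BrokenGroup" UserName="svc" Password="p" MapIncomingUser="true">
      <Cmdlets><Cmdlet>Get-Item</Cmdlet></Cmdlets>
    </Group>
  </Groups>
  <Users>
    <User Name="localNonAdmin" AuthenticationType="Basic" GroupName="NonAdminGroup" />
    <User Name="localAdmin" AuthenticationType="Basic" GroupName="AdminGroup" />
    <!-- Constructed: refers to a group that is not defined -->
    <User Name="orphan" AuthenticationType="Basic" GroupName="NoSuchGroup" />
  </Users>
</RbacConfiguration>
"""


def load_config(xml_text):
    """Parse the RBAC file into {'groups': {name: {...}}, 'users': {name: attrs}}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    groups = {}
    for g in root.iter("Group"):
        groups[g.get("Name")] = {
            "attrs": dict(g.attrib),
            "cmdlets": {c.text.strip() for c in g.iter("Cmdlet") if c.text},
            "modules": [m.text.strip() for m in g.iter("Module") if m.text],
        }
    users = {u.get("Name"): dict(u.attrib) for u in root.iter("User")}
    return {"groups": groups, "users": users}


def validate(config):
    """Return a list of policy problems; an empty list means the file passed."""
    problems = []
    for name, g in config["groups"].items():
        a = g["attrs"]
        has_creds = "UserName" in a or "Password" in a
        if has_creds and a.get("MapIncomingUser", "false").lower() == "true":
            problems.append(f"group {name}: UserName/Password and MapIncomingUser=true are exclusive")
        if a.get("DomainName") == "":
            problems.append(f"group {name}: DomainName must not be an empty string")
        if not g["cmdlets"] and not g["modules"]:
            problems.append(f"group {name}: grants no Cmdlets and no Modules")
    for name, u in config["users"].items():
        if u.get("GroupName") not in config["groups"]:
            problems.append(f"user {name}: GroupName {u.get('GroupName')!r} is not a defined group")
    return problems


def allowed_cmdlets(config, user_name):
    """Cmdlets a user may run via its group; empty if the user or group is unknown."""
    group_name = config["users"].get(user_name, {}).get("GroupName")
    group = config["groups"].get(group_name)
    return set(group["cmdlets"]) if group else set()


def can_run(config, user_name, cmdlet):
    return cmdlet in allowed_cmdlets(config, user_name)


def cmdlets_only_in(config, group_a, group_b):
    """Cmdlets granted to group_a that group_b does not have (for role review)."""
    a = config["groups"].get(group_a, {}).get("cmdlets", set())
    b = config["groups"].get(group_b, {}).get("cmdlets", set())
    return sorted(a - b)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for user in cfg["users"]:
        print(user, "->", sorted(allowed_cmdlets(cfg, user)))
    print("NonAdminGroup but not AdminGroup:", cmdlets_only_in(cfg, "NonAdminGroup", "AdminGroup"))
    for p in validate(cfg):
        print("PROBLEM:", p)
```

Run it against the real file with `load_config(open(path, encoding="utf-8").read())`; a non-empty result from `validate` is a reason not to deploy the policy, and `cmdlets_only_in` makes the asymmetry between the two roles explicit.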
    
© 2014 Microsoft