Policy Stores, Applications, and Scopes

Authorization policy stores, applications, and scopes represent different levels of organization of Authorization Manager policy. A policy store can contain one or more applications, and an application can contain one or more scopes.

Authorization Policy Stores

In the Authorization Manager API, an authorization policy store is represented by an IAzAuthorizationStore object. The authorization policy store contains definitions and assignments of applications, scopes, operations, tasks, roles, and user groups.

An authorization policy store can be stored either as an XML file or in Active Directory.

An application must initialize an authorization policy store before changing information in the store or using the store policy to check client access to resources.

An authorization policy store can contain one or more IAzApplication objects that each represent authorization policy for a specific application.


Applications

In the Authorization Manager API, an application is represented by an IAzApplication object. An authorization policy store can contain authorization policy information for many applications. Using IAzApplication objects allows you to store different authorization policy for different applications in a single policy store.

An authorization policy store must contain at least one application.


Scopes

In the Authorization Manager API, a scope is represented by an IAzScope object. Scopes provide an additional, optional level of organization for an authorization policy. An application can contain one or more scopes, but need not contain any (Authorization Manager provides a default, application-wide scope).

A scope is a subdivision within an application that separates resources from other resources that are used by that application. If you have Authorization Manager groups, role assignments, role definitions, or task definitions that you do not want to apply to an entire application, you can create them at the scope level.


Delegation

Authorization policy stores that are stored in Active Directory support delegation of administration. Administration can be delegated to users and groups at the store, application, or scope level. Each level defines administrative roles for the policy at that level. To delegate control to a user or group, assign them to the administrator role; to allow a user or group to read the policy, assign them to the reader role.

Administrators of a store, application, or scope can read and modify the policy store at the delegated level. Readers can read the policy store at the delegated level but cannot modify the store.
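The following PowerShell script is an added example, not code from the original page. It builds the store, application, and scope hierarchy through the Authorization Manager COM objects and, for an Active Directory store, assigns a store-level reader and an application-level administrator. The store URL, the names Expense and Travel, and the EXAMPLE\ accounts are placeholders chosen for illustration, and the script assumes the store does not exist yet.

```powershell
# Added example: store URL, application/scope names and accounts are placeholders.
param(
    [string]$StoreUrl = 'msxml://C:\Temp\ExampleStore.xml',  # use an msldap:// URL for Active Directory
    [string]$AppAdmin = 'EXAMPLE\expense-admins',            # placeholder group
    [string]$Reader   = 'EXAMPLE\auditors'                   # placeholder group
)

$AZ_AZSTORE_FLAG_CREATE = 1   # create a new store at $StoreUrl

# The store must be initialized before its policy can be read or changed.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $StoreUrl, $null)
$store.Submit(0, $null)

# A store must contain at least one application (IAzApplication).
$app = $store.CreateApplication('Expense', $null)
$app.Submit(0, $null)

# Scopes are optional; policy defined on a scope applies only to that
# subdivision of the application rather than to the whole application.
$scope = $app.CreateScope('Travel', $null)
$scope.Submit(0, $null)

# The page describes delegation for Active Directory stores, so the role
# assignments are applied only when the store URL is an msldap:// URL.
if ($StoreUrl -like 'msldap://*') {
    # Reader role at store level: can read the policy, cannot modify it.
    $store.AddPolicyReaderName($Reader, $null)

    # Administrator role at application level only. The account is first
    # registered on the store as a delegated policy user so it can open
    # the store without being a store administrator.
    $store.AddDelegatedPolicyUserName($AppAdmin, $null)
    $app.AddPolicyAdministratorName($AppAdmin, $null)

    $store.Submit(0, $null)
    $app.Submit(0, $null)
}

# Walk the hierarchy that was just written: store -> applications -> scopes.
foreach ($a in $store.Applications) {
    "Application: $($a.Name)"
    foreach ($s in $a.Scopes) {
        "  Scope: $($s.Name)"
    }
}
```

Assigning the administrator role at the lowest level that covers the delegate's responsibilities, and the reader role where only review is needed, keeps each delegation within the boundary the store, application, or scope defines.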

Related topics

Creating an Authorization Policy Store Object in C++
Creating an Application Object in C++
Delegating the Defining of Permissions in C++