AzMan (Windows Authorization Manager) is a role-based access control (RBAC) framework that provides an administrative tool to manage authorization policy and a runtime that allows applications to perform access checks against that policy.
The AzMan administration tool (AzMan.msc) is supplied as a Microsoft Management Console (MMC) snap-in. Role-based authorization policy specifies access in terms of user roles that reflect an application's authorization requirements. Users are assigned to roles based on their job functions and these roles are granted permissions to perform related tasks.
Authorization policy is managed separately from an application’s code. The application designer defines the set of low-level operations that are considered security sensitive and then defines a set of tasks that map onto those operations. The tasks, but not the operations, are designed to be understandable by administrators and business analysts.
Administrators use the AzMan snap-in to manage which roles should have access to which tasks. As the business evolves and roles need to be modified, the administrator makes changes to the authorization policy; the underlying business application does not need to be changed. Federation-aware applications employ AzMan for access control decisions by mapping federation claims to AzMan roles.
