AzMan vs other approaches for .Net app security?

kaborka - 30 Jan 2007 00:21 GMT
I'm developing a new .Net 2.0 app for one of my corporate clients.  What
I've done for them in the past is provide role-based security in their VB6
apps.  I'm considering having task-level security in the new apps, now
that they are on Active Directory, and possibly using Authorization Manager.
It's been about two years since I read about AzMan, and I'm wondering if this
is still the best approach for managing user permissions in a C# app at
task-level granularity.

They'd probably get by just fine with role-based, as we used in VB6, with
user role membership stored in the app's database and checked by the app
on startup.  If AzMan doesn't cost too much in overhead, it might be a more
elegant solution.

I originally posted this in
microsoft.public.windows.server.active_directory, and got a thoughtful
response from Joe Kaplan, which I reprinted below.  I am curious what
participants in this ng think of AzMan vs other solutions.

______________________________
Reply by Joe Kaplan

This probably isn't the right newsgroup for this, as this group tends to be
more "infrastructure" focused.  I'd suggest starting your thread on
microsoft.public.dotnet.security and/or
microsoft.public.platformsdk.security.

That said, AzMan is a very good framework for using role-based security in
.NET applications and gives you a lot of power and flexibility.  It has a
curve associated with it in terms of getting all of the configuration stuff
working, but it is one of the best ways available to apply very granular
operation-level security.

.NET also has some higher-level ways of doing this stuff that have less
power but a lower cost of admission.  The standard .NET IPrincipal interface
has an IsInRole method that can be used for simple role checks.  You can
easily roll your own IPrincipal and create the role memberships from a
variety of stores or you can use one of the built-in ones.  For example, the
WindowsPrincipal implementation gives you a Boolean response to IsInRole
based on the Windows user's security group membership.  This can be very
helpful in some situations, as your permissions can be delegated directly
from AD.  Sometimes you want to have an intermediary layer that translates
in between AD groups and app-specific roles though.  In that case, AzMan may
be the way to go (it does that) or some other framework you implement
yourself.

Role-based security in apps is a complex area and you have a ton of options.
It isn't always easy to pick the model that gives you the best
flexibility/complexity ratio.  I do recommend you use the built-in stuff as
much as possible though, as .NET does contain a bunch of stuff that tries to
get you part of the way there.  This is much better than we had in VB6.

Best of luck!

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
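
The reply above mentions rolling your own IPrincipal as a layer between AD groups and app-specific roles. The sketch below is an added example, not code from any participant in this thread or from AzMan: it wraps another principal, maps its groups to app roles, and maps roles to task-level operations with deny-by-default checks. The names AppPrincipal and CanPerform, and all group, role and operation names, are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical wrapper: maps directory groups to app roles, and app roles to operations.
public sealed class AppPrincipal : IPrincipal
{
    private readonly IPrincipal _inner;  // a WindowsPrincipal in production
    private readonly HashSet<string> _roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    private readonly HashSet<string> _ops = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public AppPrincipal(IPrincipal inner, IDictionary<string, string[]> groupToRoles,
                        IDictionary<string, string[]> roleToOps)
    {
        _inner = inner;
        foreach (var map in groupToRoles)
            if (inner.IsInRole(map.Key))          // group check delegated to the inner principal
                _roles.UnionWith(map.Value);
        foreach (string role in _roles)
        {
            string[] ops;
            if (roleToOps.TryGetValue(role, out ops)) _ops.UnionWith(ops);
        }
    }

    public IIdentity Identity { get { return _inner.Identity; } }
    public bool IsInRole(string role) { return _roles.Contains(role); }
    // Deny by default: an operation no role grants is refused.
    public bool CanPerform(string operation) { return _ops.Contains(operation); }
}
public static class Demo
{
    public static void Main()
    {
        // Constructed sample data. GenericPrincipal stands in for
        // new WindowsPrincipal(WindowsIdentity.GetCurrent()) so the example runs anywhere.
        IPrincipal directoryUser = new GenericPrincipal(
            new GenericIdentity(@"CORP\jsmith"), new[] { @"CORP\AP-Clerks" });
        var groupToRoles = new Dictionary<string, string[]> {
            { @"CORP\AP-Clerks", new[] { "InvoiceEntry" } },
            { @"CORP\AP-Managers", new[] { "InvoiceEntry", "InvoiceApproval" } } };
        var roleToOps = new Dictionary<string, string[]> {
            { "InvoiceEntry", new[] { "Invoice.Create", "Invoice.Edit" } },
            { "InvoiceApproval", new[] { "Invoice.Approve" } } };
        var user = new AppPrincipal(directoryUser, groupToRoles, roleToOps);
        foreach (string op in new[] { "Invoice.Edit", "Invoice.Approve", "Invoice.Delete" })
            Console.WriteLine("{0}: {1}", op, user.CanPerform(op) ? "allowed" : "denied");
    }
}
```

Because application code asks only `CanPerform("Invoice.Approve")`, AD group names stay out of the business logic and the two mapping tables can live in the app's database or configuration.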

Dominick Baier - 30 Jan 2007 10:05 GMT
If you need the features of AzMan (the abstraction layer, operations, scopes)
then AzMan is the way to go...

if you simply need roles - AzMan could be quite an overhead (not performance,
but setup and operations).

-----
Dominick Baier (http://www.leastprivilege.com)

> I'm developing a new .Net 2.0 app for one of my corporate clients.
> What
[quoted text clipped - 55 lines]
>
> Joe K.
