I've created a web application that uses Microsoft AzMan, and it works just fine until you have multiple users. I'm almost 100% certain that AzMan is caching the same stuff for multiple users.
To simplify it a bit, the problem I'm seeing is user A goes to the site and has full access, the user is granted the correct access and can work just fine. Then user B goes to the site, only has view access, but because AzMan has already seen user A's full access, it grants full access to user B as well.
I'm using the AddStringSids method when creating the client context because it's the only method that would work for every situation. Is there a problem with this? We used to not have this problem when we were creating client contexts from a token.
The following is the exact code I'm using to create the context. app is an IAzApplication2 variable, and ClientContext.SID is a SecurityIdentifier for the user in question.
    // Create an empty client context for the application, then populate it with the user's SID.
    IAzClientContext2 cctx = app.InitializeClientContext2("AppNameHere", null);
    // AddStringSids expects a VARIANT holding an array of SID strings; the "as object" cast is redundant but harmless.
    cctx.AddStringSids(new object[] { (object)ClientContext.SID.ToString() } as object);
EDIT: I am not using the ASP.Net role provider at all since that would require the application to be aware of roles. I'm only using the COM API.
EDIT 2: Also, if user B logged in first, then user A does not have access when he logs in. So it isn't just keeping the highest level of access.
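To rule out shared context state while debugging a cross-user authorization leak like the one described above, the following added example (C#, not code from the original post) builds a brand-new IAzClientContext2 for every access check, uses it once and releases it, so no SID list or evaluated result can survive from one user's request into another's. It also evaluates two users back to back from the same process, which makes a leak visible as both users receiving identical answers. The store path, the operation IDs and the object name passed to AccessCheck are placeholders; the application name is the one from the post.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles; // AzMan COM interop assembly (assumed to be referenced)

// Added example: one client context per access check, never shared between users.
public static class AzManPerRequestCheck
{
    private const string StorePath = "msxml://C:\\path\\to\\store.xml"; // placeholder store location
    private const string AppName = "AppNameHere";                        // application name from the post
    private const int ViewOperationId = 1;                               // placeholder operation ID
    private const int EditOperationId = 2;                               // placeholder operation ID

    // The store/application handle can be shared process-wide; the client context must not be.
    private static readonly IAzApplication2 App = OpenApplication();

    private static IAzApplication2 OpenApplication()
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, StorePath, null);
        return (IAzApplication2)store.OpenApplication(AppName, null);
    }

    // Returns true when the given user SID is granted the operation.
    // A fresh context is created for this call alone and released afterwards.
    public static bool IsGranted(SecurityIdentifier userSid, int operationId)
    {
        IAzClientContext2 cctx = App.InitializeClientContext2(AppName, null);
        try
        {
            // AddStringSids takes a VARIANT holding an array of SID strings.
            cctx.AddStringSids(new object[] { userSid.ToString() });

            object results = cctx.AccessCheck(
                "PerRequestCheck",               // free-text object name recorded in audits (placeholder)
                new object[] { "" },             // empty scope name = check at application level
                new object[] { operationId },    // operations to evaluate
                null, null, null, null, null);   // no BizRule parameters or interfaces

            // One result per operation: 0 (NO_ERROR) means granted, 5 (ERROR_ACCESS_DENIED) means denied.
            int[] codes = (int[])results;
            return codes.Length == 1 && codes[0] == 0;
        }
        finally
        {
            // Release the COM object so nothing from this user's evaluation lingers.
            Marshal.ReleaseComObject(cctx);
        }
    }

    // Diagnostic: evaluate two users from the same process. If user B's answers
    // change depending on whether user A was checked first, state is being shared.
    public static void CompareUsers(SecurityIdentifier userA, SecurityIdentifier userB)
    {
        Console.WriteLine("A: view={0} edit={1}",
            IsGranted(userA, ViewOperationId), IsGranted(userA, EditOperationId));
        Console.WriteLine("B: view={0} edit={1}",
            IsGranted(userB, ViewOperationId), IsGranted(userB, EditOperationId));
    }
}
```

If the two users still receive the same result with a fresh context per call, the cause lies outside the context object (for example in the store contents or in how the SID is obtained), which narrows the search considerably.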