I'm using AzMan on Windows Server 2003, and I've written a management application that completely hides AzMan and the MMC from the security team. However, I'm having a hard time implementing one of the features in the MMC.

I have a role called User, and a role called Branch User which contains nothing but the User role. I want to assign the User role at the all data (Role Assignments) level, and the Branch User role at the scope level. However, I can't find a way to programmatically assign the Branch User role to a scope without it losing its definition. I can assign the role (by calling CreateRole on the scope) but it seems to just create a new blank role. When I right click it in the MMC, click on properties, and then Show Definition, it doesn't have anything.

Also, if I try to then call AddTask on that IAzRole object to add "User" to it, it doesn't quite work as expected. It will add all the tasks in the User role to my Branch User role, but not the role itself.

Is there a way to do this? I can't figure it out.

A: 

Yes, on WIN2k3 that is the correct way. Unfortunately in AzMan versions before Vista/Win2k8, a role definition is a Task with the task.IsRoleDefinition set to 1. It has its own well-named class in newer versions.

Basically CreateRole() is creating a Role Assignment, not a Role Definition (this doesn't necessarily need to have the name "Branch User", it could be anything). A Role Assignment contains the links between definitions of roles/tasks/operations and members/users.

You are then adding the Role "Branch User" to the Role Assignment using app.AddTask().

To do this only for a particular Scope you need to call app.OpenScope (or app.CreateScope, if new) which returns an IAzScope object. You can then do all the above on scope.CreateTask or scope.CreateRole.

Hope this helps.

Logic Labs
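The sequence the answer describes, written out as an added C# example against the AzRoles COM interop (this is not code from the question or the answer). It assumes an existing XML policy store at the placeholder path, an application named "MyApp", and placeholder member SIDs; the role definitions are created as tasks with IsRoleDefinition set, the "User" assignment is made at application level, and the "Branch User" assignment is made inside a scope and linked back to its definition with AddTask.

```csharp
using AZROLESLib; // COM interop for azroles.dll (AzMan on Win2k3)

class AzManScopeRoleExample
{
    static void Main()
    {
        // Store path and application name are placeholders for this example.
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, @"msxml://C:\AzMan\policy.xml", null);
        IAzApplication app = store.OpenApplication("MyApp", null);

        // An operation for the User role definition to reference (constructed).
        IAzOperation op = app.CreateOperation("ReadRecords", null);
        op.OperationID = 1;
        op.Submit(0, null);

        // On Win2k3 a role DEFINITION is a task flagged IsRoleDefinition.
        IAzTask userDef = app.CreateTask("User", null);
        userDef.IsRoleDefinition = true;
        userDef.AddOperation("ReadRecords", null);
        userDef.Submit(0, null);

        // "Branch User" definition nests the "User" definition.
        IAzTask branchUserDef = app.CreateTask("Branch User", null);
        branchUserDef.IsRoleDefinition = true;
        branchUserDef.AddTask("User", null);
        branchUserDef.Submit(0, null);

        // CreateRole creates a role ASSIGNMENT at application level;
        // AddTask links it to the definition, AddMember adds the principal.
        IAzRole userAssign = app.CreateRole("User", null);
        userAssign.AddTask("User", null);
        userAssign.AddMember("S-1-5-21-PLACEHOLDER-1001", null); // placeholder SID
        userAssign.Submit(0, null);

        // Scope-level assignment: open (or create) the scope, then repeat
        // the same CreateRole/AddTask/AddMember steps on the scope object.
        IAzScope scope = app.CreateScope("Branch01", null);
        IAzRole branchAssign = scope.CreateRole("Branch User", null);
        branchAssign.AddTask("Branch User", null);
        branchAssign.AddMember("S-1-5-21-PLACEHOLDER-1002", null); // placeholder SID
        branchAssign.Submit(0, null);
    }
}
```

Without the AddTask call on the scope-level IAzRole, the MMC shows exactly the empty definition described in the question, because the assignment is not yet linked to any definition.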
