Managing Users (ILOG Rules for .NET User Guides: Securing Rule Execution Server)

Rule Execution Server users are managed by assigning them to roles that determine security privileges. Role-based security allows system administrators to assign access permissions to users based on their job function rather than on their user identities. This type of security is easier to identify and maintain than user-based security.

Rule Execution Server provides two roles: ExecutionServerAdmin and ExecutionServerUser.

To set up user access you need to carry out the following tasks, in the order specified:

  1. Set the ILOG.Rules.ExecutionServer.Management.Role property in the Management Service.
  2. Install Microsoft's Authorization Manager Store (AzMan). AzMan is a general-purpose role-based security architecture for Windows.
  3. Create your own authorization store (optional).
  4. Assign users to a role.

Step 1: Set the Role Property

To be able to set up users you need to configure the Management Service configuration property: ILOG.Rules.ExecutionServer.Management.Role.

To set the role property
  1. On the Start menu, click All Programs > ILOG > ILOG Rule Execution Server for .NET > Configuration > Management Service Configuration.
  2. In the left pane of the Enterprise Library Configuration Tool, select Application Settings > ILOG.Rules.ExecutionServer.Management.Role.
  3. In the Value field, enter the value: enabled.
  4. You can set this field to enabled or disabled. These entries are not case-sensitive.
  5. Save the setting.
  6. Restart the Management Service for the change to take effect.

Step 2: Install the Authorization Manager Store

The Microsoft Authorization Manager (AzMan) is supported on Windows Server 2003, Service Pack 1 (SP1) or later, and Windows XP Professional.

AzMan comes as part of the default installation for Windows Server 2003, but if you do need to install it for any reason, you can download Windows Server 2003, SP1 from: http://windowsupdate.microsoft.com.

To install AzMan on Windows XP Professional
  1. Install the Windows Server 2003 Administration Tools Pack (adminpak.msi).
  2. The Administration Tools Pack provides server management tools that allow administrators to remotely manage Windows 2000 Servers and Windows Server 2003 family servers. You can download it from: http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en.
  3. If you are running Windows XP SP2 or later, you must also install SP1 or later of the Windows Server 2003 Administration Tools Pack.
  4. The Administration Tools Pack includes AzMan. However, it does not include the AzMan primary interop assembly. You need to install this separately.
  5. To install the AzMan primary interop assembly:
    1. Download the Windows 2000 Authorization Manager Runtime from: http://www.microsoft.com/downloads/details.aspx?FamilyID=7edde11f-bcea-4773-a292-84525f23baf7&DisplayLang=en.
    2. Run the installer to extract the component files, which include the primary interop assembly.
  6. Add the Authorization Manager user roles DLL to the Global Assembly Cache (GAC):
    1. From the Windows Control Panel, run the Microsoft .NET Framework Configuration Tool.
    2. Open the Manage Assembly Cache option and select Add an Assembly.
    3. Navigate to the Authorization Manager Runtime Installation Directory\pia\1.0 folder and add the Microsoft.Interop.Security.AzRoles.dll assembly to the cache.
      Note:
      1. The \pia folder contains the primary interop assembly for version 1.0 of AzMan. The \pia\1.2 folder contains the primary interop assembly for version 1.2 of AzMan. The version 1.2 AzMan COM object exposes additional interfaces that may be of interest to advanced AzMan users, but it adds no functionality to the ASP.NET Roles Management API.
      2. ILOG does not support the AzMan LDAP or Active Directory options.

Step 3: Create an Authorization Store (optional)

Rule Execution Server is delivered with an XML authorization store, which stores properties of the Rule Execution Server user roles. This file is located in <InstallDir>\Bin\Public Assemblies\AuthorizationStore.xml. You can either use this authorization store, or create another one by modifying the Management Service configuration file.

To create your own authorization store
  1. On the Start menu, click All Programs > ILOG > ILOG Rule Execution Server for .NET > Configuration > Management Service Configuration.
  2. In the left pane of the Enterprise Library Configuration Tool, select Data Access Application Block > Connection Strings > Authorization Services.
     [Figure: the Authorization Services connection string in the Enterprise Library Configuration Tool]
  3. In the ConnectionString field, replace the existing entry with the required authorization store name.
     If you are using an authorization store that is held in Active Directory, use the LDAP name. For example: CN=myStore,CN=Program Data,DC=nwtraders,DC=com.
     If you are using an XML-based authorization store, use a path and file name that is valid at runtime. For example: C:\AuthStores\MyStore.xml.
  4. Save the setting.
  5. Declare the following roles in the authorization store:
     - ExecutionServerUser
     - ExecutionServerAdmin
  6. Restart the Management Service for the change to take effect.

Please refer to the Microsoft documentation for more information about the Authorization Store.

Step 4: Assign Users to a Role

Having set up the user roles, installed Authorization Manager and, if required, created your own authorization store, you can now assign users to the relevant role.

To assign users to a role
  1. Open the Windows command prompt and type azman.msc to open the Authorization Manager MMC snap-in.
  2. Right-click the Authorization Manager Node and select Open Authorization Store.
  3. Browse to where your authorization store is held.
  4. The XML authorization store delivered with Rule Execution Server is located in: <InstallDir>\Bin\Public Assemblies\AuthorizationStore.xml.
  5. Click Node Role Provider, then Role Assignments.
  6. Right-click one of the two roles: ExecutionServerAdmin or ExecutionServerUser, and select Assign Windows Users and Groups.
  7. Type the Windows user ID of the user you want to assign.
  8. Click Check Names, then click OK.
  9. The user is assigned to the required Management Service user role.
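As an added example (not part of the ILOG documentation or product), the following Python script reads an AzMan XML authorization store, checks that both roles declared in Step 3 are present, and lists which SIDs hold ExecutionServerAdmin after the assignments made in Step 4. The element layout (AzAdminManager > AzApplication > AzRole > Member) and the sample SIDs are assumptions for this example, not taken from the shipped AuthorizationStore.xml.

```python
import xml.etree.ElementTree as ET

# The two roles the Management Service expects to find in the store.
REQUIRED_ROLES = ("ExecutionServerAdmin", "ExecutionServerUser")

# Constructed sample store, not the AuthorizationStore.xml shipped with the
# product. Element names follow the AzMan XML store layout as assumed here:
# AzAdminManager > AzApplication > AzRole, with each <Member> holding the SID
# of an assigned Windows user or group.
SAMPLE_STORE = """<?xml version="1.0" encoding="utf-8"?>
<AzAdminManager MajorVersion="1" MinorVersion="0" Description="">
  <AzApplication Name="RoleProvider" Description="">
    <AzRole Name="ExecutionServerAdmin" Description="">
      <Member>S-1-5-21-1000-2000-3000-1001</Member>
    </AzRole>
    <AzRole Name="ExecutionServerUser" Description="">
      <Member>S-1-5-21-1000-2000-3000-1001</Member>
      <Member>S-1-5-21-1000-2000-3000-1002</Member>
    </AzRole>
  </AzApplication>
</AzAdminManager>
"""

def audit_store(xml_text):
    """Return {"missing": [...], "members": {role: [sids]}, "admins": [sids]}.

    "missing" lists required roles the store does not declare; "admins" is
    the membership of ExecutionServerAdmin, the role worth reviewing regularly.
    """
    root = ET.fromstring(xml_text)
    members = {}
    for role in root.iter("AzRole"):
        name = role.get("Name", "")
        sids = {m.text.strip() for m in role.findall("Member") if m.text}
        members[name] = sorted(sids)
    return {
        "missing": [r for r in REQUIRED_ROLES if r not in members],
        "members": members,
        "admins": members.get("ExecutionServerAdmin", []),
    }

def audit_store_file(path):
    """Run the same check on a store on disk, e.g. C:\\AuthStores\\MyStore.xml."""
    with open(path, encoding="utf-8") as f:
        return audit_store(f.read())

if __name__ == "__main__":
    report = audit_store(SAMPLE_STORE)
    print("missing:", report["missing"] or "none", "| admins:", report["admins"])
```

Run it against the store path configured in Step 3 with audit_store_file to confirm the roles exist before restarting the Management Service.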

The following table summarizes the operations that each role can perform:

Operation                       Role
Create persistence schema       Execution Server Admin
Delete persistence schema       Execution Server Admin
Create rulesets                 Execution Server Admin
Delete rulesets                 Execution Server Admin
Update ruleset properties       Execution Server Admin
View rulesets                   Execution Server Admin / Execution Server User
Create RuleApp                  Execution Server Admin
Deploy RuleApps                 Execution Server Admin
Remove RuleApps                 Execution Server Admin
Fetch RuleApps                  Execution Server Admin / Execution Server User
View RuleApps                   Execution Server Admin / Execution Server User
Backup Rule Execution Server    Execution Server Admin
Restore Rule Execution Server   Execution Server Admin

See Also

Encrypting Data | Management Service Security | Execution Service Security | Logging and Tracing