

Scopes in Authorization Manager

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


A scope is a subdivision of an application that groups some of the resources the application uses and separates them from the rest of the application's resources. Scopes are optional. A scope can be a folder, an Active Directory container, a file-masked collection of files (for example, *.doc), a URL, or any other item that the application and its underlying authorization store can identify. Because authorization policy objects created in a scope apply only within that scope, you can use scopes to prevent unintended resource sharing and to support auditing and delegation.

If you have Authorization Manager groups, role assignments, role definitions, or task definitions that you do not want to apply to the entire application, create them at the scope level instead. Authorization Manager does not interpret scope names: the application that contains the scope must recognize the name and pass it when it performs an access check for a resource in that scope. For example, file-based applications might use scope names that include file names or paths. Web-based applications might use URL-based scope names. Registry applications might base scope names on registry hives, and Active Directory scope names could specify organizational units. You cannot define operations at the scope level; operations are always defined at the application level, and a scope can only assign them through tasks and roles.
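The following PowerShell script is an added example and is not part of the original page or of any Microsoft sample. It drives the Authorization Manager COM API (azroles.dll, ProgID AzRoles.AzAuthorizationStore) to build a throwaway XML store with two scopes, creates a role assignment in only one of them, and then runs AccessCheck against each scope and against the application level to show that the scope-level assignment does not leak outside its scope. The application, scope, operation, task and resource names (ScopeDemoApp, Finance, HR, ApproveInvoice, Approver, invoice-1001) and the operation ID 42 are made up for this example; the store file is created under %TEMP%.

```powershell
# Added example (not from the original page): demonstrates scope isolation in
# Authorization Manager using the AzRoles COM interfaces. Assumes azroles.dll is
# registered (Windows Server 2003 or later) and runs as a normal user; an XML
# store needs no elevation. All names below are invented for the demo.

$storePath = Join-Path $env:TEMP 'ScopeDemo.xml'
if (Test-Path $storePath) { Remove-Item $storePath }

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
# 1 = AZ_AZSTORE_FLAG_CREATE; the msxml:// prefix selects an XML (file) store.
$store.Initialize(1, "msxml://$storePath")
$store.Submit()

$app = $store.CreateApplication('ScopeDemoApp')
$app.Submit()

# Operations can only be defined at the application level, never on a scope.
$op = $app.CreateOperation('ApproveInvoice')
$op.OperationID = 42
$op.Submit()

# In this API a role definition is a task flagged IsRoleDefinition.
# It is defined application-wide here, but it could also live in a scope.
$roleDef = $app.CreateTask('Approver')
$roleDef.IsRoleDefinition = $true
$roleDef.AddOperation('ApproveInvoice')
$roleDef.Submit()

# Two scopes that partition the application's resources.
$finance = $app.CreateScope('Finance'); $finance.Submit()
$hr      = $app.CreateScope('HR');      $hr.Submit()

# Role assignment created inside the Finance scope only, granting the
# Approver role definition to the current user's SID.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$assignment = $finance.CreateRole('Approver')
$assignment.AddTask('Approver')
$assignment.AddMember($sid)
$assignment.Submit()

# Client context built from the SID string. Option 1 = AZ_CLIENT_CONTEXT_SKIP_GROUP:
# no group expansion is needed because the SID is a direct member of the role.
$ctx = $app.InitializeClientContextFromStringSid($sid, 1)

function Test-ScopeAccess([string]$ScopeName) {
    # AccessCheck returns one result per operation ID passed in:
    # 0 = NO_ERROR (allowed), 5 = ERROR_ACCESS_DENIED.
    # The empty string as scope name means the application level.
    $result = $ctx.AccessCheck('invoice-1001', @($ScopeName), @($op.OperationID),
                               $null, $null, $null, $null, $null)
    return [int]$result[0]
}

'{0,-12} result={1}' -f 'Finance',     (Test-ScopeAccess 'Finance')
'{0,-12} result={1}' -f 'HR',          (Test-ScopeAccess 'HR')
'{0,-12} result={1}' -f 'application', (Test-ScopeAccess '')

# Clean up the demo store.
Remove-Item $storePath
```

Given the semantics described above, only the Finance check should come back 0; the HR check and the application-level check should come back 5 (ERROR_ACCESS_DENIED), because the only role assignment exists inside the Finance scope. If an application passed the wrong scope name (or no scope name) for a resource, the access check would be evaluated against a different set of policy objects, which is why the mapping from resource to scope name is part of the application's security-critical code.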

Auditing scopes

Authorization Manager runtime auditing (auditing of access checks) is not available for scopes. Authorization store change auditing, which records modifications to the policy objects, is available for scopes contained in authorization stores that are stored in Active Directory. For more information about auditing, see Authorization Manager auditing.

Delegating scopes

Scopes within authorization stores that are stored in Active Directory support delegation, which lets you grant administrative control of a single scope without granting control of the whole application or store. For more information about delegating a scope, see Delegate a scope.

XML-based authorization stores do not support delegated administration. Even in an authorization store that is stored in Active Directory, you cannot delegate a scope that contains task definitions or role definitions that include authorization rules (scripts that run at access-check time), because a delegated administrator could otherwise supply script that runs in the application's security context.