Getting Started with NetSqlAzMan for .NET Authorization

Migrating from Microsoft's Authorization Manager (AzMan) to NetSqlAzMan is a common transition for legacy .NET applications. AzMan is deprecated and relies on outdated MMC snap-ins, whereas NetSqlAzMan offers a modern, SQL Server-backed alternative with active community roots and better performance for .NET environments. Here is a comprehensive guide to executing this migration.

Migrating from Authorization Manager (AzMan) to NetSqlAzMan

Why Migrate?

Microsoft deprecated Authorization Manager (AzMan) starting with Windows Server 2012 R2. Continued reliance on AzMan introduces risks, including compatibility issues with modern Windows Server environments, lack of native support in .NET Core/.NET 5+, and reliance on an obsolete Management Console (MMC) interface. NetSqlAzMan serves as an excellent replacement because it:

Stores all authorization rules directly in SQL Server.

Eliminates the need for Active Directory or XML-based AzMan stores.

Provides a native .NET API for seamless integration.

Supports runtime evaluation of complex, custom business rules.

Step 1: Analyze the Existing AzMan Architecture

Before moving data, you must map how your current application uses AzMan.

Identify the Store Type: Determine if your AzMan store is XML-based, Active Directory-integrated (AD), or stored in Active Directory Application Mode (ADAM/AD LDS).

Document the Hierarchy: Export the structure of your Operations, Tasks, Roles, and Role Assignments.

Isolate Business Rules (BizRules): Identify tasks that use script-based BizRules (VBScript or JScript), as these cannot be directly executed by NetSqlAzMan and will require refactoring.

Step 2: Set Up NetSqlAzMan

Database Creation: Run the NetSqlAzMan database creation scripts on your target SQL Server instance to generate the necessary tables, views, and stored procedures.

Install Management Console: Install the NetSqlAzMan Management Console to visually administer your new authorization store.

Define the Hierarchy: Create a new Storage, Application, and Item structure matching your original AzMan configuration.

Step 3: Data Migration Strategies

Option A: Automated Scripting (Recommended for Large Stores)

You can write a temporary .NET console application to read from the AzMan COM interface and write to NetSqlAzMan via its .NET API.

```csharp
// Conceptual migration snippet: copies AzMan Tasks into a NetSqlAzMan Application
// (the Store and Application are assumed to exist already, as created in Step 2).
using AZROLESLib;                 // AzMan COM interop (azroles.dll)
using NetSqlAzMan;
using NetSqlAzMan.Interfaces;

AzAuthorizationStoreClass azStore = new AzAuthorizationStoreClass();
azStore.Initialize(0, @"msxml://C:\AzManStore.xml", null);   // flags 0: open the existing store
IAzApplication azApp = azStore.OpenApplication("YourApp", null);

IAzManStorage dbStore = new SqlAzManStorage("YourConnectionString");
IAzManStore store = dbStore.GetStore("YourStore");
IAzManApplication app = store.GetApplication(azApp.Name);

foreach (IAzTask azTask in azApp.Tasks)
{
    // Map AzMan Tasks to NetSqlAzMan Items of type Task
    app.CreateItem(azTask.Name, azTask.Description, ItemType.Task);
}
```

Option B: Manual Reconstruction (Best for Small Stores)

If your authorization store contains fewer than 50 roles and operations, manually recreating them using the NetSqlAzMan Management Console minimizes scripting overhead and allows you to clean up legacy, unused roles.

Step 4: Refactoring AzMan BizRules

AzMan allowed VBScript/JScript for dynamic runtime checks. NetSqlAzMan handles dynamic checks differently:

Extension Attributes: Use custom attributes on items or users to filter permissions.

Application-Level Logic: Move complex conditional checks (e.g., "Allow only if the document balance is under $5,000") out of the authorization store and into your .NET application code or custom .NET assemblies executed by NetSqlAzMan.

Step 5: Update the Application Code

Replace the legacy AzMan COM interop calls with the lightweight NetSqlAzMan client library.

Legacy AzMan Code:

```csharp
// Legacy AzMan access check (COM interop, AZROLESLib); token is the user's Windows token handle
IAzClientContext context = azApp.InitializeClientContextFromToken(token, null);
object[] scopes = { "" };                 // empty scope name = application-level scope
object[] operations = { OPERATION_ID };   // AzMan checks numeric operation IDs, not names
object[] results = (object[])context.AccessCheck("Audit", scopes, operations, null, null, null, null, null);
bool isAuthorized = ((int)results[0] == 0);   // 0 (NO_ERROR) means access granted
```

New NetSqlAzMan Code:

```csharp
// NetSqlAzMan access check: Store -> Application -> Item, evaluated for a WindowsIdentity
IAzManStorage storage = new SqlAzManStorage("YourConnectionString");
AuthorizationType result = storage.CheckAccess("YourStore", "YourApplication", "OperationName",
                                               WindowsIdentity.GetCurrent(), DateTime.Now, false);
// AllowWithDelegation is also a positive verdict; anything else (Neutral, Deny) is not
bool isAuthorized = result == AuthorizationType.Allow || result == AuthorizationType.AllowWithDelegation;
```

Step 6: Testing and Deployment

Parallel Execution: Run both authorization providers simultaneously in a staging environment. Log differences in access check results to identify missing role mappings.

Performance Benchmarking: Validate that the SQL-backed NetSqlAzMan store handles concurrent authorization requests without causing database bottlenecks.

Production Cutover: Update the application configuration connection strings so that they point to the NetSqlAzMan database, then decommission the old AzMan XML files or Active Directory schemas.
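The parallel-execution check from Step 6, combined with the two access-check calls from Step 5, as an added example written for this guide (not code from the NetSqlAzMan project): a shadow authorizer that evaluates every request against both providers, keeps the legacy AzMan verdict authoritative during staging, and logs each disagreement so missing role or operation mappings surface before cutover. It assumes the store name and application name from Step 2, a one-to-one mapping of operation names between the two stores, and a caller-supplied log delegate.

```csharp
using System;
using System.Security.Principal;
using AZROLESLib;                 // legacy AzMan COM interop (azroles.dll)
using NetSqlAzMan;
using NetSqlAzMan.Interfaces;

// Shadow-mode authorizer: both providers are queried, AzMan still decides,
// NetSqlAzMan disagreements are logged for investigation.
public sealed class ShadowAuthorizer
{
    private readonly IAzApplication azApp;        // legacy AzMan application
    private readonly IAzManStorage storage;       // NetSqlAzMan storage
    private readonly string storeName, appName;   // assumed: names chosen in Step 2
    private readonly Action<string> log;          // assumed: caller-supplied sink

    public ShadowAuthorizer(IAzApplication azApp, IAzManStorage storage,
                            string storeName, string appName, Action<string> log)
    {
        this.azApp = azApp; this.storage = storage;
        this.storeName = storeName; this.appName = appName; this.log = log;
    }

    public bool CheckAccess(WindowsIdentity user, string operationName)
    {
        // Legacy verdict: AzMan works on numeric operation IDs, so resolve the
        // operation by name first (assumes one AzMan operation per name).
        IAzOperation op = azApp.OpenOperation(operationName, null);
        IAzClientContext ctx =
            azApp.InitializeClientContextFromToken((ulong)user.Token.ToInt64(), null);
        object[] results = (object[])ctx.AccessCheck("Audit",
            new object[] { "" },                 // application-level scope
            new object[] { op.OperationID },
            null, null, null, null, null);
        bool legacyAllowed = (int)results[0] == 0;   // 0 (NO_ERROR) = granted

        // New verdict: the NetSqlAzMan Operation item with the same name.
        AuthorizationType verdict = storage.CheckAccess(storeName, appName, operationName,
                                                        user, DateTime.Now, false);
        bool newAllowed = verdict == AuthorizationType.Allow
                       || verdict == AuthorizationType.AllowWithDelegation;

        if (legacyAllowed != newAllowed)
            log($"MISMATCH user={user.Name} op={operationName} " +
                $"azman={legacyAllowed} netsqlazman={verdict}");

        return legacyAllowed;   // switch to newAllowed once the mismatch log stays empty
    }
}
```

Run the staging traffic through this wrapper for a full business cycle; every MISMATCH line points at a role, task or operation that was not migrated faithfully.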

