Authorization

In Microsoft Provisioning Framework (MPF), authorization verifies that the caller for a provisioning request is allowed to execute the actions in the request. Authorization occurs at three points in the processing cycle: when requests are submitted from the client to the provisioning engine or queue manager, during calls from the provisioning engine to namespaces and procedures, and during calls from MPF to providers of external services.

Authorization During Request Submittal

Microsoft Provisioning Framework (MPF) recognizes two types of provisioning requests:

Each kind of request has a corresponding application programming interface (API) method that submits it to a provisioning engine or queue manager, depending on whether the request is to be executed immediately or later.

MPF provides two APIs that submit requests to the framework: IProvEngine and IProvQueue. IProvEngine is used for new requests and IProvQueue is used for queued requests. The methods for untrusted and trusted requests are listed in the following tables.

Table: Untrusted Requests

Submitted to API/Method
Provisioning engines IProvEngine::SubmitRequest
Queue managers IProvQueue::SubmitRequest

Table: Trusted Requests

Submitted to API/Method
Provisioning engines IProvEngine::SubmitTrustedRequest, Web service
Queue managers IProvQueue::SubmitTrustedRequest

A caller's authority to execute these APIs is managed with Provisioning Manager, using the Requests Security property of both provisioning engines and queue managers.

After receiving requests, MPF clients do not directly perform authorization on callers, but they do build the COM security context and pass it to the provisioning engine. The two client properties MPF uses to do this, Capabilities and Impersonation level, are configured in Provisioning Manager.

Authorization During Calls to Namespaces and Procedures

In Microsoft Provisioning Framework (MPF), authorization to call a namespace can be restricted to trustees that are members of a discretionary access control list (DACL). By configuring the Security property of a namespace, you can implement DACLs globally for all procedures in that namespace. You can also configure DACLs separately for individual procedures by configuring the Security property of each procedure.

At the procedure level, authorization is also governed by two other factors:

Authorization During Calls to External Services

In Microsoft Provisioning Framework (MPF), requests that call external services such as Active Directory pass their security context to providers. Once the service receives the MPF security context, it can perform its own authorization.

To pass security context to a provider, the trusted attribute in the request's execute or queue node must be set to 1. The provider can then use this information to modify the security context of the call to the external service. For example, the HTTP and SOAP Provider does this when initiating an HTTP request with basic authentication. If the request's execute or queue node sets the impersonate attribute to 1, what happens next depends on whether the request's securityContext node contains basic or Kerberos authentication credentials:

If security checking will take place at another level (for example during calls to namespaces), it might be preferable to configure MPFServiceAcct with all rights and simply pass that context instead of implementing Kerberos delegation.