|
|
|
|
MPS provides a flexible model for namespace developers to dictate which security principal an action will be performed under. It is important when designing components for MPS to take this model into account and use it to define the most secure service possible. While elevation of privilages is sometimes required to perform complex provisioning tasks in a shared environment, its should be used rarely.
The following table summarizes the logic flow of security processing for provisioning requests in Microsoft Provisioning Framework (MPF).
Table: Example Procedure and Truth Table
| Value of @impersonate | Basic Authentication Credential securityContext | "Execute as" User on Procedure 2 | Value of @Impersonate | Resulting User Context |
|---|---|---|---|---|
| 0 | Irrelevant (not used even if specified) | Irrelevant (not used even if specified) | 0 | MPFServiceAcct |
| 1 | Basic authentication user | NULL | 0 | Basic authentication credentials |
| 1 | NULL | NULL | 0 | Calling user |
| 2 | Irrelevant (not used even if specified) | Not used | 0 | MPFServiceAcct |
| Not specified | Basic authentication user | NULL | 1 | Basic authentication Credentials |
| Not specified | NULL | NULL | 1 | Calling user |
| Not specified | Irrelevant (not used even if specified) | Irrelevant (not used even if specified) | 2 | MPFServiceAcct |
| 1 | Irrelevant (not used even if specified) | "Execute as" user | 0 | "Execute as" user |
| Not specified | Irrelevant (not used even if specified) | "Execute as" user | 1 | "Execute as" user |
The Result column of the preceding table lists the account under which MPF would run Procedure3 in the following example, given various combinations of @impersonate, "execute as" credentials, and a basic authentication credential in the request passed to procedure 1.
<namespace name="namespace1">
<procedure name="Procedure1">
<execute procedure="Procedure2" namespace="Namespace1" impersonate="0" /><!-column 1-->
</procedure>
<procedure name="Procedure2" >
<execute procedure="Procedure3" namespace="Namespace2" impersonate="0"><!-column 2-->
</procedure>
</namespace>
For more information on how security is implemented in MPF, see the other security topics covered in Security in Microsoft Provisioning Framework.