Access Control Basics

As Microsoft® Provisioning Framework (MPF) processes a provisioning request, it performs the following security checks.

Authentication is the process of assigning an identity to each procedure step in the request. MPF derives this identity from the step's . Basic authentication and Kerberos delegation are two authentication models supported by MPF. To simplify administration, users can be assigned to MPF accounts and groups.
Authorization is the process of verifying that an identity is allowed to call the procedure or access the resource named in the procedure step When a client receives a request, it builds the COM security context for the request and passes it to the provisioning server. When converting SOAP requests into MPF requests, SOAP ISAPI verifies that the caller is allowed to submit SOAP requests. For more information, see . Provisioning servers perform authorization during request submission and during calls to namespaces, procedures, and external services such as Microsoft® Active Directory®. For more information, see Authorization During Calls to Namespaces and Procedures and Authorization During Calls to External Services.
Access to such as the MPF databases and the Windows® is controlled by membership in MPF groups.

For access control, MPF supports scenarios such as the following.

Scenario	Advantages	Disadvantages
Client-side access control: A Web server or other front-end component performs all security checks before the request is submitted to MPF. MPF executes requests to external services based on the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. For the latter, MPFServiceAcct must be granted access to the external services.	Concentrates security checking on the front end. Does not require Kerberos delegation or basic authentication.	Loss of granularity on external access control. Assumes that the client that invokes MPF is secure.
Windows® access control: MPF executes requests based on the COM security context of the calling user, using Kerberos delegation or basic authentication to impersonate that user in requests to external services. MPF does not perform security checking.	Authentication is done at the back end, close to the actual data. Leverages Windows security context.	Requires either Kerberos delegation or basic authentication credentials. Extra effort to set up users with security privileges for external services.
MPF access control: Provisioning servers perform security checking based on the identity's right to access: Namespaces A submit or submit trusted request method for IProvEngine or IProvQueue Public and private procedures External services (for example, before accessing Microsoft® SQL Server, a caller may have to be authorized to call Active Directory) MPF executes requests to external services based on the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. For the latter, MPFServiceAcct must be granted access to the external services.	Concentrates security checking in MPF. Does not require Kerberos delegation. Simplifies external access control.	Loss of granularity on external access control. Assumes that MPF is secure.

Scenario

Advantages

Disadvantages

Client-side access control: A Web server or other front-end component performs all security checks before the request is submitted to MPF. MPF executes requests to external services based on the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. For the latter, MPFServiceAcct must be granted access to the external services.

Concentrates security checking on the front end.
Does not require Kerberos delegation or basic authentication.

Loss of granularity on external access control.
Assumes that the client that invokes MPF is secure.

Windows® access control: MPF executes requests based on the COM security context of the calling user, using Kerberos delegation or basic authentication to impersonate that user in requests to external services. MPF does not perform security checking.

Authentication is done at the back end, close to the actual data.
Leverages Windows security context.

Requires either Kerberos delegation or basic authentication credentials.
Extra effort to set up users with security privileges for external services.

MPF access control: Provisioning servers perform security checking based on the identity's right to access:

Namespaces
A submit or submit trusted request method for IProvEngine or IProvQueue
Public and private procedures
External services (for example, before accessing Microsoft® SQL Server, a caller may have to be authorized to call Active Directory)

MPF executes requests to external services based on the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. For the latter, MPFServiceAcct must be granted access to the external services.

Concentrates security checking in MPF.
Does not require Kerberos delegation.
Simplifies external access control.

Loss of granularity on external access control.
Assumes that MPF is secure.