You can query role members with AzManPermissions. This requires a direct connection to the AzMan store, so if you need this functionality on a client that has no direct connection to the store, you have to implement a service wrapper over these features.
To use any of these features, first specify the AzMan connection string and application name as described in Connect to authorization store directly.

Members in a role
You can retrieve the SID of every member explicitly assigned to an AzMan role with the AzManOperationHelper.MembersInRole method.
Example:
  string[] roleUsers = AzManOperationHelper.MembersInRole("rolename");

You will get the SID of every Windows account (user or group) that is assigned explicitly to the specified role.
Note that you won't get information about implicitly assigned accounts (for example, accounts that are members of a group explicitly assigned to the role).

Member names in a role
You can retrieve the name of every member explicitly assigned to an AzMan role with the AzManOperationHelper.MemberNamesInRole method.
Example:
  string[] roleUserNames = AzManOperationHelper.MemberNamesInRole("rolename");

You will get the name of every Windows account (user or group) that is assigned explicitly to the specified role. The format of the name is mostly the UPN (user principal name), but sometimes the SAM account name format. I can't figure out why this happens, as I always call the same AzMan function.
Note that you won't get information about implicitly assigned accounts (for example, accounts that are members of a group explicitly assigned to the role).

All members in a role
You can retrieve every member assigned to an AzMan role, explicitly or implicitly, with the AzManOperationHelper.AllMembersInRole method overloads.
Examples:
  MemberSearchResult[] roleUsers = AzManOperationHelper.AllMembersInRole("rolename");
  MemberSearchResult[] roleUsers = AzManOperationHelper.AllMembersInRole("rolename", "mail");
  MemberSearchResult[] roleUsers = AzManOperationHelper.AllMembersInRole("rolename", new string[] { "mail", "cn" });

You will get a MemberSearchResult for every Windows user account that is assigned explicitly or implicitly to the specified role. The method recursively resolves users through AD groups and AzMan application groups, and it also takes the non-member lists of AzMan application groups into account.
Each MemberSearchResult instance contains information about one user account. It exposes SID, DistinguishedName and AccountName properties for common tasks, and you can request any additional AD properties to collect for each user through the overloads (see the 2nd and 3rd examples).

Application group names in a role
You can retrieve the name of every AzMan application group explicitly assigned to an AzMan role with the AzManOperationHelper.AppMembersInRole method.
Example:
  string[] roleAppMembers = AzManOperationHelper.AppMembersInRole("rolename");

You will get the name of every application group that is assigned explicitly to the specified role.
Note that you won't get information about implicitly assigned application groups (for example, application groups that are members of another application group explicitly assigned to the role).
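The following is an added example, not code from the AzManPermissions project, that combines the four methods above into a single membership review of one role: it compares the explicitly assigned SIDs (MembersInRole) with the effective user membership (AllMembersInRole) so that accounts holding the role only through an AD group or application group are listed separately. It assumes the helper types live in a namespace named AzManPermissions, that MemberSearchResult.SID is a string, and that the connection string and application name have already been set as described at the top of this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using AzManPermissions; // assumed namespace of AzManOperationHelper and MemberSearchResult

public static class RoleMembershipAudit
{
    // Prints who effectively holds the role and which members hold it only
    // through group membership (the accounts an explicit-only query would miss).
    public static void ReportRole(string roleName)
    {
        // Explicit assignments: Windows account SIDs and AzMan application groups
        HashSet<string> explicitSids = new HashSet<string>(
            AzManOperationHelper.MembersInRole(roleName),
            StringComparer.OrdinalIgnoreCase);
        string[] appGroups = AzManOperationHelper.AppMembersInRole(roleName);

        // Effective user membership, resolved through AD groups and application
        // groups (and honouring application group non-member lists)
        MemberSearchResult[] effective = AzManOperationHelper.AllMembersInRole(roleName);

        Console.WriteLine("Role: {0}", roleName);
        Console.WriteLine("  explicit account assignments : {0}", explicitSids.Count);
        Console.WriteLine("  explicit application groups  : {0}", string.Join(", ", appGroups));
        Console.WriteLine("  effective user members       : {0}", effective.Length);

        // Users whose SID is not among the explicit assignments got the role
        // indirectly; these are the ones to review when auditing the role.
        IEnumerable<MemberSearchResult> inherited =
            effective.Where(m => !explicitSids.Contains(m.SID)); // SID assumed to be a string
        foreach (MemberSearchResult m in inherited)
        {
            Console.WriteLine("  inherited: {0} ({1})", m.AccountName, m.DistinguishedName);
        }
    }
}
```

Call RoleMembershipAudit.ReportRole("rolename") from code that runs with a direct connection to the store; on a client without one, expose the same method through the service wrapper mentioned at the top of this page.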

Last edited Aug 23, 2012 at 1:53 PM by pjenei, version 1