Following up on a previous post about using Authorization Manager to implement Role Based security in your application, I’ve created a simple example that shows how to use AzMan to control access to commands in ArcMap (or ArcCatalog, or anything really).
As noted in that post, if you are working on Windows XP you will need the Windows Server 2003 admin kit, which will install the AzMan library and it’s management console (azman.msc), which you will need before you can run the example.
About the Sample
Before we jump into the code and how to configure it on your system, let’s review the sample. The premise here is that you have two “special” types of users on your system – “managers” and “power users”. You want to create tools that are specifically for these users, but you also want to ensure that other users can not access to these tools. Maybe these tools allow the managers to grant formal “approval”, or allow the power user to circumvent some business logic to handle some corner cases. Whatever the reason, I’ve seen this to be a common scenario in Citrix hosted environments where everyone runs exactly the same dlls and you can’t solve the problem by simply not installing certain tools on some machines.
In the sample, the tools themselves do nothing more than pop message boxes indicating if you have access to the command – after all the point of the sample is how to apply security, not to implement some particular business logic. 
Getting it Running
The main thing you need to do is edit the AzMan repository to grant your self access to the commands. Once you have done that, you’ll need to edit the path to the AzMan repository file in the command classes. For a real implementation I’d suggest pulling the path to the repository from the ArcMap.exe.config file, or store it in an application extension.
Step by Step
First, download the code.
Next, unzip it somewhere. You should have a folder structure like the one shown below.
Assuming you have AzMan installed, go to Start –> run azman.msc. This will open AzMan. Right click on the top level node and navigate to the repository xml file shown above. Open this in AzMan. Open up the tree a little until you can see the Role Assignments folder.
Now, all you have to do is add yourself to the role. To do this, right click on the Role (Managers or Power Users) and select “Assign Windows Users and Groups…”. You will then get a standard windows dialog for selecting users and groups. Simply type in your windows login and click “Check Names”. If you are on a domain, you will need to add that in like this DOMAINusername. If you are using a local login, just your login name should be fine. Once you’ve added yourself, it should look like this…
Next, open the solution in Visual Studio 2005. Open up the ManagerCommand.cs and PowerUserCommand.cs files. You need to change the path to the AzMan file. There is a private member variable setup for this – just change the path to where your repository file is located.
private string _pathToAzManFile = “msxml://g:/your/path/here/dabo_repository.xml”;
Finally, build it. This will register the commands in ArcMap. Then open ArcMap, got to Tools –> Customize, and in the “DaBo_Sample” category you will find two commands – Manager Command and Power User Command.
Drag these onto a toolbar, and click away. Depending on your access, you’ll get different message boxes.
Summary
Although this sample is very simple, and by no means shows any sort of best practices as far as coding standards go, it does show how easy it is to use AzMan to check security credentials from within ArcMap. There are lots of places you can go from here, and over the following months I’ll post about some of the ways we are implementing this on various projects.
