Reputation: 12509
I'm using AzMan on Windows Server 2003, and I've written a management application that completely hides AzMan and the MMC from the security team. However, I'm having a hard time implementing one of the features in the MMC.

I have a role called User, and a role called Branch User which contains nothing but the User role. I want to assign the User role at the all data (Role Assignments) level, and the Branch User role at the scope level.

However, I can't find a way to programmatically assign the Branch User role to a scope without it losing its definition. I can assign the role (by calling CreateRole on the scope) but it seems to just create a new blank role. When I right click it in the MMC, click on properties, and then Show Definition, it doesn't have anything.

Also, if I try to then call AddTask on that IAzRole object to add User to it, it doesn't quite work as expected. It will add all the tasks in the User role to my Branch User role, but not the role itself.

Is there a way to do this?
Upvotes: 1
Views: 546
Reputation: 404
Yes, on WIN2k3 that is the correct way. Unfortunately in AzMan versions before Vista/Win2k8, a role definition is a Task with task.IsRoleDefinition set to 1. It has its own well-named class in newer versions.

Basically CreateRole() is creating a Role Assignment, not a Role Definition (this doesn't necessarily need to have the name Branch User, it could be anything). A Role Assignment contains the links between definitions of roles/tasks/operations and members/users.

You are then adding the Role Branch User to the Role Assignment using app.AddTask().

To do this only for a particular Scope you need to call app.OpenScope (or app.CreateScope, if new) which returns an IAzScope object. You can then do all the above on scope.CreateTask or scope.CreateRole.
Upvotes: 1
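The following is an added worked example, not code from the asker or the answerer, showing the answer's model end to end on the Windows Server 2003 AzRoles COM API from PowerShell: both role definitions are created as IAzTask objects with IsRoleDefinition set to 1, Branch User nests User by name (so the link to the role survives instead of its tasks being copied), and the scope-level IAzRole created with scope.CreateRole is only the assignment that points at the Branch User definition. The store path, application name, operation, scope name and member accounts are constructed placeholders; AddMemberName is assumed to be available on the target build (AddMember with a SID string is the older call).

```powershell
# Added example (not the answerer's code): role definitions vs. role assignments
# in a Windows Server 2003 AzMan store, driven through the AzRoles COM objects.
$storeUrl = 'msxml://C:\AzMan\example-store.xml'   # constructed path
$AZ_AZSTORE_FLAG_CREATE = 1                        # IAzAuthorizationStore.Initialize flag

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $storeUrl, $null)
$store.Submit(0, $null)

$app = $store.CreateApplication('BranchApp', $null)   # constructed application name
$app.Submit(0, $null)

# One operation the User role may perform (constructed name and id).
$op = $app.CreateOperation('ReadAccount', $null)
$op.OperationID = 1
$op.Submit(0, $null)

# On Win2k3 a role *definition* is an IAzTask whose IsRoleDefinition is 1.
$userDef = $app.CreateTask('User', $null)
$userDef.IsRoleDefinition = 1
$userDef.AddOperation('ReadAccount', $null)
$userDef.Submit(0, $null)

# "Branch User" definition: a role-definition task that nests the User definition.
# Nesting by name keeps the link to User itself rather than copying its tasks.
$branchDef = $app.CreateTask('Branch User', $null)
$branchDef.IsRoleDefinition = 1
$branchDef.AddTask('User', $null)
$branchDef.Submit(0, $null)

# Application-level role *assignment* for User (the "all data" level in the MMC).
$userAssign = $app.CreateRole('User', $null)
$userAssign.AddTask('User', $null)                 # link the definition
$userAssign.AddMemberName('EXAMPLE\alice', $null)  # constructed account
$userAssign.Submit(0, $null)

# Scope-level role assignment for Branch User: CreateRole on the scope only
# creates the assignment; AddTask with the definition's name fills "Show Definition".
$scope = $app.CreateScope('Branch-01', $null)      # constructed scope name
$scope.Submit(0, $null)
$branchAssign = $scope.CreateRole('Branch User', $null)
$branchAssign.AddTask('Branch User', $null)        # link, not a copy of User's tasks
$branchAssign.AddMemberName('EXAMPLE\bob', $null)  # constructed account
$branchAssign.Submit(0, $null)

# Check: the scope assignment should now list the Branch User definition.
$check = $scope.OpenRole('Branch User', $null)
'Definitions linked to the scope role:'
$check.Tasks
```

Run this on a machine with the AzRoles component registered (it ships with Windows Server 2003); the same calls work against an Active Directory store by changing the URL scheme from msxml:// to msldap://. The part that answers the original question is the last block: calling AddTask on the scope-level IAzRole with the name of a task that has IsRoleDefinition = 1 is what makes the definition appear, whereas passing User earlier in the thread pulled in User's tasks because the assignment resolves a plain task name to its contents.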