Before we leave the topic of access control behind and move on to other subjects, it is worth mentioning the Authorization Manager (AZMAN). AZMAN is not new in Windows Server 2008, but is not very well known. It is used to allow third-party developers to implement their own access control mechanisms, orthogonal to those provided by the operating system. Notably, developers can leverage AZMAN to implement a role-based access control (RBAC) system.

What we have described so far is identity-based access control. Instead of basing the access control on the identity of the subject, RBAC bases it on role membership. In and of itself this is not incompatible with identity-based access control, but the constructs used in RBAC are tied to a representation ...