In the previous section, we compiled and installed a COM+ application
that contained our example component. We used .NET attributes to
specify the COM+ security settings, but we need to complete the
component configuration before the component can be used. In this
section, we demonstrate how to assign roles to Windows user accounts
and then continue to demonstrate how the COM+ administration tool can
be used as an alternative to .NET attributes or as a means to alter
the security configuration specified using attributes.
1. Viewing the COM+ Catalogue
The collection of COM+ applications installed on a
computer is called the COM+ Catalogue. The catalogue is administered
with the Component Services tool, which is included in the
Administrative Tools section of the Windows Control Panels. Figure 1 shows the Component Services tool as it
appears when first started.
Figure 1. The Component Services tool
Expand the Component Services tree and drill down to the COM+
catalogue for the local computer; Figure 2 shows
the list of COM+ services for a standalone computer. The list of
applications includes our example application (called
SecurityProTracker, named after the assembly we
created) as well as system applications that operate as part of
Figure 2. The COM+ catalogue
2. Populating COM+ Application Roles
SecurityProTracker item, and you will see details
of the COM+ application that we created in the previous section. The
Component Services explorer provides
information grouped into Components, Legacy Components, and Roles.
Expanding the Roles item lists the roles defined by the application,
as shown in Figure 3.
Figure 3. The roles associated with the SecurityProTracker COM+ application
You will see icons representing the roles that we specified with the
SecurityRole attribute; these roles are Developer,
Manager, Tester, and User. You will also see another role, named
Marshaler—see the sidebar for details. The COM+ system
processed the attributes from our assembly to create these roles, but
they are not yet assigned to user accounts, and so clients cannot
access our component. In this section, we demonstrate the simple
process of assigning roles to user accounts in order to complete the
configuration of our example component.
When you install a serviced component that uses the
SecureMethod attribute, the COM+ system will
automatically create the Marshaler role. The
SecureMethod attribute indicates that you wish to
apply RBS access control on individual methods defined by the
component, so that, for example, users assigned the User role are
able to access only the ViewAllDefects method.
The problem this creates is that users with this role have not been
granted permission to create new instances of the component or to
manage the disposal of component instances (because the constructor
and the methods of the IDispose interface are not
exposed to the Developer role).
When assigning a role that has been applied to individual methods,
you should also assign the Marshaler role. Assigning the Marshaler
role to a user account grants that account permission to create new
instances of a component, and to call the methods defined by the
interfaces; in essence, assigning this role confers the right to
create and manage instances of a serviced component.
To assign a COM+ role to a user account, expand the role to reveal
the Users item, and right-click to display the menu shown in Figure 4.
Figure 4. Adding a new user to a COM+ role
Select the User item from the New menu to display the dialog box
illustrated by Figure 5. Assign a role by typing
the name of the user account into the text box—you can specify
multiple accounts by separating the account names with a semi-colon.
A useful feature is the ability to assign a role to a Windows group,
which is equivalent to assigning the role to all of the individual
accounts contained within the group. Figure 5
illustrates adding the users Tim, Tom, Tammy, and the group
"QA Group" to the COM+ Tester role.
Figure 5. The Select Users or Groups dialog
Pressing the OK button in the Select Users or Groups dialog assigns
the roles to the specified accounts and groups; Figure 6 shows the effect of adding Tim, Tom, Tammy,
and the QA Group to the Tester role.
Figure 6. The accounts and groups assigned the COM+ Tester role