Found this on Loren Halvorson's Blog...he (?) explains it best, so here's just a complete copy of what he wrote...
We are in the process of developing a common role based authorization layer for several of our applications and stumbled across the Microsoft's Authorization Manager. I had originally passed over it because I thought it was tied to Windows Server 2003, but it turns out that it runs on Windows 2000 which we are using in production, and Windows XP which developers use. On XP, just install the Windows Server 2003 Administration Tools Pack and you'll get it.
The idea seems great. It allows you to define logical operations like "CanApproveExpenseReports", map those to logical roles in your organization like "Manager". Then assign users to the roles. (The model is extremely flexible...I recommend Dave McPherson's article). There is a COM runtime and a .NET interop assembly for use from .NET, that allows your application to quickly check to see if the current user is allowed to perform some operation. Following is not the actual API, I just wanted to give you a feel for how you use it in an app:
if (azMan.CheckAccess(user, "CanApproveExpenseReport")
{
// Approve expense reports code goes here
}
It also provides an MMC snap-in tool to manage everything. If it works out, it promises to save us a ton of time.
I see the Patterns and Practices Authorization and Profile Application Block has a provider that can use it, and there is a RoleManager Provider in Whidbey that uses a part of it too. So Microsoft seems to think it fits the problem.
Actually while I'm on the subject of Whidbey, I was surprised that it doesn't seem to provide a general purpose authentication mechanism other than IsInRole. Roles are good for some things, but they are too course-grained for deciding whether a button is visible or not, or whether a user can delete items from a table. There can potentially be hundreds of these fine-grained secured operations scattered throughout your application, and hard-coding role names (if (User.IsInRole(“Manager“)...) throughout your app is not an acceptable solution in my opinion because it limits the ability to redefine the permissions of each role later on without touching code.
Authorization Manager (or AzMan for short) seems to fit the bill perfectly. However I hesitate to jump in too quickly because I don't see very much buzz about this technology on the web. I'd like to read other people's experience with it. Has anyone tried to use it in a .NET Application?