My organization has been using Active Directory groups to handle permissions to simple business applications, folders, and SQL Server objects. A coworker has been suggesting that we use Microsoft's AZManager to handle this kind of thing, but I don't really understand what this tool does that AD groups do not and he isn't sure either.
I understand from the documentation that AZManager does integrate with AD, but is there anything that it offers that AD doesn't already do? Am I mistaken in thinking that we won't need it?
Authorization Manager provides an abstraction layer between the generic concept of "I want this group to be able to do this thing" and the discrete set of permissions required to make that happen. Roles are defined in the product as the permission sets required for that role. When groups are added to roles, it assigns that group the role's permissions (which can be done a number of ways). This is how it simplifies managing permissions. In order to do this, it has to run as a high-level user.
In essence, it isn't any better than straight up AD permissions. It just simplifies assigning complex permissions.
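The role indirection described in the answer above, as an added example that is not part of the original post: it builds a small Authorization Manager XML store through the AzRoles COM interfaces and assigns one AD group to one role. The store path, application name, operation names, role name and group name are all constructed placeholders.

```powershell
# Added example: every name and path below is a constructed placeholder.
$storePath = 'C:\AzManDemo\store.xml'        # hypothetical store location
$adGroup   = 'CONTOSO\Invoice-Approvers'     # placeholder; must be a group that resolves to a SID

New-Item -ItemType Directory -Force -Path (Split-Path $storePath) | Out-Null

# Flag 1 = AZ_AZSTORE_FLAG_CREATE. Initialize fails if the store already exists.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(1, "msxml://$storePath", $null)
$store.Submit(0, $null)

# One application container per line-of-business application.
$app = $store.CreateApplication('InvoiceApp', $null)
$app.Submit(0, $null)

# Operations are the discrete permissions the application checks at run time.
$ops = [ordered]@{ ReadInvoice = 1; ApproveInvoice = 2; VoidInvoice = 3 }
foreach ($name in $ops.Keys) {
    $op = $app.CreateOperation($name, $null)
    $op.OperationID = $ops[$name]
    $op.Submit(0, $null)
}

# Role definition: the named permission set ("what an approver may do").
$def = $app.CreateTask('Approver', $null)
$def.IsRoleDefinition = $true
$def.AddOperation('ReadInvoice', $null)
$def.AddOperation('ApproveInvoice', $null)
$def.Submit(0, $null)

# Role assignment: the AD group is bound to the role, never to individual operations.
$role = $app.CreateRole('Approver', $null)
$role.AddTask('Approver', $null)
$role.AddMemberName($adGroup, $null)
$role.Submit(0, $null)
```

Changing what approvers may do later is a single edit to the `Approver` role definition; the AD group membership and the assignment stay untouched.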