During applications processing and the running of the Directory Server, Enterprise Server submits security queries to the External Security Facility (ESF), to verify that a user or system action is authorized. The ESF generates the appropriate API call and forwards this request to each configured security manager in turn.
The most common security queries are:
- Authenticating user credentials, for example when the user signs on.
- Checking that a user has the appropriate authorization to perform a particular task on a particular resource
A successful verify query establishes a security context (such as a session logon) within which further operations are performed. If the user or application performs subsequent operations outside this context, further authorization calls are made to check that he or she has appropriate authorization.
There are two types of authorization queries used by the External Security Facility:
- The first, used by Enterprise Server when processing MSS application requests, implements mainframe-style permissions. In this approach, a user is granted a permission level that includes all the "lower" permissions (write access implies read access and so on).
- The second type of query is currently used only by MF Directory Server. It implements more modern discretionary access controls (DACs). In this approach, permissions are separate from one another. For example, a user can have write access but not read access to a resource.
Note: This issuing of security queries during MSS processing is intended to emulate, as far as is feasible, the behaviour found on IBM mainframe platforms. For more information on these security queries, refer to your mainframe documentation.