Configuration

The security configuration contains various options, such as whether to permit access to resources that have no applicable security rules, and a list of security manager names. These names correspond to security manager configurations, which are also stored in the cross-region database. Security manager configurations can be shared by security configurations.

When a security configuration lists more than one security manager, the security managers are invoked in the order specified. This is often important in determining how security requests are handled.

A security manager configuration specifies the ESM module to use, plus various parameters and options for interacting with the ESM and how the ESM module should behave. The precise meaning of the various settings varies among ESM modules.

Security configurations and security manager configurations also contain a "configuration text" area, which is free-format text. ESF and most ESM modules allow various additional options to be configured in this area using "ini-format" text:

[section-name]
 name=value
 ...
[section-name]
 ...

Additional details can be found later in this document.

For example, an administrator might create the following security manager configurations:

Then, the administrator creates two security configurations:

The administrator configures the production and QA / UAT regions to use the Production security configuration, and developers create their own development regions using the Development configuration.

Creating and modifying ESF configurations

You can create and edit ESF security configurations and security manager configurations using the ESF Administration user interface. Enterprise Server for .NET also provides a command-line tool, seeseccfg.exe, for administering these definitions. It can create, delete, and list definitions in a cross-region database, and import/export them from/to XML, which can be edited manually, backed up, committed to a change-management system, etc.

To associate a security configuration with a region, you can use the ESF Administration user interface. You can also edit the region definition file (an XML document) directly.

In the Enterprise Server for .NET Administration tool, expand the System section of the SEE Administration tree to find the "Security Configurations and Managers" area, to create or modify security definitions. To associate a security configuration with a region, use the region definition editor as you would for other region properties.

Running the seeseccfg tool with no parameters will display a usage message.

Security Configuration properties

These are the properties that can be defined for a security configuration:

  • Name

    Required. The name of the security configuration.

  • Cache limit and Cache time-to-live

    Currently these have no effect. When ESF caching is implemented, the limit will be an optional integer specifying the approximate cache size in KB (0 or empty disables caching), and time-to-live will be an integer specifying the time in seconds before a cache entry expires.

  • Allow unknown resources

    Determines the result of a resource access query when none of the configured managers can answer it. If this option is enabled, access is allowed; otherwise access is denied.

  • Allow unknown users

    Determines the result of a user signon when none of the configured managers can answer it. If this option is enabled, the user is signed on; otherwise the user is rejected.

  • Create audit events

    Currently this has no effect.

  • Use all groups

    If enabled, permissions for each task are based on the signed-on user and all the groups that user belongs to; otherwise, only the permissions of that user and the sign-on group apply. (If no sign-on group was specified when the user signed on, the user's default group is used.) See the native ES documentation for more information.

  • Verify against all

    If this option is enabled, a user is signed on only if all the security managers associated with this configuration permit it. If the option is not enabled, the user sign-on process (Verify request) stops when one manager allows the sign-on.

  • Security Managers

    Lists the managers which will be invoked, in order, to process each security request.

  • Configuration

    An area for free-format configuration text. By convention, this is ini-format text, as described above. In this release no settings are defined for this area.

Security Manager properties

The properties that can be defined for a security manager:

  • Name

    Required. The name of this security manager.

  • Description

    Optional description text for the manager.

  • ESM module name

    Required. The name of the ESM module. This can be a complete pathname or just the name of the module with or without the .dll extension (for example "LdapEsm"). If a path is not specified, the module will be loaded from binAnyCpu\SEE\System in the product installation directory. See the next section for modules supplied with this release.

  • Cache limit and Cache time-to-live

    Currently these have no effect. See the description under Security Configuration properties above.

  • Disable security manager

    If checked, this security manager will not be used. It can be included in a security configuration but will not be loaded or invoked.

  • Connection path

    Instructs the ESM module how to connect to its ESM. The format depends on the module. Of the modules included in this release, only the LdapEsm uses this property. See the section on configuring LdapEsm below.

  • Authorized ID and Password

    Some ESM modules use these properties to authenticate themselves to their ESMs. Currently only the LdapEsm uses these properties. See the section on configuring LdapEsm below.

  • Configuration

    An area for free-format configuration text. By convention, this is ini-format text, as described above. The interpretation of this text depends on the ESM module. See the sections below on configuring individual modules.

These properties can be configured using the Enterprise Server for .NET administration console or the seeseccfg utility.
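The two property lists above describe how a request is resolved across the ordered managers (Allow unknown users / resources, Verify against all, Disable security manager). The following Python model, added here as an illustration and not Micro Focus code, shows those rules working together on constructed sample data; how a DENY answer is treated and which manager's answer wins for a resource query are not stated above and are assumptions.

```python
# Added model of the ESF decision rules described above (illustration, not Micro Focus code).
from dataclasses import dataclass, field
ALLOW, DENY, UNKNOWN = "allow", "deny", "unknown"   # UNKNOWN = "manager cannot answer"

@dataclass
class SecurityManager:
    verify: callable          # (user, password) -> ALLOW / DENY / UNKNOWN
    check_resource: callable  # (user, resource) -> ALLOW / DENY / UNKNOWN
    disabled: bool = False    # "Disable security manager": never loaded or invoked

@dataclass
class SecurityConfiguration:
    name: str
    managers: list = field(default_factory=list)  # invoked in this order
    allow_unknown_users: bool = False
    allow_unknown_resources: bool = False
    verify_against_all: bool = False

def active(cfg):
    return [m for m in cfg.managers if not m.disabled]
def verify_user(cfg, user, password):     # sign-on (Verify request): True if signed on
    answered = False
    for m in active(cfg):
        r = m.verify(user, password)
        if r == UNKNOWN:
            continue                      # cannot answer; ask the next manager
        answered = True
        if r == DENY:
            return False                  # assumption: a DENY is final in both modes
        if not cfg.verify_against_all:
            return True                   # first ALLOW ends the Verify request
    return True if answered else cfg.allow_unknown_users   # nobody answered: option decides

def check_access(cfg, user, resource):    # resource access query: True if permitted
    for m in active(cfg):
        r = m.check_resource(user, resource)
        if r != UNKNOWN:
            return r == ALLOW             # assumption: first definitive answer wins
    return cfg.allow_unknown_resources    # "Allow unknown resources" enabled = fail-open

# Constructed sample manager standing in for a real ESM module such as LdapEsm.
USERS = {"alice": "s3cret", "bob": "hunter2"}
RULES = {("alice", "CICS.PAYR"): ALLOW, ("bob", "CICS.PAYR"): DENY}
def _verify(u, p): return UNKNOWN if u not in USERS else (ALLOW if USERS[u] == p else DENY)
def _resource(u, r): return RULES.get((u, r), UNKNOWN)
DIRECTORY = SecurityManager(_verify, _resource)
BROKEN = SecurityManager(lambda u, p: DENY, lambda u, r: DENY, disabled=True)
PRODUCTION = SecurityConfiguration("Production", [DIRECTORY, BROKEN])   # fail-closed defaults
DEVELOPMENT = SecurityConfiguration("Development", [DIRECTORY],
                                    allow_unknown_users=True, allow_unknown_resources=True)
```

Note that a disabled manager (BROKEN) is skipped entirely, and that only the Development configuration signs on users and grants resources that no manager knows about.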