This topic describes the execution control of COBOL programs running as services and executables.
When a COBOL program runs as a Micro Focus service in an Enterprise Server instance, it inherits its security credentials from the server manager process that started the SEP.
Usually, Enterprise Server is started using the Micro Focus Enterprise Server Administration user interface, the Web interface to the MF Directory Server. In this event, Enterprise Server Administration (ES Admin) runs as a Windows system service. It is listed as Micro Focus Directory Server in the Services Control Panel. Windows system services run under the user account specified in their Startup options. You can view and change the Startup options using the Services Control Panel.
If Enterprise Server is started using the casstart program, run from the command line by an interactive user, then COBOL service programs use that user's security credentials.
When Enterprise Server is installed, the MF Directory Server is installed as a system service using the Local System user account, with the Allow service to interact with the desktop option selected. With this option selected:
The Local System account does not have privileges for network file access. That means that COBOL service programs that are running in an Enterprise Server instance that was started through MFDS, using the default configuration, are unable to open network files. To enable network file access from your COBOL service programs, use one of these methods:
COBOL service programs use the logged-in user's network credentials and can access the files that the logged-in user has authorization for.
The disadvantage of this method is that it must be done manually, that is, the Enterprise Server instance must be stopped manually (using the casstop command) rather than through ES Admin.
The disadvantages of this method are similar to the method above, though ES Admin can be used to start and stop Enterprise Server instances in this case.
The main disadvantage of this method is that Enterprise Server cannot display the console daemon window. However, this does improve the security of the installation, since access to the local desktop is a security risk. Running COBOL application programs under a normal user account (if it has reduced privileges), rather than under the Local System account (which is equivalent to an Administrator account for local security purposes) is more secure.
We recommend that for Enterprise Server on Windows (whether or not your COBOL service programs need network file access), you create a user account specifically for MFDS and the COBOL service programs running under it. Set the permissions on this account appropriately, that is, don't grant it any permissions that the COBOL programs don't need. For additional security, you can set ACLs to grant or deny access to particular objects (directories, files, registry keys) for this user to further control what COBOL service programs can do.