

Security Queries

At appropriate points during the processing of MSS applications and during the running of MF Directory Server, security queries are submitted to the External Security Facility. The most common security queries are:

A successful verify query establishes a security context (such as a session logon) within which further operations are performed. As the user or application performs these subsequent operations, authorization calls are made to check that he or she has appropriate authorization.

An authorization query specifies the identity of the user, the resource that he or she is attempting to access, and the resource class. For more on users and resources, see Understanding users, groups and resources. Security managers to which the query is relayed will then look for security rules that match these details. The responses from the security managers will determine whether the user is allowed to perform the requested operation. How a particular security manager processes the request is entirely dependent on that security manager.

There are two types of authorization queries used by the External Security Facility. The first, used by Enterprise Server when processing MSS applications, implements mainframe-style permissions. In this approach, a user is granted a permission level that includes all the "lower" permissions (write access implies read access and so on). The second type of query is currently used only by MF Directory Server. It implements more modern discretionary access controls (DACs). In this approach, permissions are separate from one another. For example, a user can have write access but not read access to a resource.
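The two authorization models contrasted above, as an added Python sketch that is not code from the product: the level and permission names, the resource classes and the rule tables are constructed for illustration and are not the External Security Facility's own API or data. `overgrant` shows what a write-only discretionary grant picks up if it is forced into the hierarchical model.

```python
from enum import Flag, IntEnum

class Level(IntEnum):      # hierarchical: hypothetical names, ordered low to high
    NONE = 0
    READ = 1
    WRITE = 2
    ALTER = 3

class Perm(Flag):          # discretionary: independent bits, hypothetical names
    READ = 1
    WRITE = 2
    DELETE = 4

# Constructed rules keyed by (user, resource class, resource name).
LEVEL_RULES = {
    ("alice", "DATASET", "PAYROLL.MASTER"): Level.WRITE,
    ("bob", "DATASET", "PAYROLL.MASTER"): Level.READ,
}
DAC_RULES = {
    ("alice", "REPOSITORY", "audit-drop"): Perm.WRITE,            # write-only
    ("bob", "REPOSITORY", "audit-drop"): Perm.READ | Perm.WRITE,
}

def check_level(user, rclass, resource, requested):
    """Hierarchical check: a granted level satisfies any request at or below it."""
    granted = LEVEL_RULES.get((user, rclass, resource), Level.NONE)
    return requested > Level.NONE and granted >= requested

def check_dac(user, rclass, resource, requested):
    """Discretionary check: every requested bit must be granted explicitly."""
    granted = DAC_RULES.get((user, rclass, resource), Perm(0))
    return bool(requested) and (granted & requested) == requested

# What each level implies when written as independent permissions (assumed mapping).
LEVEL_AS_PERMS = {
    Level.NONE: Perm(0),
    Level.READ: Perm.READ,
    Level.WRITE: Perm.READ | Perm.WRITE,
    Level.ALTER: Perm.READ | Perm.WRITE | Perm.DELETE,
}

def overgrant(perms):
    """Permissions added when a DAC grant is forced into the lowest covering level."""
    for level in Level:
        implied = LEVEL_AS_PERMS[level]
        if (implied & perms) == perms:
            return implied & ~perms
    raise ValueError("no level covers these permissions")
```

Both checks deny by default when no rule matches the user, resource class and resource in the query.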

Note:

Security queries are issued during MSS processing in a way that is intended to emulate, as far as is feasible, the behaviour found on IBM mainframe platforms. For details, please refer to your mainframe documentation.
