The External Security Facility (ESF) lets ES authorize users and control access to resources by querying one or more external security managers (ESMs), which are facilities outside ES that can verify users and/or supply rules for resource access control. ES communicates with ESMs using ESM Modules, plug-ins that are loaded by ESF based on the security configuration created by the ES administrator.
ESF lets you secure ES using OS or third-party security mechanisms. You can have ES verify MSS users via the operating system, so MSS user accounts are managed by the OS, for example. You also now have more flexible control over the access that MSS users have to various resources (programs, datasets, etc).
One popular option is to put user definitions and resource control rules into an LDAP directory, such as Microsoft's Active Directory (AD), or Active Directory Application Mode (ADAM), which is a simplified AD suitable for running on workstations and maintaining application data.