Windows Users and ESF

If you want to use your Windows user accounts for ES/MSS users, and you use Active Directory to store the Windows user information for your domain, you can use the configuration described here to enable ES security with Windows users.

More specifically, with this configuration:

• Windows users are stored in Active Directory
• ES/MSS users are also Windows users (you can still restrict access to ES/MSS to a subset of Windows users by setting the appropriate ES/MSS resource permissions)
• ES/MSS users will sign on to MSS with their Windows usernames and passwords
• Windows will manage passwords (so Windows password policies will apply)
• MSS user attributes (eg operator class) will be stored as additional attributes of the Windows user objects in AD

For many installations, this provides the best of both worlds: mainframe-compatible security for ES/MSS, but there is only one set of user accounts, and they're managed with standard Windows tools.

The essence of this configuration is two ESM modules. Both use Active Directory, but through different interfaces, and they perform different tasks. The OS ESM module will process user sign-on (Verify) requests by calling standard Windows APIs for user login and (if requested) password change. Windows will handle these calls by communicating with the domain controller, which will read and update Active Directory. The MLDAP ESM module will make LDAP requests to AD to get MSS user attributes and resource access control rules.

Like most ESF security configurations, this one can be used for some or all ES servers and/or for MFDS.