ESF Passtokens

Passtokens are an optional ESF feature for communicating a user's identity between security domains. Passtokens let one Enterprise Server component (an Enterprise Server region or MFDS) sign on to another Enterprise Server component on behalf of a user, without requiring that user's normal credentials (typically a password).

In effect, a passtoken is a one-time or limited-time substitute for a user's password. A passtoken is associated with a user (and signon group) when it is created, and can only be used to sign on as that user.

If passtokens are enabled, they may be used for these purposes:

• Administrator convenience. When an administrator is signed on to either the MFDS administrative user interface or ESMAC, and switches to the other, the component that the administrator is coming from will send a passtoken to the component the administrator is going to. If the destination accepts the passtoken and the administrator has authority there, no manual signon will be necessary and the administrator can switch seamlessly between the two interfaces.
• Inter-system communication. Some MTO facilities allow users with the appropriate rights to invoke functions or programs in other regions. In some cases these facilities can use passtokens rather than actual passwords, to avoid insecure storage and transmission of passwords.

Not all ESM Modules support passtokens. If you are using a module that does not do so to verify users, user identities will not be automatically transferred across security domains, and users will have to explicitly sign on with their normal credentials in each domain.