ESF is enabled on a per-region basis by associating the region with a security configuration. Regions that use the same cross-region database can share security configurations. The security configuration can specify one or more security managers (ESMs) to use. See ESF Configuration for more information.

At region startup, Enterprise Server for .NET configures ESF. If there is no security configuration (or if the configuration effectively disables security, for example by not specifying any ESMs to use), ESF is configured to return "allow" for all security requests.

During processing, the Enterprise Server for .NET engine makes various calls to ESF. (Application programs can also call ESF to make their own security checks, using various APIs.) If ESF is enabled, it will process the requests by calling each configured ESM module, which in turn contacts its ESM to resolve the request, as applicable. (Some ESMs do not handle certain types of requests.) In most cases, ESF calls ESM modules until one returns a definite response (allow or deny the request).

If none of the ESM modules can provide an answer for the request, ESF applies a default result of allow or deny based on its configuration.

The result is returned to the Enterprise Server for .NET engine, which will take the appropriate action.
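
The decision flow described above, modelled in Python as an added example; it is not Enterprise Server for .NET code and does not use its API. The names `esf_check` and `table_esm`, the module names and the resource classes are hypothetical, the rules are constructed sample data, and only the common "first definite response wins" case is modelled.

```python
"""Toy model of the ESF decision flow described above (not product code)."""
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNKNOWN = "unknown"  # module has no answer or does not handle the request type

def table_esm(handled_classes, rules):
    """Hypothetical ESM module backed by a dict of (user, class, resource) -> Verdict."""
    def check(user, rclass, resource):
        if rclass not in handled_classes:
            return Verdict.UNKNOWN          # some ESMs skip certain request types
        return rules.get((user, rclass, resource), Verdict.UNKNOWN)
    return check

def esf_check(modules, default, user, rclass, resource):
    """Return (verdict, decided_by) for one request.

    modules: ordered list of (name, callable); default: Verdict applied when no
    module gives a definite answer.
    """
    if not modules:
        # No security configuration, or one that names no ESMs: allow everything.
        return Verdict.ALLOW, "esf-disabled"
    for name, module in modules:
        verdict = module(user, rclass, resource)
        if verdict is not Verdict.UNKNOWN:
            return verdict, name            # first definite response wins
    return default, "esf-default"

# Constructed sample data: two modules, consulted in configuration order.
DIRECTORY = table_esm({"TRANSACTION"}, {("alice", "TRANSACTION", "PAY1"): Verdict.ALLOW,
                                        ("bob", "TRANSACTION", "PAY1"): Verdict.DENY})
LOCAL = table_esm({"TRANSACTION", "FILE"}, {("bob", "TRANSACTION", "PAY1"): Verdict.ALLOW,
                                            ("alice", "FILE", "LEDGER"): Verdict.ALLOW})
CHAIN = [("directory", DIRECTORY), ("local", LOCAL)]

def audit(default):
    """Run the constructed requests and return each outcome with its source."""
    requests = [("alice", "TRANSACTION", "PAY1"), ("bob", "TRANSACTION", "PAY1"),
                ("alice", "FILE", "LEDGER"), ("carol", "FILE", "LEDGER")]
    return [esf_check(CHAIN, default, *r) for r in requests]

if __name__ == "__main__":
    for default in (Verdict.DENY, Verdict.ALLOW):
        print(default.value, [(v.value, by) for v, by in audit(default)])
    print(esf_check([], Verdict.DENY, "carol", "FILE", "LEDGER"))
```

In this model the request for `bob` is denied by the first module even though the second would allow it, and the request for `carol` is decided purely by the configured default, which is why module order and the default result deserve review alongside the ESM rules themselves.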