About Users, Groups and Resources

Each item (for example, program, file, transaction) to which access is controlled is a called a resource. A resource has a name and a class, which indicates the type of the resource. For example, each enterprise server is a resource, and all enterprise servers belong to the same resource class.

A resource name must be unique within its class. That is, you can define two or more resources with the same name, provided that they belong to different classes.

MSS resources use various class names defined by IBM. Non-MSS resources, such as ES configuration definitions in MF Directory Server, use resource class names defined by Micro Focus (using syntax that's not permitted for MSS resource class names, to avoid collisions). Users can also define their own resource classes for performing explicit access checks in applications.

When a user requests access to a resource the security facility relays the request to the external security manager, specifying the user, the resource and the resource class. The security manager will then look for resource rules that match the resource name. The processing of a request is dependent on the external security manager.

Where your ESM module provides suitable support, as is the case with the mldap_esm module, you can use the Enterprise Server Administration screens to define users, groups, resource classes and resources (referred to as resource entities). In defining a resource entity, you are specifying a rule against which an authorization request can be matched. Depending on your ESM, the resource entity might have a full resource name, or might contain wildcards. This allows you to write a single rule to apply to multiple resources.

With the mldap_esm module, for example, each resource entity has an Access Control List (ACL) that specifies access rights for that resource. Each entry in an ACL is referred to as an Access Control Entry, or ACE. These entries identify a user or group, and what permissions are to be granted or denied to them.

Users can be assigned to many user groups, and depending on your security manager and your security configuration a user may be allowed the permissions of all the groups to which he or she belongs, a particular group specified when the user signed on, or a default group specified as part of the user definition. For more details see Using all groups to which a user belongs.

Note: For Micro Focus Directory Server access, users always have the permissions of all the groups to which they belong.