Enterprise Server Execution Control Under Windows

Restriction: This topic applies only when the Enterprise Server feature is enabled.

This topic describes the execution control of COBOL programs running as services and executables.

When a COBOL program runs as a Micro Focus service in an enterprise server instance, it inherits its security credentials from the server manager process that started the service execution process (SEP).

Usually, Enterprise Server is started using the Micro Focus Enterprise Server Administration user interface, the Web interface to the MF Directory Server (MFDS). In this case, Enterprise Server Administration (ES Admin) runs as a Windows system service. It is listed as Micro Focus Directory Server in the Services Control Panel. Windows system services run under the user account specified in their Startup options. You can view and change the Startup options using the Services Control Panel.

If Enterprise Server is started using the casstart program, run from the command line by an interactive user, then COBOL service programs use that user's security credentials.

When Enterprise Server is installed, the MF Directory Server is installed as a system service using the Local System user account, with the Allow service to interact with the desktop option selected. With this option selected:

The Local System account does not have privileges for network file access. That means that COBOL service programs that are running in an enterprise server instance that was started through MFDS, using the default configuration, are unable to open network files. To enable network file access from your COBOL service programs, use one of these methods:

We recommend that for Enterprise Server on Windows (whether or not your COBOL service programs need network file access), you create a user account specifically for MFDS and the COBOL service programs running under it. Set the permissions on this account appropriately, that is, don't grant it any permissions that the COBOL programs don't need. For additional security, you can set ACLs to grant or deny access to particular objects (directories, files, registry keys) for this user to further control what COBOL service programs can do.
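
The following PowerShell sketch is an added example, not Micro Focus code. It reports which account the service listed as Micro Focus Directory Server runs under, then grants a dedicated account read access to one directory through an ACL. The account name CONTOSO\svc-mfds and the path D:\es\data are hypothetical placeholders; the service is looked up by the display name given above.

```powershell
# Added example. The account name and data path below are hypothetical placeholders.
$DisplayName = 'Micro Focus Directory Server'   # as listed in the Services Control Panel
$SvcAccount  = 'CONTOSO\svc-mfds'               # hypothetical dedicated account for MFDS
$DataDir     = 'D:\es\data'                     # hypothetical directory the COBOL programs need

# Report the logon account and desktop-interaction flag of the MFDS service.
function Test-MfdsServiceIdentity {
    param([string]$Name = $DisplayName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$Name'"
    if (-not $svc) { throw "Service '$Name' not found on this host." }
    $findings = @()
    if ($svc.StartName -eq 'LocalSystem') {
        $findings += 'Runs as Local System: COBOL service programs inherit it and cannot open network files.'
    }
    if ($svc.DesktopInteract) {
        $findings += 'Allow service to interact with the desktop is selected.'
    }
    [pscustomobject]@{
        Service         = $svc.Name
        Account         = $svc.StartName
        DesktopInteract = $svc.DesktopInteract
        Findings        = $findings
    }
}

# Add an inheritable Allow rule for the dedicated account on one directory,
# then return the rules that now apply to that account.
function Grant-MfdsDirectoryAccess {
    param(
        [string]$Path    = $DataDir,
        [string]$Account = $SvcAccount,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
}

Test-MfdsServiceIdentity | Format-List
# Grant-MfdsDirectoryAccess   # run from an elevated prompt once the dedicated account exists
```

Widen the Rights parameter only for directories the COBOL service programs must write to, so the account keeps no permissions the programs do not need.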