Designing the Security Policy

Restriction: This topic applies only when the Enterprise Server feature is enabled.

The design and introduction of a security policy requires careful planning to ensure that the measures adopted are appropriate to the systems being protected. Such considerations are beyond the scope of this documentation. This topic gives a brief overview of the steps involved in using the Security Facility to control user authentication, user authorization, and resource access control.

  1. Before you can use the Security Facility, you must decide which external security managers you are going to use and, if you plan to use multiple security managers, how you want to divide the responsibilities between them. Most installations use a single external security manager.
  2. Having done this, you must define, within the repositories used by those managers, the users, resources and rules that you require. This may involve migrating user and resource details from legacy Directory Server and Enterprise Server security definitions, and, in the case of LDAP repositories used with the MLDAP ESM Module, modifying the LDAP schema to hold the security information.
  3. The next step is to specify within Directory Server the security managers, the ESM Modules that will be used to connect to them, and the associated configuration information. In doing this you create a pool of security manager definitions from which you can choose the ones that you require for particular enterprise servers.
  4. At this point, you can begin to define security configuration options. You can have different configuration options for individual enterprise servers, and for Directory Server. You can also have a default configuration that applies to any enterprise server that does not have its own configuration.
  5. The configuration options include an ordered list of references to the security managers that you will use. As with the other options, you can use different lists for Directory Server and for individual enterprise servers, and you can have a default list that is shared by multiple servers.

    The order of the managers on the list determines the order in which they are queried when handling a security request. Depending on other configuration options, a request may stop at the first manager that returns a definite answer or may be passed to every manager on the list, so the order can affect the result of a query.

    You can now add the appropriate security managers from the security manager pool to the list that you are using.
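    The following Python model is an added illustration of the ordered-list behaviour described in step 5; it is not Micro Focus code and does not use the Security Facility's real ESM Module interfaces or option names. The manager objects, the three-valued decision (allow, deny, or no rule held), and the two evaluation policies (`consult_all=False`, stop at the first definite answer; `consult_all=True`, ask every manager and let any deny win) are assumptions chosen to show why the position of a manager on the list can change the outcome under one policy and not the other. The sample rules are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNKNOWN = "unknown"  # the manager holds no rule for this user/resource pair


@dataclass
class SecurityManager:
    """Hypothetical stand-in for an external security manager reached through an ESM Module."""
    name: str
    rules: Dict[Tuple[str, str], Decision]

    def check(self, user: str, resource: str) -> Decision:
        # A manager that holds no rule for the pair answers UNKNOWN rather than DENY,
        # so that the next manager on the list gets a chance to decide.
        return self.rules.get((user, resource), Decision.UNKNOWN)


def evaluate(managers: List[SecurityManager], user: str, resource: str,
             consult_all: bool = False) -> Tuple[Decision, List[Tuple[str, Decision]]]:
    """Query the managers in list order; return the final decision and the query trail.

    consult_all=False (assumed 'first definite answer wins'): stop at the first
    manager that returns ALLOW or DENY; managers further down the list are never asked.
    consult_all=True (assumed 'consult every manager'): ask all of them; any DENY
    wins, otherwise any ALLOW wins.
    If no manager holds a rule for the pair, the request is denied (fail closed).
    """
    trail: List[Tuple[str, Decision]] = []
    for mgr in managers:
        verdict = mgr.check(user, resource)
        trail.append((mgr.name, verdict))
        if not consult_all and verdict is not Decision.UNKNOWN:
            return verdict, trail
    verdicts = {v for _, v in trail}
    if consult_all:
        if Decision.DENY in verdicts:
            return Decision.DENY, trail
        if Decision.ALLOW in verdicts:
            return Decision.ALLOW, trail
    return Decision.DENY, trail  # nobody held a rule: fail closed


# Constructed sample data: an LDAP-backed manager and a legacy manager that disagree
# about alice's access to PAYROLL, as can happen part-way through a migration.
LDAP_ESM = SecurityManager("mldap", {
    ("alice", "PAYROLL"): Decision.ALLOW,
    ("carol", "PAYROLL"): Decision.ALLOW,
})
LEGACY_ESM = SecurityManager("legacy", {
    ("alice", "PAYROLL"): Decision.DENY,
    ("dave", "BATCH"): Decision.ALLOW,
})


def demo() -> Dict[Tuple[str, bool], Decision]:
    """Run the conflicting request under both list orders and both policies."""
    results: Dict[Tuple[str, bool], Decision] = {}
    orders = (("ldap_first", [LDAP_ESM, LEGACY_ESM]),
              ("legacy_first", [LEGACY_ESM, LDAP_ESM]))
    for label, order in orders:
        for consult_all in (False, True):
            decision, trail = evaluate(order, "alice", "PAYROLL", consult_all)
            results[(label, consult_all)] = decision
            asked = " -> ".join(f"{name}:{v.value}" for name, v in trail)
            print(f"{label:13s} consult_all={consult_all!s:5s} {asked:40s} => {decision.value}")
    return results


if __name__ == "__main__":
    demo()
```

    Under the first-answer-wins policy the two list orders give opposite results for alice, and the second manager is never queried; under the consult-all policy the deny prevails whichever order is used. When you build the list from the security manager pool, decide which of these behaviours your configuration options select before relying on a particular order.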