Server Instance Properties: Security

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Use this page to define the security settings to be used with this enterprise server.

Use default Security Configuration

Check this if you want to use your default security settings for this enterprise server. To define the default settings, click Security in the menu on the left-hand side, and then click Security > Default Security Configuration.

Restrict user access

Check this to cause all access to the enterprise server through Enterprise Server Administration to be checked by the security managers specified in the Security Manager Priority List.

Verify against all Security Managers

Set this if you want each Verify (sign-on, user authentication) query to be checked by all entries on the Security Manager Priority List.

If this is not set, the entries are queried in the order in which they appear on the Priority List until one gives a response of Allow, Deny, or Fail (treated as Deny). That response decides what action is taken, for example whether the user is allowed to sign on or the sign-on attempt is rejected. An Unknown response does not stop the search; the next entry on the list is queried.

If this field is set, all entries on the list will be queried, and if any returns a Deny or Fail, the access request will be denied. If there are no Deny or Fail responses and at least one of the entries on the list gives Allow as its response, the request will be allowed.

If a security manager does not have a rule for the user specified in the request, it gives a response of Unknown. Whatever the setting of the Verify against all Security Managers field, if all of the entries on the priority list respond with Unknown, the request will be denied unless you have checked Allow unknown users.

Allow unknown resources

Check this if you want the security facility to permit access to any unknown resource; that is, any resource for which all entries on the priority list return Unknown.

You might use this in circumstances where you only want to restrict access to some resources: define rules for those resources and leave the others unknown. Be aware that any resource for which no rule exists, including resources added later, is then accessible to everyone who can sign on.

Allow unknown users

Check this if you want to allow unknown users to log in; that is, users for whom all entries on the priority list return Unknown. Because this lets anyone who is not known to any configured security manager sign on, leave it unchecked unless open access is intended.

Use all groups

Check this if a user requesting authorization is to have the permissions of every group to which he or she belongs.

Uncheck this if the user is to have only the permissions of the group specified in the initial security API call that requested verification (authentication) of the user's credentials. Where no group is specified in the verify call, a default group is used.
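The following is an added example, not Enterprise Server code, that models how the settings described above combine: the Security Manager Priority List evaluation under Verify against all Security Managers, the Allow unknown users / Allow unknown resources handling for all-Unknown results, the skipping of disabled managers, and the Use all groups rule for authorization. The manager names, rule tables, group names and permission names are constructed for illustration.

```python
from enum import Enum


class Response(Enum):
    """Answers a security manager can give to a Verify or resource query."""
    ALLOW = "Allow"
    DENY = "Deny"
    FAIL = "Fail"        # treated exactly like Deny
    UNKNOWN = "Unknown"  # the manager has no rule for this subject


class Manager:
    """One entry on the priority list: a name, an Enabled flag and a rule table.

    The rule table (subject -> Response) stands in for an external security
    manager such as a directory; it is constructed for this example.
    """
    def __init__(self, name, enabled, rules):
        self.name = name
        self.enabled = enabled
        self.rules = rules

    def query(self, subject):
        return self.rules.get(subject, Response.UNKNOWN)


def resolve(priority_list, subject, verify_all, allow_unknown):
    """Return True (allow) or False (deny) for one security query.

    verify_all    models the Verify against all Security Managers checkbox.
    allow_unknown models Allow unknown users (for sign-on queries) or
                  Allow unknown resources (for resource queries).
    Disabled managers are skipped, as the Enabled column describes.
    """
    responses = []
    for mgr in priority_list:
        if not mgr.enabled:
            continue
        r = mgr.query(subject)
        responses.append(r)
        # Without verify_all, the first definite answer decides the result.
        if not verify_all and r is not Response.UNKNOWN:
            return r is Response.ALLOW
    definite = [r for r in responses if r is not Response.UNKNOWN]
    if not definite:
        # Every enabled manager answered Unknown (or none is enabled):
        # denied unless the relevant "Allow unknown ..." setting is checked.
        return allow_unknown
    # verify_all: any Deny or Fail wins; otherwise at least one Allow remains.
    return not any(r in (Response.DENY, Response.FAIL) for r in definite)


def effective_permissions(user_groups, group_permissions, use_all_groups,
                          requested_group=None, default_group="DEFAULT"):
    """Permissions a user holds for an authorization request.

    With use_all_groups the user gets the union of every group's permissions;
    without it, only the group named in the verify call (or default_group when
    the call named none) applies. Group and permission names are constructed.
    """
    if use_all_groups:
        groups = set(user_groups)
    else:
        groups = {requested_group if requested_group is not None else default_group}
    perms = set()
    for g in groups:
        perms |= group_permissions.get(g, set())
    return perms


# Constructed sample priority list: a directory that knows alice, a local
# manager that denies alice and knows bob, and a disabled legacy manager.
DIRECTORY = Manager("ldap-corp", True, {"alice": Response.ALLOW})
LOCAL = Manager("local-rules", True, {"alice": Response.DENY, "bob": Response.ALLOW})
LEGACY = Manager("legacy", False, {"carol": Response.ALLOW})
PRIORITY_LIST = [DIRECTORY, LOCAL, LEGACY]

GROUP_PERMISSIONS = {  # constructed group -> permission table
    "DEFAULT": {"read"},
    "operators": {"read", "start-server"},
    "auditors": {"read", "read-audit"},
}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for verify_all in (False, True):
            verdict = resolve(PRIORITY_LIST, user, verify_all, allow_unknown=False)
            print(user, "verify_all=%s" % verify_all, "allow" if verdict else "deny")
    print(sorted(effective_permissions(["operators", "auditors"], GROUP_PERMISSIONS, True)))
    print(sorted(effective_permissions(["operators", "auditors"], GROUP_PERMISSIONS, False)))
```

Running it shows the practical difference between the two modes: with the list ordered directory first, alice is allowed when the first definite answer wins but denied when all managers are verified, because the local manager's Deny then counts; reordering the list so the local manager comes first denies her in both modes. carol, known only to the disabled manager, is denied in every configuration unless the unknown-subject setting is checked.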

Cache limit:

Enter the maximum size in kilobytes that the enterprise server's security facility can use for caching the results of security queries.

Cache TTL:

Enter the maximum time in seconds that an entry in the cache can be used to satisfy requests before the details must be requeried from the security manager. A change made in a security manager, such as revoking a user's access, may therefore not take effect for up to this many seconds; choose the TTL with that delay in mind.

Create audit events

Check this to enable the enterprise server to generate security audit events. These events can be captured and logged by the Audit Facility.

Configuration Information

Enter any security configuration information in this area.

Automated Execution Control Enterprise Server Credentials:

Enter the credentials (user ID and password) to use for server start when the server instance is set to start when the MFDS process starts. This could be after a system restart, or when a server is stopped from the user interface and the Restart option is selected. Because these credentials are held for unattended use, use a dedicated account with no more privilege than is needed to start the server.
ES Security Manager Priority List

This is the list of security managers (taken from the available pool) that the enterprise server can use to perform security queries.

Note: Security managers are queried in the order that they appear in the list. If the Verify against all Security Managers checkbox is not checked, the first manager in the list that responds with a definite answer will determine the result of a security query. See the text for Verify against all Security Managers for more details.

Use the up and down arrows to reposition the selected entry.

Select

Use this to select a security manager for removal or for moving to a different position in the list.

Name

This column indicates the name used to identify a security manager.

Module

This column indicates the module used by a security manager to access an external security manager or to implement the security rules.

Description

This column shows the free-text description given to the security manager when it was defined.

Enabled

This column indicates whether or not the security manager is enabled. If it is not enabled, it will be ignored by Directory Server and those enterprise servers that reference it.

Add

Click this to add a security manager from the pool of available managers.

Remove

Click this to remove the currently selected security manager from this list.

Note: The manager is only removed from this list, not from the available pool of managers.