Restricting ESCWA with ESF

Security configuration is performed from the Security node in the navigation pane. You can specify multiple external security managers which you can add to the security manager list, also known as the security manager stack.

ESCWA uses an External Security Facility (ESF) to relay authorization requests to one or more security managers. These security managers can control authorization requests for ESCWA itself, directory servers, and enterprise server instances that ESCWA administers.

The order of the security managers on the security manager list determines the order in which they are queried by the security facility. In addition, you can specify the following settings to modify the order in which the security managers are queried:

Verify against all Security Managers

Set this if you want each security query to be checked by all entries on the Security Manager Priority List.

If this is not set, the entries will be queried in the order that they appear on the Priority List until one gives a response of Allow, Deny, or Fail (equivalent to Deny). This response will then be used to decide what action should be taken.

If this field is set, all entries on the list will be queried, and if any returns a Deny or Fail, the access request will be denied. If there are no Deny or Fail responses and at least one of the entries on the list gives Allow as its response, the request will be allowed.

If a security manager does not have a rule for the resource or user specified in the request, it gives a response of Unknown. Whatever the setting of the Verify against all Security Managers field, if all of the entries on the priority list respond with Unknown, the request will be denied unless you have checked Allow unknown resources or Allow unknown users.

Allow unknown resources

Check this if you want the security facility to permit access to any unknown resource; that is, any resource for which all entries on the priority list return Unknown.

You might use this in circumstances where you only want to restrict access to some resources.

Allow unknown users

Check this if you want to allow unknown users to log in.
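The decision rules above (priority order, Verify against all Security Managers, and the Allow unknown settings) modelled as an added Python example; this is not Micro Focus code, and the table-based managers, user names and resource names are constructed for illustration.

```python
from enum import Enum

class Response(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    FAIL = "Fail"        # treated the same as Deny
    UNKNOWN = "Unknown"  # the manager has no rule for this user/resource

def table_manager(rules):
    """Build a toy security manager from a {(user, resource): Response} table (constructed)."""
    def manager(user, resource):
        return rules.get((user, resource), Response.UNKNOWN)
    return manager

def evaluate(stack, user, resource, verify_all=False, allow_unknown=False):
    """Decide a request against the security manager stack, in priority order.
    allow_unknown stands for 'Allow unknown resources' on an authorization check,
    or 'Allow unknown users' when the request is a login. Returns True if allowed."""
    responses = []
    for manager in stack:
        r = manager(user, resource)
        responses.append(r)
        # Without 'Verify against all', the first Allow/Deny/Fail decides.
        if not verify_all and r is not Response.UNKNOWN:
            return r is Response.ALLOW
    if verify_all:
        # Every manager was queried: any Deny/Fail denies, otherwise any Allow allows.
        if any(r in (Response.DENY, Response.FAIL) for r in responses):
            return False
        if Response.ALLOW in responses:
            return True
    # Every manager answered Unknown: denied unless the allow-unknown setting is checked.
    return allow_unknown

# Constructed example stack: a directory-style manager first, a local manager second.
LDAP = table_manager({("alice", "User Administration"): Response.ALLOW,
                      ("bob", "User Administration"): Response.DENY})
LOCAL = table_manager({("alice", "User Administration"): Response.DENY,
                       ("carol", "Audit Facility"): Response.ALLOW})
STACK = [LDAP, LOCAL]

if __name__ == "__main__":
    # First definite answer wins: LDAP's Allow for alice, although LOCAL would deny.
    print(evaluate(STACK, "alice", "User Administration"))                   # True
    # Verify against all: LOCAL's Deny now blocks alice.
    print(evaluate(STACK, "alice", "User Administration", verify_all=True))  # False
    # No manager has a rule for dave: denied unless Allow unknown is checked.
    print(evaluate(STACK, "dave", "Some Resource"))                          # False
    print(evaluate(STACK, "dave", "Some Resource", allow_unknown=True))      # True
```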

Create audit events

Check this to enable the enterprise server or Directory Server to generate security audit events. These events can be captured and logged by the Audit Facility.

Use all groups

Check this if a user requesting authorization is to have the permissions of every group to which he or she belongs.

Uncheck this if the user is to have only the permissions of the group specified in the initial security API call that requested verification (authentication) of the user's credentials. Where no group is specified in the verify call, a default group is used.

ESCWA enables you to display and administer large numbers of users, groups, and resources in the configured security manager.

Note: The user used to log in to ESCWA requires Update, Add, and Delete access to the User Administration resource. This resource can be found under the Enterprise Server Administration resource class in your data store.
Important: Support for nested groups is not provided within the interface. If required, you can administer nested groups from the esfadmin command-line utility.