About Users, Groups, and Resources

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Each item to which access is controlled, for example a program, file, or transaction, is called a resource. A resource has a name and a class, which indicates the type of the resource. For example, each enterprise server is a resource, and all enterprise servers belong to the same resource class.

A resource name must be unique within its class. That is, you can define two or more resources with the same name, provided that they belong to different classes.

When a user requests access to a resource, the security facility relays the request to the external security manager, specifying the user, the resource, and the resource class. The security manager then looks for resource rules that match the resource name. How the request is processed depends on the external security manager.

Where your ESM module provides suitable support, as is the case with the mldap_esm and vsam_esm modules, you can use the Enterprise Server Common Web Administration (ESCWA) screens to define users, groups, resource classes, and resources, which are referred to as resource entities. In defining a resource entity, you are specifying a rule against which an authorization request can be matched. Depending on your ESM, the resource entity might have a full resource name, or might contain wildcards. This enables you to write a single rule to apply to multiple resources.

With the mldap_esm and vsam_esm modules, for example, each resource entity has an Access Control List (ACL) that specifies access rights for that resource. Each entry in an ACL is referred to as an Access Control Entry, or ACE. These entries identify a user or group, and what permissions are to be granted or denied to them.

Users can be assigned to many user groups, and depending on your security manager and your security configuration a user may be allowed the permissions of all the groups to which he or she belongs, a particular group specified when the user signed on, or a default group specified as part of the user definition. See Using all groups to which a user belongs for more information.

Note: For Micro Focus Directory Server access, users always have the permissions of all the groups to which they belong.
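The following Python model is an added illustration of the concepts above (resource class plus name or wildcard pattern, an ACL of ACEs naming users or groups, and the three group policies); it is not code from Enterprise Server or from the mldap_esm or vsam_esm modules. It assumes glob-style wildcards, that an explicit deny overrides any allow, and constructed sample rules; real ESM processing differs by module.

```python
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

@dataclass(frozen=True)
class ACE:
    """Access Control Entry: one user or group and the permissions granted or denied."""
    subject: str
    is_group: bool
    allow: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()

@dataclass
class ResourceEntity:
    """A rule: resource class, a full name or wildcard pattern, and its ACL."""
    klass: str
    pattern: str
    acl: List[ACE]

# Constructed sample rules for illustration only (not a real ESM configuration).
RULES = [
    ResourceEntity("ENTERPRISESERVER", "ESDEMO", [ACE("operators", True, frozenset({"read", "control"}))]),
    ResourceEntity("TRANSACTION", "PAY*", [                      # one wildcard rule covers many transactions
        ACE("payroll", True, frozenset({"execute"})),
        ACE("contractor", True, deny=frozenset({"execute"})),
    ]),
    # Same name as the server above but a different class, so it is a distinct resource.
    ResourceEntity("TRANSACTION", "ESDEMO", [ACE("alice", False, frozenset({"execute"}))]),
]

def effective_groups(all_groups: List[str], mode: str, signon_group: Optional[str] = None,
                     default_group: Optional[str] = None) -> Set[str]:
    """Which of the user's groups count: all of them, the sign-on group, or the default group."""
    if mode == "all":
        return set(all_groups)
    if mode == "signon":
        return {signon_group} if signon_group in all_groups else set()
    if mode == "default":
        return {default_group} if default_group in all_groups else set()
    raise ValueError(f"unknown group mode {mode!r}")

def check_access(user: str, groups: List[str], klass: str, name: str, permission: str,
                 mode: str = "all", signon_group: Optional[str] = None, default_group: Optional[str] = None) -> bool:
    """True if a matching rule grants the permission to the user or an active group and none denies it."""
    active = effective_groups(groups, mode, signon_group, default_group)
    granted = False
    for rule in RULES:
        if rule.klass != klass or not fnmatch.fnmatchcase(name, rule.pattern):
            continue  # match on class first, then on the resource name or pattern
        for ace in rule.acl:
            if not ((ace.is_group and ace.subject in active) or (not ace.is_group and ace.subject == user)):
                continue
            if permission in ace.deny:
                return False  # assumption: an explicit deny wins over any allow
            if permission in ace.allow:
                granted = True
    return granted
```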