Security Considerations

In a single-CPU environment, user authentication is carried out locally. When a user logs on, the user is either accepted or rejected by the native security subsystem. However, in a distributed environment, authentication cannot be carried out in the same way, because remote users do not log on to the machine where the security subsystem resides. Instead, they log on to a program that runs on a client workstation, which typically has no interface to the security subsystem on the server.

To solve this problem, the connector offers an interface with security subsystems such as RACF, CA-TOP SECRET, and CA-ACF2. It does so using the Security Authorization Facility (SAF), which interfaces to the aforementioned security subsystems. The API provides a means for submitting a user ID and password to the server. The server, when it receives this information, hands it off to SAF for action. Given this capability, the appropriate security subsystem can authenticate the remote user, and all resource rules on the host remain intact.

If a high degree of security is unnecessary, the server can represent all users on the workstation without forcing them to submit individual user IDs and passwords.

In some cases, additional security for accessing fields, or values within fields, is required. For example, it may be necessary to prevent a class of users from viewing salary values exceeding 35000. In such a case, security would be driven by password values: certain passwords would carry with them the right to view all salaries; others would not. This level of security can be implemented using DBA at the server. EDAPREPARE and EDASQL parameters provide the information required for the server. See the iWay Server Administration manual for your specific platform for more information on DBA security.
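
The following Python sketch models the password-driven field and value restriction described above, with the check enforced on the server before any row is returned. It is an added illustration, not iWay DBA syntax or product code; the passwords, field names, rows and function names are constructed for the example.

```python
import hashlib
import hmac

SALARY_LIMIT = 35000  # threshold used in the text's example

def _kdf(password, salt):
    # Salted, iterated digest so the rule table never holds a clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _grant(password, salt, fields, max_salary):
    return {"salt": salt, "digest": _kdf(password, salt),
            "fields": fields, "max_salary": max_salary}

# Constructed passwords and grants (hypothetical, not real DBA rules).
GRANTS = [
    _grant("PAYROLL-PW", b"salt-1", ("name", "dept", "salary"), None),
    _grant("CLERK-PW", b"salt-2", ("name", "dept", "salary"), SALARY_LIMIT),
    _grant("GUEST-PW", b"salt-3", ("name", "dept"), None),
]

# Constructed sample rows.
ROWS = [
    {"name": "ADAMS", "dept": "MIS", "salary": 29000},
    {"name": "BAKER", "dept": "MIS", "salary": 35000},
    {"name": "COLE", "dept": "PROD", "salary": 52000},
]

def lookup(password):
    """Return the grant matching a password, or None (deny by default)."""
    found = None
    for grant in GRANTS:
        # Constant-time comparison; every entry is checked regardless of a match.
        if hmac.compare_digest(grant["digest"], _kdf(password, grant["salt"])):
            found = grant
    return found

def query(password, rows=ROWS):
    """Apply value and field restrictions server-side for the given password."""
    grant = lookup(password)
    if grant is None:
        raise PermissionError("unknown password")
    visible = []
    for row in rows:
        # Value restriction: records above the limit are withheld entirely.
        if grant["max_salary"] is not None and row["salary"] > grant["max_salary"]:
            continue
        # Field restriction: only granted fields leave the server.
        visible.append({field: row[field] for field in grant["fields"]})
    return visible
```

Because the filter runs where the data lives, a client that is modified or bypassed still receives only the rows and fields its password unlocks.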


iWay Software