MTS offers two types of package security:
Provides interfaces that you can use to create customized security within your application logic. See the MTS Programmer’s Guide for more information about using programmatic security.
Allows you to define roles and assign Windows NT users or groups of users to roles using the MTS Explorer.
Important Library package do not support role checking. In order to enable security, you must change the activation setting to a server package. See the Setting MTS Activation Properties topic for more information about library and server packages.
Administrators use declarative security to secure packages, ensuring that only clients with access privileges can run the package. Access is granted through the Explorer using MTS roles and Windows NT-based user and group accounts. Note that since declarative security uses Windows NT accounts for authentication, you will not be able to use declarative security for a package running on a Windows 95 computer.
To set up declarative security for a package, perform the following steps:
See the Adding a New MTS Role topic for a description of how to add a new role.
See the Mapping MTS Roles to Users and Groups topic to learn how to add users and groups to a role.
If you do not map the user account you're currently using to the Administrator role before enabling System package security, you will be refused access to MTS Explorer functions that modify configuration (such as adding users to roles). If this happens, you need to log on as a user that has been mapped to the Administrator role. To protect administrators from being locked out of the System package, the MTS Explorer displays an error message if you try to:
Note If MTS is installed on a server whose role is a primary or backup domain controller, a user must be a domain administrator in order to manage packages in the MTS Explorer.
If you do not enable security for the package, then roles for the component or interface will not be checked by MTS. In addition, if you do not have security enabled for a component, MTS will not check roles for the component's interface.
See the Adding a New MTS Role topic for a description of how to assign a role to the Role Membership folder.
Note Turning off declarative security for individual components or the package is useful during debugging of your package.
Consider setting up access restrictions to an inventory server package. As the system administrator, you may want to restrict access to the Inventory package to members of the sales department. In order to do so, first select the Role folder for the Inventory package, click the New option on the Action menu, and type "Sales" as the name of the new role. Then select the Users folder, click New on the Action menu, and enter the name of the Windows NT group account for the sales department. Add the Sales role to each component's Role Membership folder. At this point, only members of the sales department are allowed to access the Inventory package. Finally, select that package, go to the Security tab of the property sheets, and select the Enable authorization checking checkbox in order to turn on the new security settings for the package.
If you want to restrict access to a specific component within a package, you must understand how components in the package call one another. If a component is directly called by a base client, MTS will check roles for the component. If one component calls another component in the same package, MTS will not check roles because components within the same package are assumed to "trust" one another.
Let's say that you wanted to configure roles to permit a client to call the CheckInventory component, and restrict the client from calling the Backorder component directly. Both the CheckInventory and Backorder components are in the Inventory package. You must first set the appropriate role on the CheckInventory component for the client. Then ensure that the Backorder component has no roles that could map to the client identity. Since the CheckInventory and Backorder components share a package, no role checking will be performed when the CheckInventory component calls the Backorder component.
The CheckInventory component may call the Backorder component on behalf of the client, though, if the following conditions are fulfilled:
This allows you to create packages containing mutually trusted components while restricting access to select components.
To set up role checking for original callers that directly call the Backorder component, select the Role Membership folder for the Backorder component, click New on the Action menu, and choose the Sales role. Now that the Sales role (with mapped users) is assigned to the Backorder component, only members of the sales department will be able to run the Backorder component to view out-of-stock items. To activate the new security setting, select the Enable authorization checking checkbox for the Inventory package as well as the Backorder component.
For more information about role checking, see the Programmatic Security topic in the MTS Programmer's Guide.
You can also shut down all server packages at one time, which combines steps 4 and 7. To shut down all server packages, select My Computer and choose the Shut Down Server Processes option in the Action menu.
After you install and configure your package on the deployment server, you may want to lock your package so that component configurations cannot be modified. Refer to the Locking Your Package topic for more information about locking your package configuration.
See Also
System Package, Roles Folder, Users Folder, Role Membership Folder, Managing Users for MTS Roles, Microsoft Transaction Server Programmer's Guide