Enabling MTS Package Security

MTS offers two types of package security:

Provides interfaces that you can use to create customized security within your application logic. See the MTS Programmer’s Guide for more information about using programmatic security.

Allows you to define roles and assign Windows NT users or groups of users to roles using the MTS Explorer.

Important Library package do not support role checking. In order to enable security, you must change the activation setting to a server package. See the Setting MTS Activation Properties topic for more information about library and server packages.

Administrators use declarative security to secure packages, ensuring that only clients with access privileges can run the package. Access is granted through the Explorer using MTS roles and Windows NT-based user and group accounts. Note that since declarative security uses Windows NT accounts for authentication, you will not be able to use declarative security for a package running on a Windows 95 computer.

To set up declarative security for a package, perform the following steps:

  1. Define roles at the package level using the New Role dialog box.

See the Adding a New MTS Role topic for a description of how to add a new role.

  1. Map users to roles using the Add New Users to Roles dialog box. Note that a package with no valid users in any Role cannot be called.

See the Mapping MTS Roles to Users and Groups topic to learn how to add users and groups to a role.

  1. Assign the role that you defined to the Role Membership folder of a component or interface if you want to restrict access to a specific component or interface.
  2. Enable security for the package on the Security tab of the Package property sheets. This topic contains a description for how to enable authorization checking.

If you do not map the user account you're currently using to the Administrator role before enabling System package security, you will be refused access to MTS Explorer functions that modify configuration (such as adding users to roles). If this happens, you need to log on as a user that has been mapped to the Administrator role. To protect administrators from being locked out of the System package, the MTS Explorer displays an error message if you try to:

Note If MTS is installed on a server whose role is a primary or backup domain controller, a user must be a domain administrator in order to manage packages in the MTS Explorer.

If you do not enable security for the package, then roles for the component or interface will not be checked by MTS. In addition, if you do not have security enabled for a component, MTS will not check roles for the component's interface.

See the Adding a New MTS Role topic for a description of how to assign a role to the Role Membership folder.

Note Turning off declarative security for individual components or the package is useful during debugging of your package.

Consider setting up access restrictions to an inventory server package. As the system administrator, you may want to restrict access to the Inventory package to members of the sales department. In order to do so, first select the Role folder for the Inventory package, click the New option on the Action menu, and type "Sales" as the name of the new role. Then select the Users folder, click New on the Action menu, and enter the name of the Windows NT group account for the sales department. Add the Sales role to each component's Role Membership folder. At this point, only members of the sales department are allowed to access the Inventory package. Finally, select that package, go to the Security tab of the property sheets, and select the Enable authorization checking checkbox in order to turn on the new security settings for the package.

If you want to restrict access to a specific component within a package, you must understand how components in the package call one another. If a component is directly called by a base client, MTS will check roles for the component. If one component calls another component in the same package, MTS will not check roles because components within the same package are assumed to "trust" one another.

Let's say that you wanted to configure roles to permit a client to call the CheckInventory component, and restrict the client from calling the Backorder component directly. Both the CheckInventory and Backorder components are in the Inventory package. You must first set the appropriate role on the CheckInventory component for the client. Then ensure that the Backorder component has no roles that could map to the client identity. Since the CheckInventory and Backorder components share a package, no role checking will be performed when the CheckInventory component calls the Backorder component.

The CheckInventory component may call the Backorder component on behalf of the client, though, if the following conditions are fulfilled:

This allows you to create packages containing mutually trusted components while restricting access to select components.

To set up role checking for original callers that directly call the Backorder component, select the Role Membership folder for the Backorder component, click New on the Action menu, and choose the Sales role. Now that the Sales role (with mapped users) is assigned to the Backorder component, only members of the sales department will be able to run the Backorder component to view out-of-stock items. To activate the new security setting, select the Enable authorization checking checkbox for the Inventory package as well as the Backorder component.

For more information about role checking, see the Programmatic Security topic in the MTS Programmer's Guide.

To enable security authorization:
  1. Map your user account to the Administrator role of the System Package if you have not already done so.
  2. Select the System Package, and choose Properties from the Action or right-click menu.
  3. Go to the security tab and select the Enable authorization checking checkbox.
  4. Stop the System Package server process by selecting System Package, right-clicking, and choosing the Shut Down option.

You can also shut down all server packages at one time, which combines steps 4 and 7. To shut down all server packages, select My Computer and choose the Shut Down Server Processes option in the Action menu.

  1. Select the package for which you want to enable security.
  2. Go to the security tab and select the Authorization checking enabled checkbox.
  3. Stop the System Package server process by selecting that package, right-clicking, and choosing the Shut Down option.

After you install and configure your package on the deployment server, you may want to lock your package so that component configurations cannot be modified. Refer to the Locking Your Package topic for more information about locking your package configuration.

See Also

System Package, Roles Folder, Users Folder, Role Membership Folder, Managing Users for MTS Roles, Microsoft Transaction Server Programmer's Guide