Configuring Transaction Server

In the previous section of this chapter we've seen how MTS can impersonate users of the application by presenting a different NT account to the components or services it accesses. This isn’t mandatory however—you can use MTS with this feature disabled and rely on the traditional method of each resource identifying the original user via NT's security manager. In fact this is the default setting for MTS.

MTS also offers a third way of managing users and controlling access to other resources. This takes advantage of the ability of MTS to identify the original user through methods of the

ObjectContext

object created for each component. To use this technique you write code within the component to retrieve information about the original user, and hence you can change the behavior of the component based on the user. So, we have three situations to consider:

Traditional configuration and user access control through individual Windows NT accounts. These can be separate user accounts, accounts that are mapped to one or more NT accounts through certificates, or the anonymous IUSR account.
Package-level and component-level access control through roles defined for each package and/or component. This is termed declarative security.
Component-level access control using code within a component. This is referred to as programmatic security, and can be combined with declarative security to provide the most flexible solutions.