Troubleshooting Security Settings
In Connected Services Framework there are two main areas of security: Connected Services Framework component security and Web Services Enhancements (WSE) security. Here we will cover Connected Services Framework component security.
Component security is generally implemented in two ways: explicit role checks and delegated role checks. An explicit role check uses the credentials of the user in the message. A delegated role check uses the credentials of the user in the message, or the identity of the component itself, to perform an activity that in turn triggers a security check; the security check is delegated to the underlying component.
Explicit role check. These are done directly by the component against the credentials of the user in the inbound message. For example, the Session validates that the user creating a Session is a part of a specific Microsoft Active Directory® group. These role checks are specific per component, so consult the documentation for each component to get a list of required roles.
Delegated role check. These checks are performed on credentials when the Connected Services Framework uses some other component that has implemented security—for example, accessing data in the database. All the Connected Services Framework tables and stored procedures require the user be a member of a specific role. When Session is accessing the database, it will use the credentials of the service it is running under in IIS as its identity. If the Session identity user is not given access to the appropriate database objects, it will not be able to access the database and an exception will be generated. Identity Manager has a similar approach when dealing with Active Directory. The credentials of the user making the request will be used when accessing Active Directory, and if that user is not allowed to perform that operation an error will result.
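When a delegated check against the database fails, one way to confirm the cause is to evaluate role membership and permissions as the Session's service identity. The T-SQL below is an added example, not part of the Connected Services Framework documentation; the database, login, role and procedure names are placeholders, and it assumes SQL Server 2005 or later and a caller allowed to impersonate the login.

```sql
-- Placeholders (assumptions, not names from the CSF documentation):
--   CsfDatabase            database holding the Connected Services Framework tables
--   DOMAIN\SessionAppPool  identity the Session service runs under in IIS
--   CsfRequiredRole        database role the component documentation requires
--   dbo.SomeCsfProcedure   one stored procedure the Session calls
USE [CsfDatabase];
GO

-- 1. Database roles granted directly to the service identity's database user.
--    No rows means the identity has no direct role membership in this database.
SELECT r.name AS database_role,
       m.name AS database_user
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.sid = SUSER_SID(N'DOMAIN\SessionAppPool');

-- 2. Effective access, evaluated in the security context of the service identity.
EXECUTE AS LOGIN = N'DOMAIN\SessionAppPool';

SELECT SUSER_SNAME() AS evaluated_as,
       -- 1 = member, 0 = not a member, NULL = role name not valid
       IS_MEMBER(N'CsfRequiredRole') AS in_required_role,
       -- 1 = EXECUTE allowed; 0 or NULL = denied or object not visible
       HAS_PERMS_BY_NAME(N'dbo.SomeCsfProcedure', N'OBJECT', N'EXECUTE') AS can_execute;

-- Return to the caller's own security context.
REVERT;
GO
```

A result of 0 or NULL in either column of the second query matches the failure described above: the Session identity lacks access to the database objects, so calls made under that identity raise an exception.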