The Tsecurity system provides two major functions to the client: authentication and authorization. Authentication refers to the process of verifying that a user is who he claims to be, that is, verifying the password for a given user.  Authorization refers to determining what privileges should be afforded to a given user.

In terms of authentication, Tsecurity provides a number of functions for authenticating a user, checking that the password is valid and has not expired, and changing the password for a given user.  In terms of authorization, Tsecurity provides the concept of a Tsecurity Application for defining classes of privileges and associating those privileges with selected sets of domain users and domain user groups. In both cases, Tsecurity clients connect across the network to a Tsecurity host service and remotely calls functions through the host service.

User authentication through the Tsecurity system has been designed to provide the optimal degree of freedom, flexibility, and, above all, reliability.  Because authentication through the Active Directory server depends on network connectivity, which may be slow or even broken, the Tsecurity system implements a caching system for user credentials and information.  This caching system allows for very fast response to authentication requests and reliability even when the connection to the Active Directory server is down, but at the same time minimizes the possibility of errors in authentication.

User authentication in Tsecurity involves two separate threads.  The primary thread (Thread A) is responsible for the following items:

• Enforcing user-defined timeouts on the network calls used in the second thread.

• Checking for user credentials in the local cache file.

• Ultimately returning the authentication success or failure indication to the client.

The secondary thread (Thread B) is responsible for the following items:

• Authenticating the username and password against the local host (for local users) or against the Active Directory (for domain users).

• Updating the local cache file with the latest known user credentials.

Though the local cache file is an XML ASCII text file, private user information is stored in a hashed format to keep private information such as the user password secure.

Following is a flow chart of the sequence of events during authentication:

Further information about the various timeout periods described in the above flow chart can be found in the Tsecurity Service Configuration [LINK] section of this manual.

Simply put, a Tsecurity Application is merely the definition of the associations between various domain members and the special subset of privileges that they are given. The term application in this sense does not necessarily refer to a single executable program; although it may be the case that the Tsecurity Application only governs a single executable program, it is better to think of a Tsecurity Application more generally as a set of rules used by a piece of software to control access to itself.

As an example, consider a group of custom-built screens for a rolling mill control system.  The system owner would want his mill operators to be able to control the schedule through the Preset screen.  Maintenance personnel would also be able to adjust the schedule, but should additionally be able to run various tests from the Diagnostics screen.  And above all, engineers should be given rights to both the Preset and Diagnostic screens, as well as being able to adjust any system tuning parameters from the Tuning screen.

Following are definitions of some key terms used within a Tsecurity Application:

• A privilege is a single right that can be given to an application user.

• A domain member is refers to either a user defined on a domain or a group of users defined on a domain.  A domain can be either the local domain or an Active Directory.  The names of domain members are specified in a domain\username format.

• An application privilege class, or more simply a privilege class, is the combination of a group of privileges with a group of domain members.  Each of the domain members contained in a privilege class are given each of the privileges associated with that privilege class.  A privilege class exists only within the definition of a Tsecurity Application.

Continuing the rolling mill example from above:

In order to manage security for the rolling mill applications, the system owner would define a Tsecurity Application named RollingMillScreens.  Within this application there would be three privilege classes defined: Operators, Maintenance, and Engineers.  In addition, there would be three privileges defined: ModifyPreset, RunDiagnostics, and TuneSystem.  Privileges would be assigned to application privilege classes as follows:

Once the privilege classes and associated privileges have been defined, the system owner would need to add domain members to each of the appropriate privilege classes.  For instance, Joe the Operator would be added to the list of members of the Operators group, Jane the Maintenance Tech would be added to the list of members of the Maintenance group, and Bob the Engineer would be added to the list of members of the Engineers group. 

Alternatively, if there is an Active Directory group already defined that contains of all engineers for the rolling mill, this AD group could be added to the Engineers application privilege class in the RollingMillScreens Tsecurity application and any domain user contained in that group in the Active Directory would be given all three of the above rights specified for the Engineers application privilege class.

This complete set of information, including the privileges, application privilege classes, domain members, and each of their interrelationships, comprises a Tsecurity Application. The definition for each Tsecurity Application is stored on the host in a separate XML file called an Application Security Configuration File (ASCF).  These are described in detail in Application Security Configuration Files [LINK].

It is important to point out that under the Tsecurity framework the Tsecurity system itself is not responsible for preventing unwanted access to resources; rather it is a tool that allows other custom software to quickly, easily, and reliably determine if a given user should be provided access to some resource within that custom software.  Given that a Tsecurity Application is merely a definition of user access rules within a set of software, it is important to realize that the software itself is ultimately responsible for managing its own the security.

Generally speaking, a custom Tsecurity client would use Tsecurity in the following fashion:

1. The custom client queries the user for his username, domain, and password.

2. The client makes a call into the Tsecurity system to authenticate this username, domain, and password.

3. The Tsecurity system responds, indicating whether or not the password is correct.

4. If the password is not correct, the client denies the user access and requires a valid login.  If the password is correct, the client then makes a second call to the Tsecurity system to retrieve the list of privileges provided to this user within a given Tsecurity Application.  This Tsecurity Application must already be defined on the Tsecurity system.

5. The Tsecurity system then responds with either the appropriate list of privileges or an indication that the supplied user does not have any rights to the Tsecurity Application.

6. The client then uses the returned list of user privileges to modify its behavior accordingly.  For instance, it may enable or disable various displays and inputs depending on whether or not the user has rights to those resources.

Tsecurity Applications are configured and modified using an application called the ASCFEditor.  The ASCFEditor is itself a client to the Tsecurity system; when a user executes the ASCFEditor, it requires that the user first authenticate with a username, domain, and password before it allows him to make changes to a specified Tsecurity Application configuration.  A given user can only modify a Tsecurity Application configuration if he is specified as an owner of that application.  A single Tsecurity Application may have only one or may have many different owners that have rights to change the Tsecurity Application configuration.

By default, there is one special Tsecurity Application named Tsecurity; this is the Tsecurity Application that the ASCFEditor uses to determine the security rules that it must follow. In particular, owners of the Tsecurity Tsecurity Application are deemed Tsecurity administrators.  These users have the rights within the ASCFEditor to create new Tsecurity Applications and specify which users are owners of which Tsecurity Applications.

Within the Tsecurity Application environment, each individual privilege is assigned to a single bit within a 64-bit integer.  Consequently, the entire set of privileges granted to a user can be represented as a single 64-bit integer corresponding to the bitwise-OR of each of the individual privileges assigned to that user.  This 64-bit integer is called the Security Access Key (SAK) for that user. 

In the rolling mill example provided above, for instance, the privileges may be assigned bits as follows:

The SAK for each privilege class would therefore be the bitwise-OR of the bitmasks corresponding to each of the privileges granted to that privilege class.  As a result, the SAK for each privilege class would be as follows:

The highest-order bit of the SAK is reserved to indicate an error.  Consequently, there is a maximum of 63 distinct privileges that can be specified in a Tsecurity Application

Generally speaking, when a Tsecurity client wishes to retrieve the SAK for a specified user within a given Tsecurity Application, the Tsecurity host must perform the following steps:

1. Find all privilege classes of which the specified user is a member.

2. Bitwise-OR the SAKs specified for each of these privilege classes into a composite 64-bit SAK for the user.

3. Return this composite SAK and the associated privilege names to the calling client.

In the simplest Tsecurity Applications, where all of the domain members of all of the privilege classes listed in the Tsecurity Application definition are actual domain users, the first step above is quite simple.  In this case all application privilege class memberships are explicitly specified in the Tsecurity Application definition. 

Using the above example, privilege class membership for a Tsecurity Application may be specified as follows:

Consequently, when a Tsecurity client requests the SAK for Joe the Operator, the Tsecurity host can very quickly determine that Joe is only a member of the Operators application privilege class and return the appropriate SAK.

However, consider a more complicated Tsecurity Application, which in addition to explicitly specifying Windows users as members of its application privilege classes, also specifies an entire Active Directory user group as a member of one of its application privilege classes.  In this case, in order to evaluate application privilege class membership for a specified domain user, the Tsecurity host must query the Active Directory to determine group membership within the Active Directory.  Depending on network connectivity and availability, this query may be relatively quick (~1 second) or it may take quite a while to complete or time out.

Following from the above example, suppose all domain engineers were also specified as members of the Engineers application privilege class:

In this case, when a Tsecurity client requests the SAK for Joe the Operator, the Tsecurity host knows immediately that Joe is a member of the Operators application privilege class, but the Tsecurity host must also query the Active Directory to determine if Joe is also a member of the MyDomain\DomainEngineersGroup domain user group.

Because specifying domain groups in a Tsecurity Application definition will significantly slow SAK retrieval for all users for that Tsecurity Application, a special flag is provided for each user listed in a Tsecurity Application definition to specify how his SAK should be calculated. This flag is defined as:

• ExplicitMembershipOnly = True (Default)
  The user’s SAK should be calculated based only on the application privilege class memberships explicitly specified by the Tsecurity Application definition.

In the example above, if this flag is set true for Joe the Operator and a request is made to retrieve his SAK, the Tsecurity host would only indicate that he is a member of the Operators application privilege class.

• ExplicitMembershipOnly = False
  The Active Directory should be queried to find all domain group memberships before determining membership for the various application privilege classes.

In the example above, if this flag is set false for Joe the Operator and a request is made to retrieve his SAK, the Tsecurity host would take the time to query the Active Directory to determine if he is also a member of the MyDomain\Domain Engineers Group before calculating his SAK.

Flow chart for evaluating user SAKs

The Tsecurity system comes in two different installation packages.  First, Tsecurity is included as an integrated piece of a full TSENTRY installation.  Alternatively, Tsecurity can be installed as a standalone package.  However, both the standalone version of Tsecurity and the integrated version installed with TSENTRY cannot both be installed on the same system at the same time.  If a host must be converted from a TSENTRY system to a plain Tsecurity host, or vice versa, the original software should first be uninstalled before installing the new version.  In either case, the latest installation files can be obtained from the support section of the TSENTRY web site: http://www.tsentry.com.

Once Tsecurity has been installed (either as part of a TSENTRY installation or as a standalone package) there are two additional steps that must be completed before the system will be fully operational:

1. Use the TsecurityCfg [LINK] application to setup and configure the Tsecurity service.

2. Use the ASCFEditor [LINK] to create and configure a Tsecurity application.

Tsecurity can be installed on any system, workstation or server, domain member or standalone; however, there are a number of special considerations that must be taken into account for the installation process to succeed.

1. In order to allow the installation process to make required system changes, the installer should only be executed by a user with administrative privileges.

2. The installation of Tsecurity will create and configure a local user named Tsentry and attempt to give this user the right to log on as a service.  However, if the Tsecurity host is a member of a domain, there may be some issues with granting this right.  In particular, some domains explicitly manage the Log on as a Service right.  In this case, while the installer process can temporarily grant the local Tsentry user the right to Log on as a Service, the next time that the system is restarted this user will have this right revoked.  Consequently the Tsecurity service will be unable to start.

In this case there are several options:

• Move the Tsecurity installation to a different system that is either not a member of a domain or is a member of a domain that does not manage the Log on as a Service right.

• Modify the domain security policy to explicitly add the Tsentry user by name (e.g. “Tsentry”) to the list of users given this right on the domain controller.  This step must be manually performed by a domain administrator.  Note that configuring the system in this way means that any system in the domain that defines a local user named Tsentry will allow that user to start services.

• Add the Tsentry user to a local group that is already listed as having the right to Log on as a Service on the domain controller.  For instance, frequently local administrators are given the right to Log on as a Service; adding the local Tsentry user to the local Administrators group will therefore give him the right to start the Tsecurity service. 

The installation process should install the following folders under the installation path on the Tsecurity host system:

The installation process registers the Tsecurity service on the local host.  This service is configured to automatically start with Windows and executes under the Tsentry account, which is a local account on the Tsecurity host also created by the installation process.

This service is described in more detail in the Tsecurity Service [LINK] section.

The following registry changes are made by the installation process:

Application Security Configuration Files (ASCF) are XML files that specify the rules for a given Tsecurity Application.  Each Tsecurity Application is defined by a separate file stored in the ASCF directory, whose location is specified in the registry.

Within the root <ASCF> element of the ASCF XML file, there are three types of records allowed.  These are defined below:

<Owner>
Specifies an owner of this Tsecurity Application.

<Name>
Specifies the name of the owner, specified in Domain\Username format.  This must be a valid Windows user existing either on the local host or in the Active Directory.
</Name>
</Owner>

<Privilege>
Defines a privilege in this Tsecurity Application.

<Name>
Specifies the name of the privilege.
</Name>

<Bit>
Specifies the bit index of the privilege (0-62).
</Bit>
</Privilege>

<PrivilegeClass>
Defines an application privilege class in this Tsecurity Application.

<Name>
Specifies the name of the application privilege class.
</Name>

<Privilege>
Specifies the name of a privilege that is granted to all users in this application privilege class.
</Privilege>

<ExplicitSAK>
Specifies the explicit SAK associated with this application privilege class.  This key is kept only for backwards compatibility with older ASCF’s that do not specify named privileges.
</ExplicitSAK>
</PrivilegeClass>

<DomainMember>
Specifies a domain member (domain user or user group) referenced in this Tsecurity Application.

<Name>
Specifies the name of the user, specified in Domain\Username format.  This must be a valid Windows user or a valid Windows user group existing either on the local host or in the Active Directory.
</Name>

<Type>
Specifies whether this <User> corresponds to a Windows user (User) or a Windows user group (Group).
</Type>

<ExplicitMembershipOnly>
Boolean flag indicating how the SAK for this user should be calculated.  For more details refer to the Evaluating User SAKs section under Tsecurity Fundamentals.
</ExplicitMembershipOnly>

<MemberOf>
Specifies an application privilege class of which this user or user group is a member.  There may be multiple <MemberOf> entries specified for each <User>.
</MemberOf>
</DomainMember>

Following is a sample ASCF corresponding to the example Tsecurity Application described in the documentation:

<ASCF>
  <Owner>
    <Name>MyDomain\Sam the Owner</Name>
  </Owner>
  <Owner>
    <Name>MyDomain\Bob the Engineer</Name>
  </Owner>

  <Privilege>
    <Name>OperPriv</Name>
    <Bit>0</Bit>
  </Privilege>

  <Privilege>
    <Name>MaintPriv</Name>
    <Bit>1</Bit>
  </Privilege>

  <Privilege>
    <Name>EngPriv</Name>
    <Bit>2</Bit>
  </Privilege>

  <Privilege>
    <Name>ModifyRpsRule</Name>
    <Bit>25</Bit>
  </Privilege>

  <Privilege>
    <Name>ModifyTrigger</Name>
    <Bit>26</Bit>
  </Privilege>

  <Privilege>
    <Name>ModifyDataSet</Name>
    <Bit>27</Bit>
  </Privilege>

  <Privilege>
    <Name>EditProcess</Name>
    <Bit>28</Bit>
  </Privilege>

  <Privilege>
    <Name>ControlProcess</Name>
    <Bit>29</Bit>
  </Privilege>

  <Privilege>
    <Name>ProbeWrite</Name>
    <Bit>30</Bit>
  </Privilege>

  <PrivilegeClass>
    <Name>Operators</Name>
    <Privilege>OperPriv</Privilege>
  </PrivilegeClass>

  <PrivilegeClass>
    <Name>Maintenance</Name>
    <Privilege>MaintPriv</Privilege>
  </PrivilegeClass>

  <PrivilegeClass>
    <Name>Engineers</Name>
    <Privilege>OperPriv</Privilege>
    <Privilege>EngPriv</Privilege>
    <Privilege>MaintPriv</Privilege>
    <Privilege>ControlProcess</Privilege>
    <Privilege>EditProcess</Privilege>
    <Privilege>ModifyDataSet</Privilege>
    <Privilege>ModifyRpsRule</Privilege>
    <Privilege>ModifyTrigger</Privilege>
    <Privilege>ProbeWrite</Privilege>
  </PrivilegeClass>

  <DomainMember>
    <Name>MyDomain\Joe the Operator</Name>
    <Type>User</Type>
    <ExplicitMembershipOnly>True</ExplicitMembershipOnly>
    <MemberOf>Operators</MemberOf>
  </DomainMember>

  <DomainMember>
    <Name>MyDomain\Jane the Maintenance Tech</Name>
    <Type>User</Type>
    <ExplicitMembershipOnly>True</ExplicitMembershipOnly>
    <MemberOf>Maintenance</MemberOf>
  </DomainMember>

  <DomainMember>
    <Name>MyDomain\Bob the Engineer</Name>
    <Type>User</Type>
    <ExplicitMembershipOnly>True</ExplicitMembershipOnly>
    <MemberOf>Engineers</MemberOf>
  </DomainMember>

  <DomainMember>
    <Name>MyDomain\Domain Engineers Group</Name>
    <Type>Group</Type>
    <ExplicitMembershipOnly>False</ExplicitMembershipOnly>
    <MemberOf>Engineers</MemberOf>
  </DomainMember>
</ASCF>

The Tsecurity service is a process that runs on the Tsecurity host to handle requests from Tsecurity clients across the network.  This process is registered as a Windows service executing as the Tsentry user, which is created upon installation of the Tsecurity package.  Though the Tsentry user is created as an administrative user on the local host, it does not have rights to log on remotely and thus does not pose a significant security issue.  The Tsecurity service itself acts as a TCP .NET Remoting server to receive requests from Tsecurity clients.

Because it runs as a service, this process logs any sequencing or error messages to the Windows Application Event Log.  The detail of messages logged is controlled by a debug level setting in the configuration file for the Tsecurity service; the higher the debug level, the more detail is logged to the event log.

The binary executable file for the Tsecurity service is named Tsecurity.exe and is located in the \bin\ subdirectory beneath the Tsecurity installation path.

The Tsecurity service is fully configurable via a configuration file named Tsecurity.exe.config located in the same directory as the Tsecurity service binary executable.  This is an XML file consistent with the application config file format specified by Microsoft .NET applications.

For detailed information about the configuration of the Tsecurity service, refer to the TsecurityCfg [LINK] section of this manual.

Following is a sample Tsecurity.config file:

<?xml version="1.0" encoding="Windows-1252"?>
<!-- Configuration file for Tsecurity Service -->
<configuration>
  
  <configSections>
    <!-- Do not edit this section -->
    <section name="TsecuritySettings"
     type="TPRI.Tsecurity.TsecuritySettingsSectionHandler,TPRI.Tsecurity" />
    <section name="TsecurityDomains"
     type="TPRI.Tsecurity.TsecurityDomainsSectionHandler,TPRI.Tsecurity" />
  </configSections>
    
  <appSettings>
  </appSettings>

  <TsecuritySettings>

    <!-- ASCF folder path -->
    <add key="ASCFFolder" value="D:\tpriNtRt\Tsecurity\ASCF" />

    <!-- Port number for TCP listener -->
    <add key="PortNumber" value="8080" />

    <!-- Debug level for Event logging -->
    <add key="DebugLevel" value="30" />

    <!-- Maximum time (in milliseconds) to wait before timing out
         authentication requests -->
    <add key="AuthenticationTimeout" value="20000" />

    <!-- Amount of time (in milliseconds) to delay before deferring
         authentication requests to the info stored in the user cache -->
    <add key="UserCacheDelayPeriod" value="0" />

    <!-- Amount of time (in minutes) after user info in the
         cache file has been verified before it should be
         verified again -->
    <add key="UserCacheVerifiedPeriod" value="10" />

    <!-- Expire time (in minutes) for user info in the cache file -->
    <add key="UserCacheExpiredPeriod" value="1440" />

    <!-- Wait time (in milliseconds) to allow executing directory 
         operations to finish before timing out pending operations -->
    <add key="DirectoryMutexTimeout" value="30000" />

    <!-- Browse user ID and password for specified domains -->
    <browseUser Domain="MYDOMAIN1" UserID="MYDOMAIN1\MyUser1"
     Password="44913F40A6806B9719B52B670731704685056EE4B60B8598" />

  </TsecuritySettings>
   
  <TsecurityDomains>
    <!-- If enabled, always include any domains listed in the -->
    <!-- 'AlwaysInclude' section below in the list of domains -->
    <!-- presented to the user.  The first domain marked with -->
    <!-- 'default=true', if any, will be the one initially    -->
    <!-- selected for the user.                               -->
    <AlwaysInclude enable="True">
      <domain name="DOMAIN1" default="True" />
      <domain name="DOMAIN2" />
    </AlwaysInclude>

    <!-- If enabled, filter the list of available domains so that    -->
    <!-- it includes only those listed in the 'FilterAvailable'      -->
    <!-- section (in addition to the 'AlwaysInclude' domains above). -->
    <!-- The first domain marked with 'default=true', if any, AND    -->
    <!-- found in the list of available domains, will be the one     -->
    <!-- initially selected for the user (assuming no domain in the  -->
    <!-- 'AlwaysInclude' list is also marked as the default).        -->
    <FilterAvailable enable="False">
      <domain name="DOMAIN2" default="True" />
      <domain name="DOMAIN5" />
    </FilterAvailable>
  </TsecurityDomains>

</configuration>

The TsecurityCfg application is used to configure the Tsecurity service.  It presents a set of tabbed pages containing the various options and parameters that define how the Tsecurity service operates.  Because TsecurityCfg has complete control over how the Tsecurity system operates, access to this application should be limited exclusively to Tsecurity administrators.

The main portion of the TsecurityCfg display is a set of tabbed pages, one page for each category of Tsecurity-related configuration parameters.  Each of these pages is described below.

System parameters define general operation of the Tsecurity system. 

The following system parameters can be modified from this page:

Each of these parameters is stored in the <TsecuritySettings> section of the Tsecurity.exe.config file.

Timing parameters define the various delays, intervals, and timeouts used during authentication and authorization by the Tsecurity system. 

The following timing parameters can be modified from this page:

Each of these parameters is stored in the <TsecuritySettings> section of the Tsecurity.exe.config file.

The Domains page allows the system administrator to customize which domains are returned by the Tsecurity service in the list of domains available for login.

Normally, the Tsecurity service returns the list of all domains that can be reached by the Tsecurity service; however, this list may be long and unwieldy and include domains to which a given application does not want users to authenticate.  Consequently there are a couple options for filtering this list so that only selected domains are returned.

Always Include

If the Enabled flag is checked, domains listed in the Always Include will always be returned in the list of domains available for login, regardless of whether or not the Tsecurity system can reach those domains.  The first domain marked as default, if any, will be initially selected as the default login domain. 

If the Enabled flag is left unchecked, this list will not have any effect on the list of returned domains.

Filter Available

If the Enabled flag is checked, the list of available domains discovered by the Tsecurity system is filtered so that the returned list includes only those that are listed in the Filter Available list (in addition to the Always Include domains above).  The first domain in this list marked as default, if any, and also found in the list of available domains, will be initially selected for the user (assuming no domain in the 'AlwaysInclude' list is also marked as default).

If the Enabled flag is left unchecked, the list of discovered domains will be returned in full.

For example, suppose that three domains are discovered by the Tsecurity service, DOMAIN1, DOMAIN2, and DOMAIN3.  In addition, assume that the Always Include and Filter Available lists are configured as shown in the following table:

Given the above lists, the table below illustrates which domains will be returned from the Tsecurity service depending on which of the above two lists are enabled.

In both of these lists, the checkbox is used to indicate which domain is marked as default.

For the Tsecurity service the domain configuration lists are stored in the <TsecurityDomains> subnode in the <TsecuritySettings> section of the Tsecurity.exe.config file.

The Browse Users page is used to specify credentials that can be used to browse the active directory structure.  These users are only required in certain situations as described below.

The Under normal circumstances, when a client wishes to retrieve the SAK for a given user from a Tsecurity host the client must provide the user’s password.  This password is required if all of the following circumstances are true:

• Domain user groups are listed as members of one or more of the application privilege classes for the Tsecurity Applications.

• The user is either not explicitly listed in the Tsecurity application configuration or the user is defined with the ExplicitMembershipOnly parameter set to false. 

• The user is not a local user defined on the Tsecurity host system.

In this situation the Tsecurity host must query the Active Directory to retrieve the list of groups in which the user is either explicitly or implicitly (via nested groups) a member.  In order to gain access to the Active Directory the Tsecurity host must have a valid set of credentials.  Hence, the Tsecurity host uses the credentials of the user himself to gain access.

However, there are cases where the client wishes to retrieve the SAK for a user for whom it does not have the password.  In this case the client passes an invalid reference (NULL in C/C++ or Nothing in VB.NET) for the password.  Still, though, the Tsecurity host must have a valid set of credentials to use while querying the Active Directory.  Consequently, the Tsecurity host must be provided a set of credentials for a browse user in each of the domains in which the host must locate users without a password passed from the client.  Only one browse user can be specified for each domain, though a single browse user can be specified for multiple domains.  The browse user need not actually be a member of the domain, though he must have browse rights to that domain.

The browse user credentials are stored in the <TsecuritySettings> section of the Tsecurity.exe.config file.  Passwords are encrypted so that they are not stored in plain text.

The Tsecurity Administrators page is used to define the list of Tsecurity Administrators for the Tsecurity host.

As described in the Managing Security Applications [LINK] section, a Tsecurity Administrator has full control of the Tsecurity system.  Only a Tsecurity Administrator has the ability to create and destroy Tsecurity Applications and is responsible for specifying the owners of individual Tsecurity Applications.

The name of each Tsecurity Administrator is listed as an owner of the special Tsecurity Tsecurity Application, which is stored in the Tsecurity.xml file in the ASCF folder specified on the System Parameters page.

The ASCFEditor is an application for Tsecurity Application owners and the Tsecurity administrator to use to create, modify, and delete Tsecurity Applications configured on Tsecurity hosts.  It is a VB.NET Forms application that acts as a client to the Tsecurity host service; it connects via .NET Remoting to the desired Tsecurity host to query for Tsecurity Application configurations and update them accordingly.

Upon starting the ASCFEditor, the user is presented with the Login screen. 

First, the user must specify the Tsecurity host and port number to which he would like to connect.  Once he has entered or chosen the host and port number, clicking on the Connect button will attempt to connect to the Tsecurity service running on the specified host.

Once connected, the user will need to authenticate to the Tsecurity host.  Valid users are any Tsecurity Application owners or the Tsecurity Administrator (specified as the owner of the special Tsecurity Tsecurity Application). Clicking on the Login button will attempt to authenticate the user on the host.

If the user is successfully authenticated and is either a Tsecurity Application owner or the Tsecurity Administrator, he will be presented with the ASCF Editor screen.

The ASCF Editor screen displays all Tsecurity Applications owned by the currently logged in user (or all Tsecurity Applications configured on the host, in the case of the Tsecurity Administrator). 

The display uses a tree format to present all of the configuration parameters for each of the Tsecurity Applications.  This format both provides the user with a complete view of all of the Tsecurity Applications as well as allowing him to drill down to any configuration parameter he wishes to view. 

Effectively this is simply a visual front end for displaying and modifying data and parameters contained in Application Security Configuration Files (ASCF); for more information about these parameters refer to the Application Security Configuration Files section.

Each of the root nodes in the tree corresponds to an individual Tsecurity Application (and corresponding ASCF) owned by the current user.  Beneath each root ASCF node are three subnodes:

In addition, the tree indicates all cross-links between objects in the Tsecurity Application configuration.  For instance, if a user is associated with a particular application privilege class, that user will be listed under the Domain Members for the application privilege class, and also the application privilege class will be listed under the Application Privilege Class Memberships for the domain member. 

Modifying a Tsecurity Application Configuration

Most simple changes to a configuration, such as changing the Explicit SAK associated with a given application privilege class, can be made simply by left-clicking on a parameter value.  The parameter value itself will become an editable field, which the user can modify appropriately.

More complicated configuration changes, such as configuring a user for a Tsecurity Application, as well as many more options, are available by right-clicking at various locations within the display.  Depending on where the user right-clicks, a context-dependent menu is presented with a variety of options.

Each of the available menu options is described in the following table.

Find and Select User or Group Form

The Find and Select User or Group form is used to help locate directory objects for adding user accounts and user groups to Tsecurity Applications.  This form is analogous to the native tools provided by Windows for managing users and groups within its own security infrastructure.

The very top portion of the form provides an entry box for the ID and full name of the desired directory object and a set of options to define how this object should be treated, i.e. as a directory user or as a user group defined on the directory.  Once the appropriate choices have been specified, the Accept button can be pressed to make the changes to the application configuration and close the form.  Alternatively, the Cancel button can be pressed to cancel any choices and leave the configuration unchanged.

In order to help eliminate typing mistakes, the middle section of this form provides a set of controls for searching for existing users and user groups either on the local Tsecurity host or in the Active Directory.  This tool is used as follows:

1. First, in the Credentials for Directory Access box the user must supply credentials for searching through the directory.  These credentials must correspond to a user with browse rights for the desired search domain.

2. Next, in the Search for Users and Groups box the user must specify the domain to be searched.  This is a drop-down display of all of the domains to which the Tsecurity host has access.  In addition, a search name filter can be specified to help speed the search results; only users and groups that begin with this string will be returned.  A blank search name filter will return all users and groups found in the specified domain.  Note that searching without a filter in very large domains can be very time consuming, so specifying a search filter is highly recommended.

3. Finally, the user should click the Find Now button to initiate a search.  If the search takes too long the user may click the Stop button to cancel the search and reconfigure a new one.

Below the search configuration section is a list box to display the results of the search.  Once the search has completed the results will be displayed here. 

Single clicking on an entry in the results list will display the selection at the top of the form, including the name of the user account or user group and the selection as to whether this object should be treated as a user account or a user group.  The user can then click on the Accept button to make the selection official and close the form.  Alternatively, simply double clicking on an entry in the results list will automatically accept the selection and similarly close the form.

Note that if the Find and Select User or Group form was invoked to choose an owner for a Tsecurity Application, only user accounts will be displayed in the search results and the option to identify the selected object as a user group will be disabled.  This is because Tsecurity Application owners must be individual user accounts; they cannot be user groups.

Adding Privileges to Application Privilege Classes and Vice Versa

Once an application security group has been created in a Tsecurity Application, and a privilege has been added to the same Tsecurity Application, an association can be made between the two.  Right-clicking on an application privilege class presents the Select Privileges for Privilege Class option in the displayed context-dependent menu.  Choosing this option invokes the Select Membership form, which allows the user to make the desired selections simply by checking and unchecking memberships as desired.

Pressing the Accept button makes any changes to the memberships official, while pressing the Cancel button cancels any changes made within this form.

Alternatively, a privilege can be associated with an application privilege class simply by dragging and dropping one object over the other within the tree view of the Tsecurity Application: left-click-and-hold on the privilege name and move the mouse up over the desired application privilege class.  Releasing the left mouse button will drop the privilege into the application privilege class so that it is now listed as one of the Privileges for that application privilege class. 

Adding Domain Members to Application Privilege Classes and Vice Versa

Once an application security group has been created in a Tsecurity Application, and a user has been added to the same Tsecurity Application, an association can be made between the two in several different ways.  First, right-clicking on an application privilege class or on an application user presents the Select Domain Members for Privilege Class and Select Privilege Classes for Domain Member options, respectively, in the displayed context-dependent menu.  Choosing either of these options invokes the Select Membership form, which allows the user to make the desired selections simply by checking and unchecking memberships as desired.

Pressing the Accept button makes any changes to the memberships official, while pressing the Cancel button cancels any changes made within this form.

Alternatively, a domain member can be associated with an application privilege class simply by dragging and dropping one object over the other within the tree view of the Tsecurity Application. 

To add a domain member to an application privilege class left-click-and-hold on the domain member name and move the mouse up over the desired application privilege class.  Releasing the left mouse button will drop the domain member into the application privilege class so that he is now listed as one of the Domain Members for that application privilege class.  At the same time, the application privilege class will be automatically added to the list of Application Privilege Class Memberships for the user object.

By the same token, to add an application privilege class membership to a given domain member, left-click-and-hold on the application privilege class name and move the mouse down over the desired domain member. Releasing the left mouse button will drop the application privilege class into the domain member so that it is now added to the list of Application Privilege Class Memberships for the domain member.  At the same time the domain member will be automatically added to the list of Domain Members for the privilege class.

Retrieving Security Access Keys and the Authenticate User Form

Once a domain member and an application privilege class have been associated with one another, the association can be tested by right-clicking on the user name and choosing the Get Security Access Key menu item. If the user object corresponds to a real user account (Object Type is specified as User), and that user is configured to use explicit membership specified in the ASCF only when calculating his SAK (the Use Explicit Membership Only flag is set to True), the SAK can be calculated directly.

If the selected user object corresponds to a real user account, but rather than only using explicit membership in the ASCF, it is configured to use implicit membership in domain groups when calculating his SAK (i.e., the Use Explicit Membership Only flag is set to False), then the Authenticate User form will be displayed to query how the SAK should be calculated. 

In this case, the password for this user must be supplied to access the group membership in the directory.  This is because the Tsecurity host does not necessarily have the credentials necessary to browse the directory for this information.  Alternatively, if the Do Not Supply Password box is checked, the Tsecurity host will be instructed to check Active Directory group membership using the any available domain browse accounts that it has been configured to use.  Refer to the[LINK] Tsecurity Service Configuration section for more information about configuring the Tsecurity host to use domain browse accounts.

In all other circumstances choosing the Get Security Access Key menu item allows the SAK to be retrieved for any arbitrary user.  In this situation the Authenticate User form is displayed to retrieve the user name, password, and domain.

Saving a Tsecurity Application Configuration

Any time a Tsecurity Application has been modified, it must be saved back to the host before the changes will be made official. If a Tsecurity Application has been modified but not yet saved, its name is displayed followed by an asterisk (*).  A Tsecurity Application can be saved to the host by right-clicking on the Tsecurity Application name and selecting the Save Application menu item.

The following sequence demonstrates the creation of a simple new Tsecurity Application from scratch.  In this example it is assumed that two users, MyOwner and MyUser, exist in the domain MyDomain, and that MyUser is a member of the MyDomain group MyGroup.  To replicate this example on your system, please replace MyOwner, MyUser, MyDomain, and MyGroup with appropriate values for your system configuration.

The example Tsecurity Application created below is owned by the domain user MyDomain\MyOwner.  It consists of two application privilege classes, Operators and Maintenance.  It specifies a domain user MyDomain\MyUser as a member of the Operators application privilege class and a domain group MyDomain\MyGroup as a member of the Maintenance application privilege class.

This example further demonstrates how Security Access Keys are calculated under various configuration scenarios, including explicit and implicit privilege class membership.

1. Start the ASCFEditor, connect to a Tsecurity host, and log in as the Tsecurity Administrator.

2. Create a new Tsecurity Application as follows:

   1. In the ASCF Editor Screen, right click and choose the New Application menu item.

   2. Single-left-click on the newly created application, wait for the application name to become editable, and modify it to read ExampleASCF.

3. Configure the domain user MyDomain\MyOwner as an owner for the new Tsecurity Application as follows:

   1. Right click on the Application Owners label and choose the Add Owner menu item.  This will display the Find and Select User or Group form.

      1. Select MyDomain as the search domain from the dropdown box, enter appropriate credentials for browsing that domain (e.g. the user MyDomain\MyOwner and his password), and click the Find Now button.

      2. Once the results have been displayed, find and double click on the MyOwner user account.

   2. The selected user account MyDomain\MyOwner should now be added to the list of Application Owners for this Tsecurity Application.  At this point, you may either save the application and log back in as this user (since he will then have write access to this Tsecurity Application as one of the registered owners) or continue to act as the Tsecurity Administrator.

4. Create a new privilege for this Tsecurity Application as follows:

   1. Right click on the Application Privilege Bits and choose the Edit Privileges menu item.  This will display the Configure Application Privileges dialog.

   2. Single-left-click in the first row in the Configure Application Privileges dialog directly below the Name header, wait for the value to become editable, and modify it to read OperPriv.

5. Create a new application privilege class for this Tsecurity Application as follows:

   1. Right click on the Application Privilege Classes and choose the New Privilege Class menu item.  This will add a privilege class to the list.

   2. Single-left-click on the new application privilege class name, wait for the privilege class name to become editable, and modify it to read Operators.

6. Associate the OperPriv privilege with the Operators application privilege class as follows:

   1. Expand both the Application Privilege Bits and the Application Privilege Classes nodes.

   2. Single-left-click-and-hold on the OperPriv privilege, drag it down over the Operators privilege class, then release the left mouse button.

7. Add the MyDomain\MyUser domain member to this Tsecurity Application as follows:

   1. Right click on the Domain Members label and choose the Add Domain Member menu item.  This will display the Find and Select User or Group form.

      1. In the Credentials for Directory Access groupbox enter appropriate credentials for browsing the MyDomain domain.

      2. In the Search for Users and Groups groupbox, select MyDomain in the Domain dropdown box.

      3. Click the Find Now button.

      4. Once the results have been displayed, find the MyUser user account and make sure that the icon displayed with indicates that it is an individual user account and not a user group.

      5. Double click on the MyUser user account to accept it as the selection.

   2. The MyDomain\MyUser user account should now be added to the list of Domain Members for this Tsecurity Application.  In addition, the Object Type should be listed as User, indicating that this object is an individual user account and not a user group.

8. Get the new user’s SAK as follows:

   1. Right click on the user name under the Domain Members label and choose the Get Security Access Key menu item.

   2. The ASCFEditor will prompt you to save the current application; click Yes to save.

   3. A message box should be displayed to indicate that the SAK for the MyDomain\MyUser user is 0x0 and that he is not granted any named privileges.  This is appropriate as MyDomain\MyUser has not been added to any application privilege classes and thus he has not yet been given any privileges.

9. Add the new member to the Operators application privilege class as follows:

   1. Left-click-and-hold on the MyDomain\MyUser name, drag him up over the Operators application privilege class, and release the mouse button.

   2. Click Yes when prompted to verify that the user should be added to the application privilege class.

   3. The MyDomain\MyUser user should now be listed under the Domain Members for the Operators application privilege class, and the Operators privilege class should be listed under the Application Privilege Class Memberships for the user.

10. Get the MyDomain\MyUser user’s SAK again as follows:

    1. Right click on the MyDomain\MyUser user name under the Domain Members label and choose the Get Security Access Key menu item.

    2. The ASCFEditor should prompt you to save the current application; click Yes to confirm and save.

    3. A message box should be displayed to indicate that the SAK for the MyDomain\MyUser user is 0x1 and that he is granted the OperPriv privilege.  This is appropriate as MyDomain\MyUser is now a member of the Operators application privilege class and thus he has privileges specified for that privilege class.

11. Create a new privilege as follows:

    1. Create a new privilege like OperPriv above, but name it MaintPriv and place it in the second row in order to associate it with bit 1 in the security access key.

12. Create a new application privilege class as follows:

    1. Create a new application privilege class like Operators above, but instead name it Maintenance and add only the new MaintPriv privilege.

13. Add the domain user group MyDomain\MyGroup to this Tsecurity Application as a domain member as follows:

    1. Add a new domain member to the application like MyDomain\MyUser above but select the MyGroup group from the search results.

    2. The MyDomain\MyGroup user group should now be added to the list of Domain Members for this Tsecurity Application.  In addition, the Object Type should be listed as Group, indicating that this object is a user group and not an individual user account.

14. Add the MyDomain\MyGroup user group to the Maintenance application privilege class by dragging and dropping MyDomain\MyGroup over the Maintenance application privilege class just as the MyDomain\MyUser user was added to the Operators application privilege class above.

15. Get the MyDomain\MyUser user’s SAK as before.

    1. A message box should be displayed to indicate that the SAK for MyDomain\MyUser is 0x1.  Since the Use Explicit Membership Only flag for MyDomain\MyUser is set to True, MyDomain\MyUser’s application privilege class membership is limited to what is explicitly specified in the Tsecurity Application configuration.  Hence MyDomain\MyUser is only considered a member of the Operators application privilege class, and the SAK consists only of the SAK specified for that application privilege class.

16. Modify the MyDomain\MyUser user settings so that the Use Explicit Membership Only flag is set to False.

17. Again, retrieve the MyDomain\MyUser user’s SAK as before.

    1. This time, the Authenticate User form should be presented asking for MyDomain\MyUser’s password.  This is required so that the Tsecurity host can use MyDomain\MyUser’s credentials to query for his group membership in the Active Directory.  Enter MyDomain\MyUser’s password and click the OK button.

    2. A message box should be displayed indicating that the SAK for MyDomain\MyUser is 0x3 and that he is granted both the OperPriv and the MaintPriv privileges.  This is appropriate as MyDomain\MyUser still is explicitly listed as a member of the Operators privilege class (with an SAK of 0x1) and is also an implicit member of the Maintenance privilege class (with an SAK of 0x2) through his membership in the MyDomain\MyUser domain group.  Hence the bitwise-OR of the two keys produces the composite SAK 0x3.

This section describes how to create a client that interacts with a Tsecurity host system.

A client application interacts with a Tsecurity host system through an instance of the TPRI.Tsecurity.Client class. This class manages the connection back to the Tsecurity host and exposes several methods for retrieving data from the Tsecurity host.  

The required components for creating a Tsecurity client application are described below.  Complete information for the TPRI.Tsecurity.Client class is available in the TPRI.Tsecurity.Client API section.

First, an application must create an instance of the client class:

' Declare a function return status variable for calls made below
Dim fstatus as integer

' Create an instance of the Tsecurity Client object
Dim tsClient as TPRI.Tsecurity.Client = New TPRI.Tsecurity.Client

Next, the application must initialize the connection to the Tsecurity host:

' Define the host and desired Tsecurity application name
Dim hostName As String = "myTsecurityHost"
Dim portNumber As Integer = 8080

' Initialize the client connection to the host
fstatus = tsClient.Initialize(hostName, portNumber)

The Initialize(..) function should return either ErrNone (= 0) 
to indicate that the object was successfully initialized or return a negative number to indicate a failure.

Once the application has initialized and connected to the host, it can then authenticate a user:

' Define the user credentials
Dim username As String = "myUser"
Dim password As Integer = "myPassword"
Dim domain As String = "myDomain"

' Authenticate the user
fstatus = tsClient.AuthenticateUser(username, password, domain)

The AuthenticateUser(..) function should either return ErrNone (= 0) 
to indicate that the user was successfully authenticated or some negative value to indicate an error.

Finally, the application can retrieve the SAK for the given user:

' Define the desired Tsecurity application name
Dim appName As String = "myASCF"

' Retrive the SAK and privileges for the user
Dim privileges as StringCollection = Nothing
Dim sak as Long = 0
fstatus = tsClient.GetPrivileges(username, password, domain, appName, _
                                 sak, privileges)

The GetPrivileges(..) function should either return ErrNone (= 0) to indicate that the user was successfully authenticated or some negative value to indicate an error.
In each of the Initialize(..),  AuthenticateUser(..), and GetPrivileges(..) functions a negative return value indicates an error.  
These values are defined as public constants in the TPRI.Tsecurity.ErrorCodes module.

Two example clients are provided along with the Tsecurity system. The code for these clients is installed only if the Examples option is selected under the Custom installation selections during software installation.

The two example clients consist of:

• A sample VB.NET Forms project that allows a user to interact with the Tsecurity host through the supplied form.

• A sample ASP.NET project that allows a user to interact with the Tsecurity host through a sample web page.