Security issues

When you develop a component for deployment to COM+, you can define roles that determine which users or groups of users are authorized to perform specific transactions. Then, when you deploy the component, you assign roles to specific users in the COM+ Component Services tool.

Enabling authorization in the Project painter or wizard

When you create a COM/COM+ project using a wizard, you can instruct COM+ to check the security credentials of any client that calls the component. In the Project painter, you can specify checking at both the component and package level on the COM+ Component and COM+ Package property pages.

To ensure that security is enabled, add a role to the COM application in the Microsoft Management Console, add users to the role, and grant the role to the component.

Programmatic security

PowerBuilder provides functions on the transaction service object that you can use in the component to determine programmatically whether the caller is authorized to call a specific method. IsSecurityEnabled determines whether security is enabled for the component. IsCallerInRole determines whether the client process or server process calling a method on the component is in a role that is authorized to call it.

Impersonation

IsCallerInRole looks at the role of the direct caller of the current method. If a client calls a method on a component, and that method accesses a database, the access rights to the database are determined by the security context of the component, not the client. PowerBuilder provides additional functions on the transaction service object to enable the component to assume the security context of the client before performing an operation that the client may not be authorized to perform. ImpersonateClient assumes the security context of the client, IsImpersonating determines whether the component is running in its client’s security context, and RevertToSelf restores the component’s security context.
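
The programmatic check and the impersonation sequence described above can be combined in a single component method. The following is an added example, not code from the PowerBuilder documentation. The method name of_purge_report, its as_path argument, and the role name "Managers" are assumptions made for illustration.

```powerscript
// Hypothetical component method: of_purge_report(string as_path) returns integer
// Returns 1 on success, -1 if the caller is denied or the operation fails.
TransactionServer lts_server
integer li_rc
boolean lb_deleted = FALSE

// Obtain the transaction service object for this component instance
li_rc = GetContextService("TransactionServer", lts_server)
IF li_rc <> 1 THEN RETURN -1

// Fail closed: when COM+ security checking is disabled, IsCallerInRole
// reports the caller as being in the role, so its result alone cannot be
// trusted as an authorization decision.
IF NOT lts_server.IsSecurityEnabled() THEN
	lts_server.SetAbort()
	RETURN -1
END IF

// Role check applies to the direct caller of this method only
// ("Managers" is an assumed role name defined on the COM+ application)
IF NOT lts_server.IsCallerInRole("Managers") THEN
	lts_server.SetAbort()
	RETURN -1
END IF

// Take on the client's security context so the operating system applies
// the client's own access rights to the file, not the component's
IF lts_server.ImpersonateClient() <> 1 THEN
	lts_server.SetAbort()
	RETURN -1
END IF

// Perform the operation only if impersonation is really in effect
IF lts_server.IsImpersonating() THEN
	lb_deleted = FileDelete(as_path)
END IF

// Always restore the component's own security context before returning
li_rc = lts_server.RevertToSelf()
IF li_rc <> 1 OR NOT lb_deleted THEN
	lts_server.SetAbort()
	RETURN -1
END IF

lts_server.SetComplete()
RETURN 1
```

Calling RevertToSelf on every path after a successful ImpersonateClient keeps later work in the same call from running under the client's identity by accident.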