This illustration shows four components of a hypothetical directory-based application security deployment:

A Directory Store containing directory access control policies and application policies stored in the directory

A Directory Server Instance

Application 1 containing the application itself and application resources and operations

Application 2 likewise containing the application itself and application resources and operations

An arrow points from the directory access control policies in the directory store to the directory server instance. This arrow indicates that the directory access control policies are enforced by the directory server instance.

Within the directory store, an arrow points from the directory access control policies to application policies stored in the directory. This arrow indicates that these directory access control policies govern administrative control over application policies stored in the directory.

Two sets of arrows point from elements in the directory store to elements in both Application 1 and Application 2.

The first set of arrows points from the application policies stored in the directory to the applications in Application 1 and Application 2. These arrows indicate that these application policies stored in the directory are enforced by the corresponding application--either Application 1 or Application 2--which, in turn, consults an authorization service to determine access control.

The second set of arrows points from the application policies stored in the directory to the application resources and operations in Application 1 and Application 2. These arrows indicate that the application policies stored in the directory govern user access to application resources and operations for each application.

Finally, within both Application 1 and Application 2, an arrow points from application resources and operations to the application itself. This arrow indicates that these application resources and operations are accessed through the respective application.