When Does the Server Perform ACL Checking?
The Integration Server checks ACLs when:
A client or a DSP invokes a service that resides on the
Integration Server. A client can be a browser user, another
Integration Server, an IS client (using the IS client API), or a custom HTTP client.
You are using
Designer to access (list, create, update, see the source of, delete, or change the ACL assignments of) an element.
You are using
Integration Server Administrator and you try to list or change the ACL assignment of an element.
By default, the Integration Server performs ACL checking against externally invoked services only. Externally invoked services are those that are directly invoked by a client or DSP. You can, however, configure a service to have its ACL checked even if it is internally invoked, that is, invoked by another service running on the Integration Server.
To direct the server to check the execute ACL for a service even when the service is invoked internally, use Designer to set the Enforce Execute ACL property to Always. See webMethods Service Development Help for more information.