The access group from the service package that is used to find the service rules and the service activities to be run must be accessible to the requestors that are operating with this access group.
The authentication activity must be accessible to the access group specified in the service package.
If authenticated, the access group of the authenticated operator is used as the context, rather than the access group of the service package, to find all application-specific rules. That context is reset if the service is pooled and the requestor is returned to the pool.
When selected, authentication occurs only for the first request for stateful services that use pooling and do not destroy the requestor. Subsequent service requests that include the Session ID in the request message continue with the same previously authenticated requestor session.
Note: In high-volume production settings, authentication can be costly in terms of computer resources. However, unauthenticated service requestors can access the rulesets and versions conveyed by the access group in the Service Access Group field and those assigned to the requestor type named APP. (Services run as APP requestors.) Depending on security and volume factors, for best performance you can leave the Requires Authentication? check box cleared.
The location and name of the Operator ID and password values vary, depending on the service type: