The association acceptor may utilize the username or username and passcode information to determine whether the user is permitted to establish an association. If the Kerberos mechanism is chosen, the association acceptor shall utilize the Kerberos service ticket to determine whether the user is permitted to establish an association.
If the association acceptor rejects the association because of an authorization failure, the rejection shall be indicated to be rejected-permanent (see PS 3.8). The source shall be value (2) “DICOM UL service provided (ACSE related function)”. The rejection is indicated to be rejected-permanent because retries with the same user identity fields will continue to be rejected. A different and valid username, username and passcode, or Kerberos ticket must be provided.
This standard does not define how the association acceptor performs authentication or what rules apply to this authentication.