There's an entire book in the product documentation on Enterprise Server Security. It's there to answer questions such as this one.

There are two security features that can be used to restrict access to ESMAC. One is the original Enterprise Server security mechanism, known as "CAS Internal Security" or "CAS Legacy Security" or in some places the "CICS Sign-on Table". This is the simpler one to set up but it is less flexible, more difficult to administer in large ES deployments, and does not integrate with existing enterprise security.

You can read about configuring legacy ESMAC security here: http://documentation.microfocus.com/help/topic/com.microfocus.eclipse.infocenter.studee60win/BKCACANCICUSEC.html

The other security option for ESMAC is to configure the ES External Security Facility (ESF). ESF lets you specify an external security manager for Enterprise Server - an OS or third-party system that ES will use to make security decisions. Many customers with ES in production environments use ESF with an LDAP security manager, so they can integrate ES security into their organization's security infrastructure and manage it centrally.

Setting up ESF-based security does require significant system-administration work, possibly including installing third-party software, changing the configuration of an LDAP repository, etc. It's discussed extensively in the ES security manual: http://documentation.microfocus.com/help/topic/com.microfocus.eclipse.infocenter.studee60win/GUID-96DE94E5-C4FF-4AFC-91CF-6075936B60AB.html