This topic applies only on the z/OS operating system.

Authorization checking

Each controller, servant, and client must be associated with an MVS user ID. When a request flows from a client to the server or from a server to another server, WebSphere Application Server for z/OS passes the user identity (client or server) with the request. This way, each request is performed on behalf of the user identity and the system checks to see if the user identity has the authority to make such a request.

There are three distinct levels of authorization checking.
  1. Operating system-level security

    This first level of authentication is required by z/OS to protect its resources through the use of a System Authorization Facility (SAF) credential. This security is always enabled. For SAF, controllers, servants, and default clients must be associated with an MVS user ID. Applications can access operating system resources when access to those resources is granted to the MVS user ID of the servant.

  2. Cell-level security

    The second level, which is in effect whenever WebSphere Application Server security is enabled at the cell level, is required to protect WebSphere's administrative resources.

  3. Server security

    The third level, which is in effect whenever WebSphere Application Server security is enabled for a given server, is a set of authorization checking mechanisms that are required to control access to Java 2 Platform, Enterprise Edition (J2EE) applications for WebSphere Application Server. On a base server, the cell and server levels of security can be viewed as the same configuration.

When security is enabled, WebSphere Application Server administrative and J2EE authorizations can be performed using the identity authenticated with the configured user registry.

When the user registry is configured to be Local OS, the operating system and WebSphere identities are the same. If the Local OS user registry is active, or if pluggable identity mapping modules are in place to map WebSphere Application Server user identities to operating system (SAF) identities, authorization checking can be configured to use SAF EJBROLE profiles by setting the registry custom property com.ibm.security.SAF.authorization to true. Otherwise, WebSphere application bindings are used to provide user-to-role mappings.





Last updated: Sep 20, 2010 11:08:29 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=csecauthcheck
File name: csec_authcheck.html