Local operating system user registry settings

Use this page to configure local operating system user registry settings.

To view this administrative console page, complete the following steps:
  1. Click Security > Global security.
  2. Under User registries, click Local OS.

Custom properties

Under the Custom properties link, you can add a value for the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property. Set this property to turn ICH408I messages on or off. The default value for this property is false, which does not suppress messages. You can set this value to true to suppress the ICH408I messages.

This property affects access violation message generation for both application-defined roles and for WebSphere Application Server Runtime roles for the naming and administrative subsystems. System Management Facility (SMF) records are unaffected by this property. EJBROLE profile checks are done for both declarative (deployment descriptors) and programmatic checks:
  • Declarative checks are coded as security constraints in Web applications, and deployment descriptors are coded as security constraints in enterprise beans. This property is not used to control messages in this case. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles. SMF then logs a single access violation (for that role).
  • Program logic checks (or access checks) are performed using the programmatic isCallerInRole(x) for enterprise beans or isUserInRole(x) for Web applications. The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages that are generated by this call.
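
An added example (not IBM's code) for sizing the effect of this property before changing it: it tallies EJBROLE-class ICH408I messages per user and role from saved console log text. The sample log is constructed, and its message layout, user IDs, and role names are assumptions.

```python
import re
from collections import Counter

# Constructed sample log text (not real system output). The multi-line
# ICH408I layout, user IDs and role names below are assumptions.
SAMPLE_LOG = """\
ICH408I USER(APPUSR1 ) GROUP(APPGRP  ) NAME(SAMPLE USER ONE     )
  TellerRole CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(APPUSR1 ) GROUP(APPGRP  ) NAME(SAMPLE USER ONE     )
  TellerRole CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
ICH408I USER(APPUSR2 ) GROUP(APPGRP  ) NAME(SAMPLE USER TWO     )
  ManagerRole CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
ICH408I USER(WSSRV1  ) GROUP(WSGRP   ) NAME(SAMPLE SERVER ID    )
  SAMPLE.RESOURCE CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
"""

HEADER = re.compile(r"ICH408I\s+USER\(\s*([^)\s]*)\s*\)")
RESOURCE = re.compile(r"(\S+)\s+CL\(\s*([^)\s]+)\s*\)")

def parse_ich408i(text):
    """Yield (user, resource, class) for each ICH408I message in text."""
    user = None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:                      # first line of a new message
            user = m.group(1)
            continue
        m = RESOURCE.search(line)
        if m and user is not None: # resource/class line of that message
            yield user, m.group(1), m.group(2)
            user = None            # ignore the remaining lines of the message

def ejbrole_violation_counts(text):
    """Count ICH408I messages per (user, role) for the EJBROLE class only."""
    return Counter((u, r) for u, r, c in parse_ich408i(text) if c == "EJBROLE")

def repeated_role_checks(text, threshold=2):
    """(user, role) pairs seen at least `threshold` times, sorted."""
    counts = ejbrole_violation_counts(text)
    return sorted(k for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for (user, role), n in ejbrole_violation_counts(SAMPLE_LOG).most_common():
        print(f"{user:8} {role:20} {n}")
```

The console message does not say whether a check was declarative or programmatic, so the tally shows only which users and roles account for the EJBROLE message volume.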

force.credential.creation.for.validation

Setting this property either forces the creation of an ACEE or locates the ACEE of a user from the cache during ID assertion logins. ACEE information for users that have been revoked is not available. However, if you force the creation of credentials all of the time, performance can be affected.

disable.principal.case.preservation

Setting this property forces the principals returned by getRemoteUser() and getUserPrincipal() calls to be uppercase.

If this property is not set, WebSphere Application Server uses the existing case.

Configuration tab

Ignore case for authorization

When this option is set to true, a case-insensitive authorization check is performed.

SAF user IDs are usually in uppercase letters. Enabling this option is necessary only when your registry is case-insensitive and does not provide a consistent case when queried for users and groups.




Related tasks
Configuring local operating system user registries

Last updated: Sep 20, 2010 10:03:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=usecrpseclos
File name: usec_rpseclos.html