Each controller, servant, and client must be associated with an MVS user ID. When a request flows from a client to a server or from one server to another, WebSphere Application Server for z/OS passes the user identity (client or server) along with the request. Each request is therefore performed on behalf of that user identity, and the system checks whether the identity is authorized to make the request.
This first level of authentication is required by z/OS to protect its resources through the use of a System Authorization Facility (SAF) credential. This level is always enabled. For SAF, controllers, servants, and default clients must be associated with an MVS user ID. Operating system resources are accessible to applications only when access has been granted to the MVS user ID of the servant.
The second level, which is in effect whenever WebSphere Application Server security is enabled at the cell level, is required to protect WebSphere's administrative resources.
The third level, which is in effect whenever WebSphere Application Server security is enabled for a given server, is a set of authorization checking mechanisms that are required to control access to Java 2 Platform, Enterprise Edition (J2EE) applications for WebSphere Application Server. On a base server, the cell and server levels of security can be viewed as the same configuration.
When security is enabled, WebSphere Application Server administrative and J2EE authorizations can be performed using the identity authenticated with the configured user registry.
When the user registry is configured to be LocalOS, the operating system and WebSphere identities are the same. If the LocalOS user registry is active, or if pluggable identity mapping modules are in place to map WebSphere Application Server user identities to operating system (SAF) identities, authorization checking can be configured to use SAF EJBROLE profiles by setting the registry custom property com.ibm.security.SAF.authorization to true. Otherwise, WebSphere application bindings are used to provide the user-to-role mappings.
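The following is an added illustration, not code from the WebSphere documentation or product: it models how the user-to-role decision is resolved once security is enabled, choosing SAF EJBROLE profiles or application bindings from the registry type, the presence of an identity mapping module, and the com.ibm.security.SAF.authorization property. The registry settings, EJBROLE profiles, and bindings are constructed stand-ins, and the profile naming (role name only, no prefix) is an assumption.

```python
# Added example (not from the WebSphere documentation): resolves which
# user-to-role mapping applies and performs the role check against
# constructed stand-ins for RACF EJBROLE profiles and application bindings.
from dataclasses import dataclass


@dataclass
class RegistryConfig:
    registry_type: str                    # constructed: "LocalOS" or "LDAP"
    saf_authorization: bool               # com.ibm.security.SAF.authorization
    identity_mapping_module: bool = False  # pluggable mapping to SAF identities


def saf_roles_usable(cfg: RegistryConfig) -> bool:
    """EJBROLE checking needs every WebSphere identity to resolve to an MVS
    user ID: either the LocalOS registry or a mapping module provides that."""
    return cfg.registry_type == "LocalOS" or cfg.identity_mapping_module


def select_role_mapping(cfg: RegistryConfig) -> str:
    """Return "saf-ejbrole" or "application-bindings"; reject the combination
    where SAF authorization is requested but identities cannot be mapped."""
    if not cfg.saf_authorization:
        return "application-bindings"
    if not saf_roles_usable(cfg):
        raise ValueError("SAF.authorization=true but identities cannot map to SAF")
    return "saf-ejbrole"


# Constructed stand-in for EJBROLE profiles: role -> MVS user IDs permitted READ.
# Assumes the profile name equals the role name (no SAF profile prefix).
EJBROLE_PROFILES = {"ADMIN": {"WSADMIN"}, "CLERK": {"USER1", "USER2"}}

# Constructed stand-in for an application's role bindings (users and groups).
APP_BINDINGS = {
    "ADMIN": {"users": {"wsadmin"}, "groups": set()},
    "CLERK": {"users": set(), "groups": {"clerks"}},
}


def is_authorized(cfg: RegistryConfig, role: str, user: str, groups=()) -> bool:
    """Check a user against a role using the mapping the configuration selects."""
    if select_role_mapping(cfg) == "saf-ejbrole":
        # MVS user IDs are upper case; the profile must exist and permit the ID.
        return user.upper() in EJBROLE_PROFILES.get(role, set())
    binding = APP_BINDINGS.get(role)
    if binding is None:
        return False
    return user in binding["users"] or bool(set(groups) & binding["groups"])
```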