[z/OS]

Special considerations for controlling access to naming roles using SAF authorization

There are special considerations in WebSphere Application Server for controlling access to naming roles.

Considerations for assigning users to naming roles

You can use either System Authorization Facility (SAF) authorization (EJBROLE profiles) or WebSphere Application Server authorization to control access to naming roles. To enable SAF authorization, see z/OS System Authorization Facility authorization for more information. For a discussion of the CosNaming roles, see Administrative console and naming service authorization. You can also refer to Assigning users to naming roles.

Using SAF authorization to control access to naming roles

When SAF authorization is enabled, SAF EJBROLE profiles are used to control access to CosNaming functions. If you selected Use SAF EJBROLE profiles to enforce J2EE roles during security domain setup in the Customization Dialog, then the following CosNaming roles were defined by the customization jobs:
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingRead UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingWrite UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingCreate UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingDelete UACC(NONE)

PERMIT (optionalSecurityDomainName.)CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

If you decide at a future date to enable SAF authorization, you must issue these RACF® commands for WebSphere® Application Server to operate properly. Change the value WSGUEST if you have chosen a different unauthenticated user ID, and change the value WSCFG1 if you have chosen a different configuration group. WSGUEST must be given explicit READ access because it is a restricted user ID, and a restricted user ID does not receive access through UACC.

The default access granted by the customization dialog permits all authenticated users to read the name space. This level of authorization might be broader than you want to provide. At a minimum, the configuration group for WebSphere Application Server (servers and administrators) must have READ access to all of the profiles, and all WebSphere Application Server for z/OS clients must have READ access to the CosNamingRead profile.

If additional users require access to CosNaming roles, you can grant a user any of the preceding roles by issuing the following RACF command, where rolename is one of the four CosNaming role names and mvsid is the user ID or group to be permitted:
PERMIT (optionalSecurityDomainName.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
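The following script is an added example (not IBM's code) that audits a set of RDEFINE and PERMIT commands such as those above against the minimum access this topic describes: READ for the configuration group on every profile, an explicit READ for the restricted unauthenticated user ID on CosNamingRead, and no UACC(READ) on the three modifying roles. The sample command set, the CosNamingWrite UACC deviation, and the missing CosNamingDelete PERMIT are constructed for illustration.

```python
"""Audit RACF EJBROLE commands for the CosNaming roles (added example, not IBM code)."""
import re

ROLES = ("CosNamingRead", "CosNamingWrite", "CosNamingCreate", "CosNamingDelete")
RDEFINE_RE = re.compile(r"^RDEFINE\s+EJBROLE\s+(\S+)\s+UACC\((\w+)\)", re.I)
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\(EJBROLE\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)", re.I)

def parse_racf(text):
    """Map profile -> {"uacc", "permits"}; indented continuation lines join the command above."""
    profiles = {}
    for line in re.sub(r"\n[ \t]+", " ", text.strip()).splitlines():
        if m := RDEFINE_RE.match(line.strip()):
            profiles[m[1]] = {"uacc": m[2].upper(), "permits": {}}
        elif m := PERMIT_RE.match(line.strip()):
            entry = profiles.setdefault(m[1], {"uacc": None, "permits": {}})
            entry["permits"][m[2].upper()] = m[3].upper()
    return profiles

def audit(profiles, domain="", config_group="WSCFG1", unauth_user="WSGUEST"):
    """Return findings where the profiles fall short of the minimum access: config group
    READ everywhere, explicit READ for the restricted guest ID, no UACC on modifying roles."""
    findings = []
    for role in ROLES:
        name = f"{domain}.{role}" if domain else role
        p = profiles.get(name)
        if p is None or p["uacc"] is None:
            findings.append(f"{name}: profile not defined (RDEFINE missing)")
            continue
        if p["uacc"] != "READ" and p["permits"].get(config_group) != "READ":
            findings.append(f"{name}: configuration group {config_group} lacks READ")
        if role != "CosNamingRead" and p["uacc"] != "NONE":
            findings.append(f"{name}: UACC({p['uacc']}) opens the role to all users")
        if role == "CosNamingRead" and p["permits"].get(unauth_user) != "READ":
            findings.append(f"{name}: {unauth_user} lacks explicit READ (restricted ID)")
    return findings

# Constructed sample: the defaults from the text with two deliberate deviations
# (CosNamingWrite left at UACC(READ); no PERMIT for WSCFG1 on CosNamingDelete).
SAMPLE_COMMANDS = """\
RDEFINE EJBROLE CosNamingRead UACC(READ)
RDEFINE EJBROLE CosNamingWrite
 UACC(READ)
RDEFINE EJBROLE CosNamingCreate UACC(NONE)
RDEFINE EJBROLE CosNamingDelete UACC(NONE)
PERMIT CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
PERMIT CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT CosNamingCreate CLASS(EJBROLE)
 ID(WSCFG1) ACCESS(READ)
"""
```

Running `audit(parse_racf(SAMPLE_COMMANDS))` reports the open CosNamingWrite UACC and the missing WSCFG1 permit on CosNamingDelete; the same functions accept security-domain-prefixed profile names via the `domain` argument.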

Using WebSphere Application Server authorization to control access to naming roles

When SAF authorization is not enabled, WebSphere Application Server authorization and the administrative console are used to control access to CosNaming functions.

For information on assigning users to naming roles, refer to Assigning users to naming roles.

Related concepts
Administrative roles and naming service authorization
Related tasks
Assigning users to naming roles
Related reference
[z/OS] Security customization dialog settings
[z/OS] Summary of controls
Secure administration, applications, and infrastructure settings


Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=csec_contaccnamroles
File name: csec_contaccnamroles.html