WebSphere Application Server supports the function of delegation. Delegation allows a user identity to be represented as a J2EE role. For example, you can establish an application to be run with a RunAs role of RoleA. RoleA can then be mapped to UserA. WebSphere Application Server then establishes the identity context as UserA, and RoleA is defined in the deployment descriptor.

With such an arrangement in place, SAF delegation uses the specified J2EE role, RoleA, to determine the thread identity and then synchronizes processing with the user ID, UserA. UserA is specified as the APPLDATA value of the SAF EJBROLE profile, which is set with the RACF RDEFINE command. The RDEFINE command in this example would be as follows:
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)
SAF delegation requires that the SAF authorization be enabled. The SAF security administrator would be responsible for the assignment of users to the role. See z/OS System Authorization Facility authorization for the steps that permit SAF delegation.
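The following audit sketch is an added example, not IBM's code: it reads the RunAs roles from a deployment descriptor and reports which ones have no delegated user in an EJBROLE profile's APPLDATA. The descriptor, the bean names, RoleB and the profile table are constructed sample data, and the check assumes the EJBROLE profile name is the role name exactly.

```python
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml content: two beans, each with a RunAs role.
SAMPLE_DESCRIPTOR = """<ejb-jar><enterprise-beans>
  <session><ejb-name>PayrollBean</ejb-name>
    <security-identity><run-as><role-name>RoleA</role-name></run-as></security-identity>
  </session>
  <session><ejb-name>ReportBean</ejb-name>
    <security-identity><run-as><role-name>RoleB</role-name></run-as></security-identity>
  </session>
</enterprise-beans></ejb-jar>"""

# Constructed stand-in for the SAF database: EJBROLE profile -> APPLDATA user.
SAMPLE_PROFILES = {"RoleA": "usera"}

BEAN_TAGS = ("session", "entity", "message-driven")

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}session'."""
    return tag.rsplit("}", 1)[-1]

def run_as_roles(descriptor_xml):
    """Return {ejb-name: RunAs role} for every bean that declares run-as."""
    roles = {}
    for bean in ET.fromstring(descriptor_xml).iter():
        if local(bean.tag) not in BEAN_TAGS:
            continue
        name = role = None
        for el in bean.iter():
            if local(el.tag) == "ejb-name" and name is None:
                name = (el.text or "").strip()
            elif local(el.tag) == "run-as":
                for child in el:
                    if local(child.tag) == "role-name":
                        role = (child.text or "").strip()
        if role:
            roles[name] = role
    return roles

def audit(descriptor_xml, profiles):
    """List (bean, role, status); a role without APPLDATA has no delegated user."""
    findings = []
    for bean, role in sorted(run_as_roles(descriptor_xml).items()):
        user = profiles.get(role)
        if user:
            status = "ok: runs as " + user
        else:  # profile absent, or defined without APPLDATA
            status = "missing: RDEFINE EJBROLE %s UACC(NONE) APPLDATA(<user>)" % role
        findings.append((bean, role, status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DESCRIPTOR, SAMPLE_PROFILES):
        print(*finding, sep=" | ")
```
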