WebSphere Application Server Version 6.1 Feature Pack for Web Services
Operating Systems: z/OS

This topic applies only on the z/OS operating system.

Special considerations for controlling access to naming roles using SAF authorization

There are special considerations in WebSphere Application Server for controlling access to naming roles.

Considerations for assigning users to naming roles

You can use either System Authorization Facility (SAF) authorization (EJBROLE profiles) or WebSphere Application Server authorization to control access to naming roles. To enable SAF authorization, see z/OS System Authorization Facility authorization. For a discussion of the CosNaming roles, see Administrative console and naming service authorization. You can also refer to Assigning users to naming roles.

Using SAF authorization to control access to naming roles

When SAF authorization is enabled, SAF EJBROLE profiles are used to control access to CosNaming functions. If you selected "Use SAF EJBROLE profiles to enforce J2EE roles" during security domain setup in the Customization Dialog, then the following CosNaming roles were defined by the customization jobs:

RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingRead UACC(READ)
PERMIT (optionalSecurityDomainName.)CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingWrite UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingCreate UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingDelete UACC(READ)

If you decide, at a future date, to enable SAF authorization, you must issue these RACF commands to enable proper WebSphere Application Server operation. Change the value WSGUEST if you have chosen a different unauthenticated user ID.

The default access granted by the customization dialog permits all authenticated users to update the name space, because the CosNamingWrite, CosNamingCreate, and CosNamingDelete profiles are defined with UACC(READ). This type of authorization might be a broader level of authority than you want to provide. At a minimum, you must give the configuration group for WebSphere Application Server (servers and administrators) read access to all of the profiles and permit all WebSphere Application Server for z/OS clients to have read access to the CosNamingRead profile.

If additional users require access to CosNaming roles, you can permit a user to have any of the previous roles, as indicated, by issuing the following RACF command:

PERMIT (optionalSecurityDomainName.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
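
The following is an added example, not part of the IBM documentation: one way to narrow the default described above so that only named IDs can update the name space, while CosNamingRead stays as the customization jobs defined it. The group name WSCFG1 (the configuration group) and the user ID NAMEADM are assumed placeholders; substitute your own values and prepend the security domain name to each profile if you defined one.

```tso
 /* Added example. WSCFG1 and NAMEADM are assumed placeholder     */
 /* names for the configuration group and for one user ID that    */
 /* is allowed to update the name space.                          */

 /* 1. Permit the configuration group (servers, administrators)   */
 /*    explicitly BEFORE universal access is removed, so that     */
 /*    the servers do not lose access between the two steps.      */
PERMIT CosNamingWrite  CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

 /* 2. Remove universal access from the roles that change the     */
 /*    name space. CosNamingRead keeps UACC(READ) for clients.    */
RALTER EJBROLE CosNamingWrite  UACC(NONE)
RALTER EJBROLE CosNamingCreate UACC(NONE)
RALTER EJBROLE CosNamingDelete UACC(NONE)

 /* 3. Grant an update role only to the IDs that need it.         */
PERMIT CosNamingWrite CLASS(EJBROLE) ID(NAMEADM) ACCESS(READ)

 /* 4. Refresh the in-storage profiles (needed when the EJBROLE   */
 /*    class is RACLISTed), then list one profile to confirm the  */
 /*    UACC value and the access list.                            */
SETROPTS RACLIST(EJBROLE) REFRESH
RLIST EJBROLE CosNamingWrite AUTHUSER
```

In the RLIST output, the universal access for the profile should read NONE and the access list should contain only the IDs permitted in steps 1 and 3.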

Using WebSphere Application Server authorization to control access to naming roles

When SAF authorization is not enabled, WebSphere Application Server authorization and the administrative console are used to control access to CosNaming functions.

For information on assigning users to naming roles, refer to Assigning users to naming roles.

Related concepts
Administrative roles and naming service authorization
Related tasks
Assigning users to naming roles
Related reference
[z/OS] Security customization dialog settings
[z/OS] Summary of controls
Secure administration, applications, and infrastructure settings

Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/csec_contaccnamroles.html