System Authorization Facility (SAF) delegation

System Authorization Facility (SAF) delegation minimizes the need to store user IDs and passwords in many locations in the configuration.

WebSphere Application Server supports delegation. Delegation allows a user identity to be represented as a J2EE role. For example, you can establish an application to be run with a RunAs role of RoleA. RoleA can then be mapped as UserA. WebSphere Application Server then establishes the identity context as UserA, and RoleA is defined in the deployment descriptor. With such an arrangement in place, SAF delegation uses the specified J2EE role, RoleA, to determine the thread identity and then synchronizes processing with the user ID, UserA. UserA is specified in the APPLDATA value of the SAF EJBROLE profile, which is set with the RACF RDEFINE command. The RDEFINE command in this example would be as follows:
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)

SAF delegation requires that SAF authorization be enabled. The SAF security administrator is responsible for assigning users to the role. See z/OS System Authorization Facility authorization for the steps that permit SAF delegation.
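
An added example, not IBM's code or part of the original page: a Python check that cross-references the RunAs roles in a deployment descriptor against RDEFINE EJBROLE definitions in the form shown above, and reports roles with no profile, no APPLDATA user, or a UACC other than NONE. The sample descriptor, the roleb, rolec and RoleD entries, and the case-insensitive name match are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples; only the rolea/usera command comes from the page.
RACF_COMMANDS = """\
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)
RDEFINE EJBROLE roleb UACC(READ) APPLDATA(userb)
RDEFINE EJBROLE rolec UACC(NONE)
"""
EJB_JAR_XML = "<ejb-jar><enterprise-beans>" + "".join(
    f"<session><ejb-name>Bean{r[-1]}</ejb-name><security-identity><run-as>"
    f"<role-name>{r}</role-name></run-as></security-identity></session>"
    for r in ("RoleA", "RoleB", "RoleC", "RoleD")
) + "</enterprise-beans></ejb-jar>"

def parse_rdefine(text):
    """Map lower-cased EJBROLE profile name -> (UACC, APPLDATA user)."""
    profiles = {}
    for line in text.splitlines():
        m = re.match(r"\s*RDEFINE\s+EJBROLE\s+(\S+)(.*)", line, re.I)
        if not m:
            continue
        uacc = re.search(r"UACC\((\w+)\)", m.group(2), re.I)
        appl = re.search(r"APPLDATA\('?([^)']*)'?\)", m.group(2), re.I)
        profiles[m.group(1).lower()] = (
            uacc.group(1).upper() if uacc else None,
            appl.group(1).strip() if appl and appl.group(1).strip() else None,
        )
    return profiles

def run_as_roles(descriptor_xml):
    """Collect every <run-as><role-name> value (sample has no XML namespace)."""
    root = ET.fromstring(descriptor_xml)
    return sorted({ra.findtext("role-name", "").strip() for ra in root.iter("run-as")})

def audit(commands, descriptor_xml):
    """Return (role, finding) pairs for RunAs roles that SAF delegation cannot map cleanly."""
    profiles = parse_rdefine(commands)
    findings = []
    for role in run_as_roles(descriptor_xml):
        # Assumption: case-insensitive match, as the page writes RoleA as rolea.
        prof = profiles.get(role.lower())
        if prof is None:
            findings.append((role, "no EJBROLE profile defined"))
            continue
        uacc, user = prof
        if user is None:
            findings.append((role, "no APPLDATA user for delegation"))
        if uacc not in (None, "NONE"):
            findings.append((role, f"UACC({uacc}) is not NONE"))
    return findings
```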




Related tasks
Assigning users to RunAs roles
z/OS System Authorization Facility authorization

Last updated: Aug 31, 2013 12:02:36 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-zos&topic=csec_safdelegate
File name: csec_safdelegate.html