The following examples can be used to construct the RACF commands that are needed to implement the roles and user assignments:
RDEFINE EJBROLE (optionalSecurityDomain).WebClientUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BPEAPIUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BPESystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).BPESystemAdministrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BPESystemMonitor UACC(NONE)
PERMIT (optionalSecurityDomain).BPESystemMonitor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).JMSAPIUser UACC(READ) APPLDATA(RACFUserIdentity)
RDEFINE EJBROLE (optionalSecurityDomain).TaskAPIUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).TaskSystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).TaskSystemAdministrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).TaskSystemMonitor UACC(NONE)
PERMIT (optionalSecurityDomain).TaskSystemMonitor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).EscalationUser UACC(READ) APPLDATA(RACFUserIdentity)
RDEFINE EJBROLE (optionalSecurityDomain).CleanupUser UACC(READ) APPLDATA(RACFUserIdentity)
RDEFINE EJBROLE (optionalSecurityDomain).Administrator UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).RestServicesUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).WBIOperator UACC(READ)
PERMIT (optionalSecurityDomain).WBIOperator CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).eventAdministrator UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).eventConsumer UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).eventUpdater UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).eventCreator UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).catalogAdministrator UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).catalogReader UACC(READ)
Any user that wants to make use of the applications protected by these roles must be granted READ access to the role. It is important to note that unsecured applications run under the identity of the WebSphere® Application Server unauthenticated user ID, which by default is WSGUEST. This user ID is usually defined with the RESTRICTED option, which means it does not obtain access through UACC. So if an unsecured application uses application facilities protected by the J2EE roles listed above (for example, the WebSphere Enterprise Service Bus IVP described in Performing Installation Verification for WPS on z/OS V6.1), WSGUEST must be given explicit READ access to the relevant profiles; this implements the equivalent of an EVERYONE user mapping for the role.
Applications that use securityIdentity or RunAs roles also need extra configuration for SAF security products. In RACF, this is done by using the EJBROLE APPLDATA parameter to assign a RACF user identity (RACFUserIdentity in the above examples) to the role. For more information, see the WebSphere Application Server information center: System Authorization Facility (SAF) delegation.
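The following added example (not from the original page or from IBM) renders the command template above for a concrete security domain and then lints the result the way an administrator would before running it: every PERMIT must have a matching RDEFINE, a UACC(NONE) profile with no PERMIT is unreachable, and any role an unsecured application needs must carry an explicit PERMIT for the RESTRICTED WSGUEST ID, since UACC(READ) does not cover it. The template is a constructed subset of the page's commands; the role list passed as unauth_roles is an assumption for the demonstration.

```python
import re

# Constructed subset of the page's command template; "(optionalSecurityDomain)" is the page's placeholder.
TEMPLATE = """\
RDEFINE EJBROLE (optionalSecurityDomain).BPEAPIUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BPESystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).BPESystemAdministrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).TaskSystemMonitor UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).WBIOperator UACC(READ)
PERMIT (optionalSecurityDomain).WBIOperator CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
PERMIT (optionalSecurityDomain).EscalationUser CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
"""

RDEFINE_RE = re.compile(r"^RDEFINE\s+EJBROLE\s+(\S+)\s+UACC\((\w+)\)(?:\s+APPLDATA\((\w+)\))?$")
PERMIT_RE = re.compile(r"^PERMIT\s+(\S+)\s+CLASS\(EJBROLE\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)$")


def render(template, domain):
    """Replace the placeholder with a concrete domain prefix; an empty domain drops the prefix."""
    prefix = f"{domain}." if domain else ""
    return [ln.strip().replace("(optionalSecurityDomain).", prefix)
            for ln in template.splitlines() if ln.strip()]


def lint(commands, unauth_id="WSGUEST", unauth_roles=()):
    """Return a list of findings; an empty list means the command set is consistent.
    unauth_roles: profiles an unsecured application needs while running as unauth_id.
    That ID is assumed to be RESTRICTED, so UACC never grants it access."""
    profiles, permits, findings = {}, {}, []
    for cmd in commands:
        if m := RDEFINE_RE.match(cmd):
            profiles[m.group(1)] = m.group(2)          # profile -> UACC
        elif m := PERMIT_RE.match(cmd):
            permits.setdefault(m.group(1), {})[m.group(2)] = m.group(3)  # profile -> {id: access}
        else:
            findings.append(f"unparsed command: {cmd}")
    for prof in permits:
        if prof not in profiles:
            findings.append(f"{prof}: PERMIT issued but no RDEFINE")
    for prof, uacc in profiles.items():
        if uacc == "NONE" and prof not in permits:
            findings.append(f"{prof}: UACC(NONE) and no PERMIT, so no user can reach the role")
    for prof in unauth_roles:
        if permits.get(prof, {}).get(unauth_id) != "READ":
            findings.append(f"{prof}: {unauth_id} is RESTRICTED and needs an explicit PERMIT with ACCESS(READ)")
    return findings


if __name__ == "__main__":
    for finding in lint(render(TEMPLATE, "PROD"), unauth_roles=("PROD.WBIOperator", "PROD.BPEAPIUser")):
        print(finding)
```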