
Liberty: Controlling how roles are mapped to SAF Profiles
The System Authorization Facility (SAF) role mapper determines how EJBROLE profile names are generated from application-defined role names. The mapper is invoked whenever SAF authorization is performed for an application role. The authorization check for the application role is made against the underlying SAF security product using the mapped profile name generated by the SAF role mapper.
The SAF role mapper can be configured by using the <safRoleMapper> configuration element.
<safRoleMapper profilePattern="myprofile.%resource%.%role%" toUpperCase="true" />
Attributes
- profilePattern="<string>"
  - The pattern used to map application roles to profile names.
  - %role% is substituted at run time with the value of the application role.
  - %resource% is substituted with the resource name. For example, the application name.
  - The list of supported substitution variables:
    - %role%
      - The application role name. For the administrator role, the value is Administrator.
    - %resource%
      - The protected resource name. For security administration, the resource name is com.ibm.ws.management.security.resource.
    - %profilePrefix%
      - The profilePrefix, defined by the profilePrefix attribute in the <safCredentials> config element. The default value is BBGZDFLT.
- toUpperCase="true|false"
  - Indicates whether the mapped profile name must be folded to uppercase.
  - If not specified, the default is false.
Note: The SAF role mapper will automatically substitute any wildcard characters (%&*) and whitespace characters in the mapped profile name with the '#' character.
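The mapping rules above, modeled in Python as an added example (not IBM's code and not part of the original page): it computes the EJBROLE profile name a role maps to and reports application roles that land on the same profile after '#' substitution and uppercase folding, which would make one SAF permission grant several roles. The role and resource names are constructed, and the function names and the order of operations (substitute variables, replace characters, fold) are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Characters the page says are replaced with '#': % & * and whitespace.
_UNSAFE = re.compile(r"[%&*\s]")
# Substitution variables listed on the page.
_VARIABLE = re.compile(r"%(role|resource|profilePrefix)%")


def map_role(pattern, role, resource, profile_prefix="BBGZDFLT", to_upper=False):
    """Model of the documented mapping: substitute, sanitize, optionally fold."""
    values = {"role": role, "resource": resource, "profilePrefix": profile_prefix}
    # Single pass, so text inside a role name is never expanded again.
    profile = _VARIABLE.sub(lambda m: values[m.group(1)], pattern)
    # Assumption: each offending character becomes exactly one '#'.
    profile = _UNSAFE.sub("#", profile)
    return profile.upper() if to_upper else profile


def find_collisions(pattern, resource, roles, **kwargs):
    """Return {profile: [roles]} for profiles shared by more than one role."""
    by_profile = defaultdict(list)
    for role in roles:
        by_profile[map_role(pattern, role, resource, **kwargs)].append(role)
    return {p: r for p, r in by_profile.items() if len(r) > 1}


if __name__ == "__main__":
    PATTERN = "myprofile.%resource%.%role%"   # pattern from the page
    APP = "payrollApp"                        # constructed resource name
    ROLES = ["Payroll Admin", "payroll*admin", "Auditor"]  # constructed roles
    for role in ROLES:
        print(f"{role!r:18} -> {map_role(PATTERN, role, APP, to_upper=True)}")
    found = find_collisions(PATTERN, APP, ROLES, to_upper=True)
    for profile, roles in found.items():
        print(f"COLLISION {profile}: {roles}")
```

Running it over an application's declared roles before defining the EJBROLE profiles shows both the exact profile names to define and any roles that the mapper cannot tell apart.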