Why and when to perform this task
The user registry and authorization settings for the cell control how you add console users. If the user registry custom property com.ibm.security.SAF.authorization is set to true, then System Authorization Facility (SAF) EJBROLE profiles are used to authorize console users. (For non-LocalOS user registries, you must use identity mapping to map WebSphere identities to SAF user IDs.) If com.ibm.security.SAF.authorization is set to false, the administrative console is used to authorize console users and groups.
Regardless of which type of registry or authorization setting is chosen, the configuration process authorizes the WebSphere configuration group (to which all WebSphere Server identities are permitted), and an MVS user ID for the WebSphere administrator identity to do the following tasks:
Using SAF Authorization to control access to Administrative functions: When SAF Authorization is selected during systems customization, administrative EJBROLE profiles for all administrative roles are defined by the RACF jobs generated using the Configuration Dialog. If SAF Authorization is selected subsequently, issue the following RACF commands (or equivalent security server commands) to enable your servers and administrator to administer WebSphere Application Server:
Applicability of the following example: [Version 5.0.2 and later]
RDEFINE EJBROLE (optionalSecurityDomainName.)administrator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)monitor UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)configurator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)operator UACC(NONE)
PERMIT (optionalSecurityDomainName.)administrator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)monitor CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)configurator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)operator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
If additional users require access to administrative functions, you can permit a user to any of the above roles by issuing the following RACF command:
Applicability of the following example: [Version 5.0.2 and later]
PERMIT (optionalSecurityDomainName.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
You can give a user access to all administrative functions by connecting it to the configuration group:
CONNECT mvsid GROUP(configGroup)
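The following check is an added example, not part of the original documentation or of WebSphere: it reads a RACF command job and confirms that each of the four administrative EJBROLE profiles is defined with UACC(NONE) and permitted to the configuration group with READ, and it lists any individually permitted IDs for review. The security domain name PRODCELL, the group WSCFG1, the user OPSUSR1 and the function name are constructed for illustration.

```python
import re

ADMIN_ROLES = ("administrator", "monitor", "configurator", "operator")

# Command shapes as shown on this page; other RACF operands are not parsed.
RDEFINE_RE = re.compile(r"RDEFINE\s+EJBROLE\s+(\S+)\s+UACC\((\w+)\)$", re.I)
PERMIT_RE = re.compile(
    r"PERMIT\s+(\S+)\s+CLASS\(EJBROLE\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)$", re.I)

# Constructed sample job with two deliberate defects (monitor, operator).
SAMPLE_JOB = """\
RDEFINE EJBROLE PRODCELL.administrator UACC(NONE)
RDEFINE EJBROLE PRODCELL.monitor UACC(READ)
RDEFINE EJBROLE PRODCELL.configurator UACC(NONE)
RDEFINE EJBROLE PRODCELL.operator UACC(NONE)
PERMIT PRODCELL.administrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT PRODCELL.monitor CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT PRODCELL.configurator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT PRODCELL.administrator CLASS(EJBROLE) ID(OPSUSR1) ACCESS(READ)
"""

def audit_ejbrole_job(text, config_group, domain=""):
    """Return (findings, extra_ids) for the four administrative roles."""
    prefix = domain + "." if domain else ""
    uacc, permits = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := RDEFINE_RE.match(line):
            uacc[m.group(1)] = m.group(2).upper()  # profile name compared as written
        elif m := PERMIT_RE.match(line):
            permits.setdefault(m.group(1), {})[m.group(2).upper()] = m.group(3).upper()
    findings, extra_ids = [], {}
    group = config_group.upper()
    for role in ADMIN_ROLES:
        profile = prefix + role
        if profile not in uacc:
            findings.append(f"{profile}: no RDEFINE")
        elif uacc[profile] != "NONE":
            findings.append(f"{profile}: UACC({uacc[profile]}), expected UACC(NONE)")
        acl = permits.get(profile, {})
        if group not in acl:
            findings.append(f"{profile}: no PERMIT for {group}")
        elif acl[group] != "READ":
            findings.append(f"{profile}: {group} has ACCESS({acl[group]}), expected READ")
        others = sorted(i for i in acl if i != group)
        if others:
            extra_ids[profile] = others  # individually permitted IDs to review
    return findings, extra_ids
```
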
Using WebSphere Authorization to control access to administrative functions: To assign users to administrative roles, go to the administrative console, expand System Administration, click Console Users or Console Groups, and then add the user's WebSphere Application Server for z/OS user identities as desired. For more information on console user roles, refer to Administrative console and naming service authorization.
Note: