[Version 5.0.2 and later] EJBROLES and GEJBROLES

EJBROLE: As an alternative to WebSphere authorization, Security Authorization Facility (SAF)-based authorization (for example, using the RACF EJBROLE profile) can be used to control a client's access to Java 2 Platform, Enterprise Edition (J2EE) roles in EJB and Web applications, including the WebSphere administrative console application. If the user registry custom property com.ibm.security.SAF.authorization is set to true, SAF EJBROLE profiles are used to authorize J2EE roles. (For non-LocalOS user registries, identity mapping must be in place to map WebSphere identities to SAF identities.)

[Version 5.0.2 and later] Defining EJBROLES belongs to the application deployment process. If the user ID has at least READ access to the EJBROLE profile that corresponds to the J2EE role defined by the application, the user ID is considered to be in the role. (Do not be confused by the name EJBROLE: it is used for J2EE roles in both EJBs and Web applications.)

When an application deployer uses a role in a component's deployment descriptor, the role name must be identical to the name of an EJBROLE profile. A security administrator defines EJBROLE profiles and permits SAF users or groups to the profiles. In order to be considered as eligible for a role, a user must have read access to the EJBROLE profile or must be connected to a SAF group that has read access.

[Version 5.0.2 and later] The specification of a security domain prefix affects which EJBROLE profiles WebSphere Application Server for z/OS checks for system resources when SAF authorization is chosen. When SecurityDomainType = cellQualified, the run time prefixes the EJBROLE profile names it checks for a J2EE application with the security domain name. This enables you to deploy the same application on different cells in the same sysplex but have different user-to-role mappings if desired.

Example: Your application has two J2EE role names: juniorTellers and seniorTellers. These are mixed-case roles.

In your SAF registry, you have two MVS groups called JTELLER and STELLER and an MVS user ID called BANKADM. The JTELLER group requires access to the juniorTellers role, and the STELLER group requires access to the seniorTellers role. The BANKADM user ID requires access to both roles. The TEST1 user ID should have access to both roles, but only in the test environment TESTCELL.

[Version 5.0.2 and later] You have two cells, both defined to use a security domain prefix. The security domain names are PRODCELL and TESTCELL, respectively.

[Version 5.0.2 and later] If RACF is used as your security server, enable this by issuing the following commands:

/* the EJBROLE class must be active; this step is done by the customization dialogs */
SETROPTS CLASSACT(EJBROLE)

/* first define the roles in RACF */
RDEFINE EJBROLE PRODCELL.juniorTellers UACC(NONE)
RDEFINE EJBROLE PRODCELL.seniorTellers UACC(NONE)

RDEFINE EJBROLE TESTCELL.juniorTellers UACC(NONE)
RDEFINE EJBROLE TESTCELL.seniorTellers UACC(NONE)

/* permit the appropriate users and groups to the various roles */
PERMIT PRODCELL.juniorTellers CLASS(EJBROLE)  ID(JTELLER BANKADM) ACCESS(READ)
PERMIT PRODCELL.seniorTellers CLASS(EJBROLE)  ID(STELLER BANKADM) ACCESS(READ)

PERMIT TESTCELL.juniorTellers CLASS(EJBROLE)  ID(TEST1) ACCESS(READ)
PERMIT TESTCELL.seniorTellers CLASS(EJBROLE)  ID(TEST1) ACCESS(READ)

/* refresh the EJBROLE class in RACF */
SETROPTS RACLIST(EJBROLE) REFRESH

Grouping EJBROLES (GEJBROLE): The SAF interface also supports a grouping class for the EJBROLE class. This grouping class is called GEJBROLE. It is particularly useful when you need to give the same users or groups access to several roles.

The GEJBROLE grouping class provides a capability not natively available in other J2EE servers. Using the J2EE security model, if we have several components or applications that use different role names for similar functions (such as Hire, Promote, GrantPayraise for managerial functions), there are several options to handle this issue:

[Version 5.0.2 and later]The following explains the relation between GEJBROLES, EJBROLES and EJBROLES within the GEJBROLE (ADDMEM).

Recommendations for implementing GEJBROLES:

  1. Plan organizational role profiles in the RACF class GEJBROLE.
  2. Create the access list by permitting user groups to the GEJBROLE profiles, then add roles to the GEJBROLE profiles.
  3. A GEJBROLE with only one EJBROLE is OK.
  4. Do not use a mixture of EJBROLE and GEJBROLE for permitting users to roles.
  5. If possible, permit users to GEJBROLE profiles only.
  6. Generally use GEJBROLE in preference to EJBROLE.
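The bank scenario above carried through with the grouping class, as an added example that is not part of the original page: users and groups are permitted to GEJBROLE profiles only (recommendations 4 and 5), and the EJBROLE profiles keep UACC(NONE) with no access list of their own. The GEJBROLE profile names (PRODCELL.JUNIOR, PRODCELL.SENIOR, TESTCELL.TESTER) and the later role approveLoans are assumed for illustration; only the member names in ADDMEM must match EJBROLE profile names.

```tso
/* assumes the EJBROLE class is active and the four PRODCELL./TESTCELL. EJBROLE */
/* profiles exist with UACC(NONE), but without the PERMIT commands shown above  */

/* one grouping profile per job function; the profile names are illustrative,  */
/* only the member names (ADDMEM) must match EJBROLE profile names              */
RDEFINE GEJBROLE PRODCELL.JUNIOR UACC(NONE) ADDMEM(PRODCELL.juniorTellers)
RDEFINE GEJBROLE PRODCELL.SENIOR UACC(NONE) ADDMEM(PRODCELL.seniorTellers)
RDEFINE GEJBROLE TESTCELL.TESTER UACC(NONE) ADDMEM(TESTCELL.juniorTellers TESTCELL.seniorTellers)

/* access lists go on the grouping profiles only; BANKADM needs both roles, so  */
/* it is permitted to both grouping profiles rather than to the EJBROLE profiles */
PERMIT PRODCELL.JUNIOR CLASS(GEJBROLE) ID(JTELLER BANKADM) ACCESS(READ)
PERMIT PRODCELL.SENIOR CLASS(GEJBROLE) ID(STELLER BANKADM) ACCESS(READ)
PERMIT TESTCELL.TESTER CLASS(GEJBROLE) ID(TEST1) ACCESS(READ)

/* a later application adds a role for the same job function (approveLoans is  */
/* hypothetical): define the EJBROLE and add it as a member; no new PERMIT      */
RDEFINE EJBROLE PRODCELL.approveLoans UACC(NONE)
RALTER GEJBROLE PRODCELL.SENIOR ADDMEM(PRODCELL.approveLoans)

/* the member class EJBROLE is what is RACLISTed; refreshing it also picks up   */
/* the changed grouping profiles                                                */
SETROPTS RACLIST(EJBROLE) REFRESH

/* verification: which grouping profiles cover a role, and who is on its list   */
RLIST EJBROLE PRODCELL.seniorTellers RESGROUP
RLIST GEJBROLE PRODCELL.SENIOR AUTHUSER
```

After the refresh, STELLER and BANKADM are in both seniorTellers and approveLoans through the single PRODCELL.SENIOR access list, which is the administrative saving the grouping class provides.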


Related concepts
Authorization checking



Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/csec_ejbroleandg.html
