[Version 5.0.2 and later]Controlling access to console users using System Authorization Facility

Why and when to perform this task

The user registry and authorization settings for the cell control how you add console users. If the user registry custom property com.ibm.security.SAF.authorization is set to true, then System Authorization Facility (SAF) EJBROLE profiles are used to authorize console users. (For non-LocalOS user registries, you must use identity mapping to map WebSphere identities to SAF user IDs). If com.ibm.security.SAF.authorization is set to false, the administrative console is used to authorize console users and groups.

Regardless of which type of registry or authorization setting is chosen, the configuration process authorizes the WebSphere configuration group (to which all WebSphere Server identities are permitted), and an MVS user ID for the WebSphere administrator identity to do the following tasks:

When SAF Authorization is selected on z/OS, the special subject of server is not used as the administrative user ID. (Note that the customization dialogs generate an administrative user, who is a member of the administrative group, which can be used for customization.)

Using SAF Authorization to control access to administrative functions: When SAF Authorization is selected during system customization, administrative EJBROLE profiles for all administrative roles are defined by the RACF jobs generated using the Configuration Dialog. If SAF Authorization is selected later, issue the following RACF commands (or the equivalent security server commands) to enable your servers and administrator to administer WebSphere Application Server:

Applicability of the following example: [Version 5.0.2 and later]

RDEFINE EJBROLE (optionalSecurityDomainName.)administrator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)monitor       UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)configurator  UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)operator      UACC(NONE)

PERMIT (optionalSecurityDomainName.)administrator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)monitor       CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)configurator  CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)operator      CLASS(EJBROLE) ID(configGroup) ACCESS(READ)

If additional users require access to administrative functions, you can permit a user to any of the above roles by issuing the following RACF command:

Applicability of the following example: [Version 5.0.2 and later]

PERMIT (optionalSecurityDomainName.)rolename   CLASS(EJBROLE)  ID(mvsid) ACCESS(READ)

You can give a user access to all administrative functions by connecting it to the configuration group:

CONNECT  mvsid  GROUP(configGroup)
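As an added illustration (not IBM's code and not part of this topic), the following Python audits a set of EJBROLE profiles against the model the commands above establish: UACC(NONE) on each administrative role, READ for the configuration group, and no unexpected IDs on the access list, and it emits the RACF commands that would correct any drift. The profile data, the group WSCFG1 and the user TEMPUSR are constructed placeholders; RALTER and PERMIT ... DELETE are standard RACF commands that this topic does not show.

```python
# Added example (not from the IBM topic): audit the four administrative
# EJBROLE profiles against the access model described above and emit the
# RACF commands that would correct drift. Profile data here is constructed.
ADMIN_ROLES = ("administrator", "monitor", "configurator", "operator")

def role_profile(role, domain=None):
    """Profile name, with the optional security domain prefix applied."""
    return f"{domain}.{role}" if domain else role

def audit_ejbroles(profiles, config_group, domain=None, allowed_users=()):
    """Return (findings, fix_commands) for the administrative EJBROLE profiles.

    profiles: {profile_name: {"uacc": str, "access": {mvs_id: level}}}
    allowed_users: MVS IDs (besides config_group) that may hold a role.
    """
    findings, fixes = [], []
    expected = {config_group.upper(), *(u.upper() for u in allowed_users)}
    for role in ADMIN_ROLES:
        name = role_profile(role, domain)
        prof = profiles.get(name)
        if prof is None:  # role never defined: define it and permit the group
            findings.append(f"{name}: profile missing")
            fixes.append(f"RDEFINE EJBROLE {name} UACC(NONE)")
            fixes.append(f"PERMIT {name} CLASS(EJBROLE) ID({config_group}) ACCESS(READ)")
            continue
        if prof["uacc"].upper() != "NONE":  # default access must stay closed
            findings.append(f"{name}: UACC is {prof['uacc']}, expected NONE")
            fixes.append(f"RALTER EJBROLE {name} UACC(NONE)")
        access = {k.upper(): v.upper() for k, v in prof["access"].items()}
        if access.get(config_group.upper()) != "READ":
            findings.append(f"{name}: {config_group} lacks READ")
            fixes.append(f"PERMIT {name} CLASS(EJBROLE) ID({config_group}) ACCESS(READ)")
        for mvs_id, level in sorted(access.items()):  # flag unexpected grants
            if mvs_id not in expected and level != "NONE":
                findings.append(f"{name}: unexpected {level} access for {mvs_id}")
                fixes.append(f"PERMIT {name} CLASS(EJBROLE) ID({mvs_id}) DELETE")
    return findings, fixes

# Constructed sample (placeholder IDs): a stray grant on administrator,
# UACC(READ) on monitor, and an operator profile that was never defined.
SAMPLE_PROFILES = {
    "administrator": {"uacc": "NONE", "access": {"WSCFG1": "READ", "TEMPUSR": "READ"}},
    "monitor": {"uacc": "READ", "access": {"WSCFG1": "READ"}},
    "configurator": {"uacc": "NONE", "access": {"WSCFG1": "READ"}},
}

if __name__ == "__main__":
    findings, fixes = audit_ejbroles(SAMPLE_PROFILES, "WSCFG1")
    print("\n".join(findings + [""] + fixes))
```

Run against the sample, it reports three findings and proposes four commands; with TEMPUSR listed in allowed_users the stray grant is no longer flagged.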

Using WebSphere Authorization to control access to administrative functions: To assign users to administrative roles, go to the administrative console, expand System Administration, click Console Users or Console Groups, and then add the WebSphere Application Server for z/OS user identities as desired. For more information on console user roles, refer to Administrative console and naming service authorization.

Searchable topic ID:   tsecaddconsole
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_addconsole.html