Authorization checking

Each controller, servant, and client must be associated with an MVS user ID. When a request flows from a client to the server or from a server to another server, WebSphere Application Server for z/OS passes the user identity (client or server) with the request. This way, each request is performed on behalf of the user identity and the system checks to see if the user identity has the authority to make such a request.

There are three distinct levels of authorization checking.

  1. Operating system level security

    This first level of authentication is required by z/OS to protect its resources through the use of a SAF credential. This security is always enabled. For SAF, controllers, servants, and default clients must be associated with an MVS user ID. Applications can access operating system resources when the MVS user ID of the servant region has been granted access to them.

  2. Cell level security

    The second level, which is in effect whenever WebSphere Application Server security is enabled at the cell level, is required to protect WebSphere's administrative resources.

  3. Server security

    The third level, which is in effect whenever WebSphere Application Server security is enabled for a given server, is a set of authorization checking mechanisms required to control access to WebSphere J2EE applications. On a base server, the cell and server levels of security can be viewed as the same.

When WebSphere Application Server security is enabled, WebSphere administrative and Java 2 Platform, Enterprise Edition (J2EE) authorizations can be performed using the identity authenticated with the configured user registry.

When the user registry is configured to be LocalOS, the operating system and WebSphere identities are the same. If the LocalOS registry is active, or if pluggable identity mapping modules are in place to map WebSphere Application Server user identities to operating system (SAF) identities, authorization checking can be configured to use SAF EJBROLE profiles by setting the registry custom property com.ibm.security.SAF.authorization to true. Otherwise, WebSphere application bindings are used to provide user to role mappings.
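
The following is an added example, not part of the original IBM topic. It sketches the SAF side of EJBROLE authorization when RACF is the SAF provider and com.ibm.security.SAF.authorization is set to true. RACF as the security product, the role name Teller, and the MVS user ID BANKUSR are assumptions made for illustration.

```tso
/* Activate the EJBROLE class and keep its profiles in storage     */
SETROPTS CLASSACT(EJBROLE)
SETROPTS RACLIST(EJBROLE)

/* One profile per J2EE role. The profile name must match the role */
/* name in the deployment descriptor, including case.              */
/* UACC(NONE) means no user holds the role unless permitted.       */
RDEFINE EJBROLE Teller UACC(NONE)

/* Grant the role to a single MVS user ID (constructed value).     */
/* READ access to the profile is what places the user in the role. */
PERMIT Teller CLASS(EJBROLE) ID(BANKUSR) ACCESS(READ)

/* Make the change visible to running servers                      */
SETROPTS RACLIST(EJBROLE) REFRESH

/* Review who holds the role                                       */
RLIST EJBROLE Teller AUTHUSER
```

With SAF authorization active, these profiles decide role membership instead of the user-to-role mappings in the application bindings, so the access list shown by RLIST is the place to audit who holds each role.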





Searchable topic ID:   csecauthcheck
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/csec_authcheck.html
