WebSphere Application Server Network Deployment, Version 6.1
             Operating Systems: z/OS

This topic applies only on the z/OS operating system.

z/OS System Authorization Facility authorization

Use this page to configure the System Authorization Facility (SAF) and the SAF Authorization properties.

To enable SAF authorization:
  1. Click Security > Secure administration, applications, and infrastructure > External authorization provider.
  2. Click on the System Authorization Facility (SAF) radio button.
  3. To configure the SAF authorization options, click SAF authorization options. The SAF authorization options cover the unauthenticated user ID and SAF EJBROLE message suppression.

The common properties for unauthenticated user, SAF authorization, and SAF EJBROLE message suppression are no longer custom properties.

Configuration tab

Unauthenticated user ID

Specifies the MVS user ID that is used to represent unprotected servlet requests when SAF authorization is specified or a local operating system registry is configured. This user ID must be a maximum of 8 characters long.

This property definition is used in the following instances:
  • For authorization if an unprotected servlet invokes an entity bean
  • For identification of an unprotected servlet for invoking a z/OS connector such as Customer Information Control System (CICS) or Information Management System (IMS) that uses a current identity when res-auth=container
  • When an application-initiated Synch to OS thread function is attempted
For more information, see the following articles in the information center:
  • "Understanding application Synch to OS Thread Allowed"
  • "When to use application Synch to OS Thread Allowed"

SAF profile mapper

Specifies the class that maps a Java 2 Platform, Enterprise Edition (J2EE) role name to a SAF EJBROLE profile name. The class name that you specify must implement the com.ibm.websphere.security.SAFRoleMapper interface.

For more information, see "Developing a custom SAF EJB role mapper" in the information center.

Enable SAF delegation

Specifies that the MVS user identity assigned to a SAF EJBROLE definition becomes the active identity when the RunAs specified role is selected.

Select the Enable SAF delegation option only if you select the Enable SAF Authorization option as the external authorization provider.

Suppress RACF EJBRole audit messages

Specifies whether ICH408I messages are on or off.

System Management Facility (SMF) records access violations no matter what value is specified for this property. This property affects the generation of access violation messages for both application-defined roles and for application server run-time-defined roles for the naming and administrative subsystems. EJBROLE profile checks are done for both declarative and programmatic checks:
  • Declarative checks are coded as security constraints in Web application deployment descriptors and in Enterprise JavaBeans (EJB) deployment descriptors. The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property is not used to control messages in this situation. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles. SMF then logs a single access violation for that role.
  • Programmatic checks are performed using the isCallerInRole(x) method for enterprise beans or the isUserInRole(x) method for Web applications. If the SMF audit record strategy property is set to ASIS, NOFAIL, or NONE, the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages that are generated by this call. Message suppression is always enabled for administrative roles if the SMF audit record strategy property is set to DEFAULT.
Avoid trouble:
  • When a third-party authorization provider such as Tivoli Access Manager or SAF for z/OS is used, the information in the administrative console panel might not represent the data in the provider. Also, any changes to the panel might not be reflected in the provider automatically. Follow the provider's instructions to propagate any changes made to the provider.

For more information on SAF authorization, see "Controlling access to console users when using a Local OS registry" in the information center. For more information on administrative roles, see "Administrative roles" in the information center.

Default: Disabled, which does not suppress messages.

SMF audit record strategy

Determines when an audit record is written to the System Management Facility (SMF). On each authorization call, RACF, or an equivalent SAF-based product, can write an audit record to SMF with the result of the authorization check.

WebSphere Application Server for z/OS uses the SAF RACROUTE AUTH and RACROUTE FASTAUTH operations and passes the LOG option that is specified in the security configuration. The options are DEFAULT, ASIS, NOFAIL, and NONE.

The following options are available:

DEFAULT
When multiple role constraints are specified, such as when a user must be in one of a set of roles, all of the roles except for the last role are checked with the NOFAIL option. If the authorization is granted in one of the roles before the last role, WebSphere Application Server writes an authorization success record. If the authorization is not successful in these roles, the last role is checked with the ASIS log option. If the user is authorized to the last role, a success record might be written. If the user is not authorized, a failure record might be written.

ASIS
Specifies that the audit events are recorded in the manner that is specified in the profile that protects the resource or in the manner that is specified by the SETROPTS options.

NOFAIL
Specifies that failures are not recorded. Authorization failure messages are not issued, but successful authorization audit records might be written.

NONE
Specifies that neither successes nor failures are recorded.

Only one authorization failed record is written for a failed J2EE authorization check even if several SAF authorization calls are made. For more information on the LOG options for SAF RACROUTE AUTH and RACROUTE FASTAUTH, see the RACF or equivalent SAF-based product documentation.
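The sequencing described above for DEFAULT (every role but the last checked with NOFAIL, the last with ASIS) is what keeps a failed multi-role check down to a single SMF failure record. The following simulation, added here as an illustration and not IBM's or RACF's code, models that sequence against a constructed EJBROLE profile table so the audit records produced under each strategy can be compared. The SimulatedSAF class, the profile names, the user IDs and the rule that ASIS downgrades to NOFAIL after the first failure record are all assumptions of this model; the real product passes the LOG option on RACROUTE AUTH and RACROUTE FASTAUTH and leaves recording to the SAF product's profile and SETROPTS settings.

```python
"""Simulation of WebSphere z/OS SAF EJBROLE checks under the SMF audit record strategy.

Constructed example: the profile table, user IDs and the SimulatedSAF stand-in are
made up for illustration. SimulatedSAF only records what a RACROUTE AUTH with each
LOG option would write to SMF; it is neither RACF nor WebSphere code.
"""
from dataclasses import dataclass, field

# Strategy / LOG option names from the documentation. DEFAULT is WebSphere-side
# sequencing; ASIS, NOFAIL and NONE are passed through on each RACROUTE call.
DEFAULT, ASIS, NOFAIL, NONE = "DEFAULT", "ASIS", "NOFAIL", "NONE"


@dataclass
class SimulatedSAF:
    """Stand-in for the SAF product: EJBROLE profile name -> user IDs with READ access."""
    profiles: dict
    smf: list = field(default_factory=list)  # (profile, user, outcome) audit records

    def racroute_auth(self, user: str, profile: str, log: str) -> bool:
        """One simulated RACROUTE AUTH against an EJBROLE profile.

        ASIS is modelled as "record the result" (a real profile's AUDIT setting
        could suppress it), NOFAIL records successes only, NONE records nothing.
        """
        granted = user in self.profiles.get(profile, set())
        outcome = "SUCCESS" if granted else "FAILURE"
        if log == ASIS or (log == NOFAIL and granted):
            self.smf.append((profile, user, outcome))
        return granted


def authorize(saf: SimulatedSAF, user: str, profiles: list, strategy: str) -> bool:
    """Authorize `user` against alternative roles (any one grants access).

    DEFAULT follows the documented sequence: all roles but the last use NOFAIL,
    the last uses ASIS, so a failed check leaves at most one failure record.
    """
    if not profiles:
        return False
    if strategy == DEFAULT:
        for profile in profiles[:-1]:
            if saf.racroute_auth(user, profile, NOFAIL):
                return True
        return saf.racroute_auth(user, profiles[-1], ASIS)

    # ASIS / NOFAIL / NONE: the option is passed on every call. Modelling
    # assumption: once a failure record has been written for this check, later
    # ASIS calls are downgraded to NOFAIL so only one failure record results.
    failure_written = False
    for profile in profiles:
        log = NOFAIL if (strategy == ASIS and failure_written) else strategy
        before = len(saf.smf)
        if saf.racroute_auth(user, profile, log):
            return True
        failure_written = failure_written or len(saf.smf) > before
    return False


def failure_records(saf: SimulatedSAF) -> list:
    """Return only the FAILURE audit records written so far."""
    return [rec for rec in saf.smf if rec[2] == "FAILURE"]


# Constructed profile table: application APP with three EJBROLE profiles.
PROFILES = {
    "APP.admin": {"ALICE"},
    "APP.oper": {"BOB"},
    "APP.viewer": {"BOB", "CAROL"},
}
ROLE_SET = ["APP.admin", "APP.oper", "APP.viewer"]  # "user must be in one of these"


if __name__ == "__main__":
    for strategy in (DEFAULT, ASIS, NOFAIL, NONE):
        for user in ("BOB", "CAROL", "DAVE"):
            saf = SimulatedSAF(PROFILES)
            ok = authorize(saf, user, ROLE_SET, strategy)
            print(f"{strategy:8} {user:6} granted={ok!s:5} smf={saf.smf}")
```

Under DEFAULT a user who is not in any of the three roles produces exactly one failure record, written for the last role in the set, while a user who matches an earlier role produces one success record and no failure record for the roles tried before it.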
Related concepts
System Authorization Facility user registries
Related tasks
Authorizing access to resources
Developing a custom SAF EJB role mapper
Related reference
Audit support


Last updated: Feb 25, 2009 9:32:38 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_safpropszos.html