There are special considerations in WebSphere Application Server for controlling access to naming roles.
Considerations for assigning users to naming roles
You can use either System Authorization Facility (SAF) authorization (EJBROLE profiles) or WebSphere Application Server authorization to control access to naming roles. For information on enabling SAF authorization, see z/OS System Authorization Facility authorization. For a discussion of the CosNaming roles, see Administrative console and naming service authorization. You can also refer to Assigning users to naming roles.
Using SAF authorization to control access to naming roles
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingRead UACC(READ)
PERMIT (optionalSecurityDomainName.)CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingWrite UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingCreate UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingDelete UACC(READ)
If you decide, at a future date, to enable SAF authorization, you must issue these RACF commands to enable proper WebSphere Application Server operation. Change the value WSGUEST if you have chosen a different unauthenticated user ID.
The default access granted by the customization dialog permits all authenticated users to update the name space. This type of authorization might be a broader level of authority than you want to provide. Minimally, you must enable the configuration group for WebSphere Application Server (servers and administrators) to have read access to all of the profiles and permit all WebSphere Application Server for z/OS clients to have read access to the CosNamingRead profile.
PERMIT (optionalSecurityDomainName.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
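One way to narrow the default access to the minimum described above, as an added example that is not part of the original documentation. It assumes that no security domain prefix is in use, that WSCFG1 is the name of the configuration group, and that the EJBROLE class is RACLISTed; substitute the names used at your installation.

```tso
  /* Added example. WSCFG1 is an assumed configuration group name;   */
  /* no security domain prefix is assumed on the profile names.      */

  /* Default as generated: any authenticated user can update the     */
  /* name space because the update roles carry UACC(READ).           */
  /*   RDEFINE EJBROLE CosNamingWrite  UACC(READ)                    */
  /*   RDEFINE EJBROLE CosNamingCreate UACC(READ)                    */
  /*   RDEFINE EJBROLE CosNamingDelete UACC(READ)                    */

  /* Tightened: remove universal access from the update roles.       */
RALTER EJBROLE CosNamingWrite  UACC(NONE)
RALTER EJBROLE CosNamingCreate UACC(NONE)
RALTER EJBROLE CosNamingDelete UACC(NONE)

  /* The configuration group (servers and administrators) keeps      */
  /* read access to every naming profile.                            */
PERMIT CosNamingRead   CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT CosNamingWrite  CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

  /* CosNamingRead keeps UACC(READ) and the WSGUEST permit, so all   */
  /* clients can still read the name space.                          */

  /* Activate the changes in the in-storage profiles.                */
SETROPTS RACLIST(EJBROLE) REFRESH

  /* Check the resulting UACC and access list for each update role.  */
RLIST EJBROLE CosNamingWrite  AUTHUSER
RLIST EJBROLE CosNamingCreate AUTHUSER
RLIST EJBROLE CosNamingDelete AUTHUSER
```

Any other user or group that legitimately updates the name space needs its own PERMIT to the relevant role before UACC(NONE) takes effect.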
Using WebSphere Application Server authorization to control access to naming roles
When SAF authorization is not enabled, WebSphere Application Server authorization and the administrative console are used to control access to CosNaming functions.
For information on assigning users to naming roles, refer to Assigning users to naming roles.