Each controller, servant, and client must be associated with an MVS user ID. When a request flows from a client to the server or from a server to another server, WebSphere Application Server for z/OS passes the user identity (client or server) with the request. This way, each request is performed on behalf of the user identity, and the system checks whether that user identity has the authority to make such a request.
This first level of authentication is required by z/OS to protect its resources through the use of a System Authorization Facility (SAF) credential. This security is always enabled. For SAF, controllers, servants, and default clients must be associated with an MVS user ID. Applications can access operating system resources when the MVS user ID of the servant has been granted access to those resources.
The second level, which is in effect whenever WebSphere Application Server security is enabled at the cell level, is required to protect WebSphere's administrative resources.
The third level, which is in effect whenever WebSphere Application Server security is enabled for a given server, is a set of authorization checking mechanisms that are required to control access to Java 2 Platform, Enterprise Edition (J2EE) applications for WebSphere Application Server. On a base server, the cell and server levels of security can be viewed as the same configuration.
When security is enabled, WebSphere Application Server administrative and J2EE authorizations can be performed using the identity authenticated with the configured user registry or repository.
When the user registry or repository is configured to be the local operating system, the operating system and WebSphere Application Server identities are the same. You can configure authorization to use WebSphere Authorization, SAF Authorization, or a JACC External provider.