Use this page to configure the System Authorization Facility (SAF) and the SAF Authorization properties.
The common properties for the unauthenticated user, SAF authorization, and SAF EJBROLE message suppression are no longer set as custom properties; configure them on this page.
Specifies the MVS user ID that is used to represent unprotected (unauthenticated) servlet requests when SAF authorization is specified or a local operating system registry is configured. This user ID must be a maximum of 8 characters long. Because every unauthenticated request runs under this identity, give it no more SAF authority than those requests need.
Specifies the class that maps a Java 2 Platform, Enterprise Edition (J2EE) role name to a SAF EJBROLE profile name. The class that you specify must implement the com.ibm.websphere.security.SAFRoleMapper interface.
The com.ibm.ws.security.zOS.authz.SAFRoleMapperImpl class, which is the default SAF role mapper implementation, is configured initially. This default mapping replaces every character that is not allowed in a SAF profile name, such as the percent (%), ampersand (&), asterisk (*) and blank characters, with a pound sign (#). Because several characters map to the same (#), distinct role names can map to the same EJBROLE profile, and a user who is permitted to that profile holds all of those roles.
For more information, see the topic Developing a custom SAF EJB role mapper.
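The following custom mapper is an added example for this page; it is not IBM's default mapper or any code from the product documentation. It reproduces the default rule described above (disallowed characters become #) alongside an injective alternative that escapes each disallowed character as # followed by its two hex digits, and it reports which role names the default rule would collapse onto one EJBROLE profile. It assumes that the com.ibm.websphere.security.SAFRoleMapper interface declares updateConfig(Properties) and getProfileFromRole(String role, String appName), which you should confirm against the Javadoc of your release; the property name example.saf.profilePrefix, the "." separator and the sample role names are constructed for illustration.

```java
// Added example for this page; it is not IBM's default mapper.
// Assumptions: the com.ibm.websphere.security.SAFRoleMapper interface declares
// updateConfig(Properties) and getProfileFromRole(String role, String appName);
// confirm against the Javadoc of your release before building. The property
// name example.saf.profilePrefix and the "." separator are illustrative only.
package com.example.security.zos;

import com.ibm.websphere.security.SAFRoleMapper;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

public class HexEscapingSAFRoleMapper implements SAFRoleMapper {

    // Characters this page lists as not allowed in a SAF profile name.
    private static final String DISALLOWED = " %&*";

    private String prefix = "";

    // Called by the runtime with the mapper's configuration properties.
    public void updateConfig(Properties config) {
        if (config != null) {
            prefix = config.getProperty("example.saf.profilePrefix", "").trim();
        }
    }

    // The rule this page attributes to the default mapper: every
    // disallowed character becomes '#'. Many-to-one, so it can collide.
    public static String defaultStyleMapping(String role) {
        StringBuilder sb = new StringBuilder(role.length());
        for (char c : role.toCharArray()) {
            sb.append(DISALLOWED.indexOf(c) >= 0 ? '#' : c);
        }
        return sb.toString();
    }

    // Injective alternative: '#' followed by the character's two hex digits.
    // A literal '#' is escaped too, so no two role names share a profile.
    public static String hexEscapeMapping(String role) {
        StringBuilder sb = new StringBuilder(role.length());
        for (char c : role.toCharArray()) {
            if (c == '#' || DISALLOWED.indexOf(c) >= 0) {
                sb.append(String.format("#%02X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // The profile name WebSphere asks SAF about for this role.
    public String getProfileFromRole(String role, String appName) {
        String profile = hexEscapeMapping(role);
        return prefix.isEmpty() ? profile : prefix + "." + profile;
    }

    // Groups role names that the default-style rule would map onto one profile.
    public static Map<String, List<String>> collisions(List<String> roles) {
        Map<String, List<String>> byProfile = new LinkedHashMap<String, List<String>>();
        for (String r : roles) {
            String p = defaultStyleMapping(r);
            List<String> names = byProfile.get(p);
            if (names == null) {
                names = new ArrayList<String>();
                byProfile.put(p, names);
            }
            names.add(r);
        }
        Map<String, List<String>> result = new LinkedHashMap<String, List<String>>();
        for (Map.Entry<String, List<String>> e : byProfile.entrySet()) {
            if (e.getValue().size() > 1) {
                result.put(e.getKey(), e.getValue());
            }
        }
        return result;
    }

    public static void main(String[] args) {
        HexEscapingSAFRoleMapper mapper = new HexEscapingSAFRoleMapper();
        Properties cfg = new Properties();
        cfg.setProperty("example.saf.profilePrefix", "WASCELL");   // constructed sample value
        mapper.updateConfig(cfg);

        // Constructed sample role names from a hypothetical application.
        List<String> roles = Arrays.asList("Admin User", "Admin%User", "Admin#User", "Report&Audit*");
        for (String r : roles) {
            System.out.printf("%-14s default-style=%-14s custom=%s%n",
                    r, defaultStyleMapping(r), mapper.getProfileFromRole(r, "SampleApp"));
        }
        for (Map.Entry<String, List<String>> e : collisions(roles).entrySet()) {
            System.out.println("COLLISION under default-style mapping: " + e.getKey() + " <- " + e.getValue());
        }
    }
}
```

With these sample roles, "Admin User", "Admin%User" and "Admin#User" all become "Admin#User" under the default-style rule, so one EJBROLE profile would cover three roles, while the hex escape keeps them distinct. Deploying any custom mapper changes the profile names that WebSphere checks, so define and permit the new EJBROLE profiles before switching mappers, and check the profile-name length limit of the EJBROLE class in your SAF product's documentation, since the escape lengthens names.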
Specifies that, when a RunAs role is specified, the MVS user identity that is assigned in the SAF EJBROLE profile for that role (the APPLDATA value of the EJBROLE profile in RACF) becomes the active identity.
Select the Enable SAF delegation option only if you select the Enable SAF Authorization option as the external authorization provider.
Specifies whether ICH408I messages are suppressed. ICH408I is the RACF message that is issued when an access check fails; suppressing it reduces console and log noise from expected EJBROLE authorization failures, but the failures are then visible only in the SMF audit records.
For more information on SAF authorization, see "Controlling access to console users when using a Local OS registry" in the information center. For more information on administrative roles, see "Administrative roles" in the information center.
Default: Disabled, which does not suppress messages.
Determines when an audit record is written to the System Management Facility (SMF). On each authorization call, RACF® or an equivalent SAF-based product can write an audit record to SMF with the result of the authorization check.
WebSphere® Application Server for z/OS uses the SAF RACROUTE AUTH and RACROUTE FASTAUTH operations and passes the LOG option that is specified in the security configuration. The options are DEFAULT, ASIS, NOFAIL, and NONE.
When multiple role constraints are specified, such as when a user must be in one of a set of roles, all of the roles except for the last role are checked with the NOFAIL option. If the authorization is granted in one of the roles before the last role, WebSphere Application Server writes an authorization success record. If the authorization is not successful in these roles, the last role is checked with the ASIS log option. If the user is authorized to the last role, a success record might be written. If the user is not authorized, a failure record might be written.
Only one authorization-failed record is written for a failed J2EE authorization check even if several SAF authorization calls are made. For more information on the LOG options for SAF RACROUTE calls, see the RACF or equivalent SAF-based product documentation. You can also see the topic Audit Support for additional information about the SMF auditability of WebSphere Application Server's calls to RACROUTE macros and SAF APIs during resource authorization processing.