There are a few things to consider when enabling System Authorization Facility (SAF) authorization for the operating system and application levels.
When SAF authorization is enabled, authorization on any level is always performed by the operating system’s security manager (RACF or an equivalent product). Therefore, it is essential that users are authenticated with a security manager (RACF) user ID. Refer to Summary of controls for more information.
When SAF Authorization is selected during systems customization, administrative EJBROLE profiles for all administrative roles are defined by the RACF jobs generated using the z/OS Profile Management Tool or the zpmt command. SAF authorization (the use of SAF EJBROLE profiles to assign SAF users and groups to roles) can be used as an authorization mechanism for all user registries. If SAF authorization is selected on the administrative console it overrides any other authorization choice (such as Tivoli® Access Manager authorization).
if you do not select local operating system, you must configure and install a Java Authentication and Authorization Service (JAAS) login module to perform principal mapping that maps LDAP or custom registry principal to a SAF user ID.
Note that SAF authorization is also supported for non-local operating system registries. If you turn on SAF, it becomes the default provider (will handle naming and administration functions). Enable SAF and it becomes the native authorization provider.
For more information, refer to Selecting a registry or repository.
WebSphere Application Server for z/OS uses the default (unauthenticated) user ID, and an ACEE that checks for ACCESS( READ) access defined with the RESTRICTED attribute. Therefore, the universal access authority (UACC) does not apply. If, when SAF does not enforce authentication for ejbroles, you want everyone to be able to access a particular role, you must grant the default (unauthenticated) user ID ACCESS( READ) access to enables a request to run unauthenticated, If you do not grant the default user ID ACCESS( READ) access, RACF returns false to an unauthenticated request. .
When using a Local OS Registry, you can control access to console users .
If you decide at a future date to turn on SAF authorization, you must issue these RACF commands to enable proper WebSphere Application Server operation. (Change the value of the configured default user ID if you have chosen a different unauthenticated user ID.)