For z/OS platforms

Liberty profile: Controlling how roles are mapped to SAF Profiles

The System Authorization Facility (SAF) role mapper determines how EJBROLE profile names are generated from application-defined role names. The mapper is invoked whenever SAF authorization is performed for an application role. The authorization check for the application role is made against the underlying SAF security product using the mapped profile name generated by the SAF role mapper.

The SAF role mapper is configured with the <safRoleMapper> configuration element, for example:
<safRoleMapper profilePattern="myprofile.%resource%.%role%" toUpperCase="true" />

Attributes

profilePattern="<string>"
The pattern used to map application roles to profile names.
  • %role% is substituted at run time with the value of the application role.
  • %resource% is substituted with the resource name, for example the application name.
For example, with profilePattern="myprofile.%resource%.%role%", the profile generated for an access check on the resource "myapp" for the "admin" role is myprofile.myapp.admin.
Supported substitution variables:
  • %role%: The application role name. For the administrator role, the value is Administrator.
  • %resource%: The protected resource name. For security administration, the resource name is com.ibm.ws.management.security.resource.
  • %profilePrefix%: The profilePrefix, defined by the profilePrefix attribute in the <safCredentials> config element. The default value is BBGZDFLT.
If not specified, the default is profilePattern="%profilePrefix%.%resource%.%role%".

toUpperCase="true|false"
Indicates whether the mapped profile name should be folded to upper case.
If not specified, the default is false.
Note: The SAF role mapper automatically replaces any wildcard characters (%&*) and whitespace in the mapped profile name with the '#' character.
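
The following Python sketch is an added example, not IBM code. It models the documented substitution, '#' replacement and upper-casing rules so that an administrator can predict which EJBROLE profile names to define, and can spot distinct application roles that collapse onto the same profile. The function names, the sample roles and the assumption that each wildcard or whitespace character becomes exactly one '#' are illustrative.

```python
import re
from collections import defaultdict

DEFAULT_PATTERN = "%profilePrefix%.%resource%.%role%"  # documented default
DEFAULT_PREFIX = "BBGZDFLT"                            # documented default

_VARIABLE = re.compile(r"%(role|resource|profilePrefix)%")
_UNSAFE = re.compile(r"[%&*\s]")  # wildcard characters and whitespace


def map_role(role, resource, pattern=DEFAULT_PATTERN,
             profile_prefix=DEFAULT_PREFIX, to_upper=False):
    """Return the profile name that the documented rules produce."""
    values = {"role": role, "resource": resource,
              "profilePrefix": profile_prefix}
    # Single pass, so a role containing "%resource%" is not expanded again.
    name = _VARIABLE.sub(lambda m: values[m.group(1)], pattern)
    # Assumption: every unsafe character is replaced by one '#'.
    name = _UNSAFE.sub("#", name)
    return name.upper() if to_upper else name


def find_collisions(roles, resource, **mapper_options):
    """Group distinct roles that end up on the same profile name."""
    by_profile = defaultdict(list)
    for role in roles:
        profile = map_role(role, resource, **mapper_options)
        by_profile[profile].append(role)
    return {p: r for p, r in by_profile.items() if len(r) > 1}


if __name__ == "__main__":
    # Constructed role names for a hypothetical application "myapp".
    roles = ["admin", "Admin", "help desk", "help*desk", "auditor"]
    opts = {"pattern": "myprofile.%resource%.%role%", "to_upper": True}
    for role in roles:
        print(f"{role!r:12} -> {map_role(role, 'myapp', **opts)}")
    # Roles listed together here are authorized by one and the same profile.
    print(find_collisions(roles, "myapp", **opts))
```

Any group reported by find_collisions is a set of application roles that a single SAF profile authorizes together, so access granted to that profile covers all of them.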


Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=rwlp_SAF_rolemapper