System Authorization Facility (SAF) delegation minimizes the need to store user IDs and passwords in many locations in the configuration.
WebSphere® Application Server supports the function of delegation. Delegation allows a user identity to be represented as a Java EE role. For example, you can establish an application to be run with a RunAs role of RoleA. RoleA can then be mapped to UserA. WebSphere Application Server then establishes the identity context as UserA, and RoleA is defined in the deployment descriptor. With such an arrangement in place, SAF delegation uses the specified Java EE role, RoleA, to determine the thread identity and then synchronizes processing with the user ID, UserA. UserA is specified in the APPLDATA value of the SAF EJBROLE profile, set with the RDEFINE RACF® command. The RDEFINE command in this example would be as follows:
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)
SAF delegation requires that SAF authorization be enabled. The SAF security administrator would be responsible for the assignment of users to the role. See z/OS System Authorization Facility authorization for the steps that permit SAF delegation.
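The RACF commands an administrator would issue to set up the RoleA/UserA mapping described above, as an added example rather than text from the original page. The group name WASGRP, the RLIST verification step, and the comment lines (REXX/CLIST style) are assumptions; the EJBROLE class is assumed to be active and RACLISTed.

```tso
/* Define the EJBROLE profile for the RunAs role; APPLDATA names the user ID    */
/* that the thread identity is synchronized to. UACC(NONE) grants nobody access  */
/* by default, so delegation only applies to callers you explicitly permit.      */
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)

/* Assumed group WASGRP: the callers allowed to run under the role.              */
/* Granting READ on the EJBROLE profile is what "assigns users to the role".     */
PERMIT rolea CLASS(EJBROLE) ID(WASGRP) ACCESS(READ)

/* Refresh the in-storage copy of the class so the server sees the new profile. */
SETROPTS RACLIST(EJBROLE) REFRESH

/* Verify: the output should show APPLDATA=USERA and WASGRP in the access list. */
RLIST EJBROLE rolea ALL
```

Keeping UACC(NONE) and permitting only the intended group is the check that matters here, because the APPLDATA user ID becomes the thread identity for every caller granted the role.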
Note: If you have SAF
delegation enabled and Kerberos is your active authentication mechanism,
when the application requests the run-as role, the runAs subject that
is created on the server does not contain the Kerberos credential.
As a result, the request falls back to LTPA.