You can use a Java Authentication and Authorization Services (JAAS) login module to map a registry principal to the System Authorization Facility (SAF) user ID.
The following set of well-defined attributes that are used in WebSphere Application Server mapping are defined in the com.ibm.wsspi.security.token.AttributeNameConstants class, which is available in the sas.jar file:
Use this attribute to set the value of the MVS™ user ID when an operation is performed that requires a z/OS SAF user ID. If a value is not specified, WebSphere Application Server uses the unauthenticated user to establish a SAF user ID. This SAF user ID must be a valid MVS user ID.
Use this attribute to indicate that the specified string is placed in the X500Name property when creating a Resource Access Control Facility (RACF®) access control environment element (ACEE).
Use this optional field to indicate which principal class in a JAAS subject is returned when using the getCallerPrincipal and getUserPrincipal application programming interfaces (API).
The default value of this field is com.ibm.websphere.security.auth.WSPrincipal. Using this default value returns the WebSphere Application Server principal name in the configured WebSphere Application Server registry.
To return a mapped SAF principal, specify com.ibm.ws.security.zos.Principal. If a value is specified but a principal does not match the specified CALLER_PRINCIPAL_CLASS value, the return value indicates an unauthenticated user. Specifying getUserInRole returns a null value, and specifying getCallerPrincipal() returns a string that indicates that the user is unauthenticated.