Server process authorization checking
You can define specific access restrictions for z/OS® resources.
To control access to WebSphere® Application Server for z/OS resources:
- As a general rule, give greater authority to controllers and less authority to servants.
Table 1. Level of trust and authority for regions.

| Region | Level of trust and access authority |
| --- | --- |
| Controller | Contains WebSphere Application Server for z/OS system code.<br>Trusted, runs APF-authorized.<br>Contains communication ports and manipulation of System Authorization Facility (SAF) client identities. |
| Servant | Contains WebSphere Application Server for z/OS system code, application code, and pluggable service providers (such as JDBC drivers).<br>Supports Java™ 2 Security to protect sensitive data and system services.<br>Untrusted. |

- Regarding the WebSphere Application Server for z/OS run-time clusters, the general rule is to give less authority to the location service daemon, and greater authority to the node, as explained in the following table:
Table 2. Assigning authorities to WebSphere Application Server for z/OS run-time cluster control and servants.

| Run-time Cluster | Region | Required Authorities |
| --- | --- | --- |
| Location service daemon | Control | STARTED class<br>Access to Workload Manager (WLM) services<br>Access to DNS<br>OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters<br>IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING in FACILITY (SSL) |
| Node | Control | STARTED class |
| Controller | Control | SSL<br>Kerberos<br>READ authority to the SERVER class<br>OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other servers |
| Servant | Control | The following classes:<br>OTMA<br>SERVER<br>DSNR<br>DATASET<br>SURROGATE<br>STARTED<br>LOGSTREAM |

- Remember to protect the Resource Recovery Services (RRS) log streams. By default, UACC is READ.
- Protect the WebSphere Application Server for z/OS properties XML files, especially if they contain passwords. For more information, see the WebSphere Application Server variables in the administrative console or the documentation.
- Deployment Manager also needs permission to start and stop servers.
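
The following is an added example, not IBM code or part of the original page: a small least-privilege audit that applies three rules stated above (log streams must not be readable through UACC, OPERCMDS authority belongs only to the daemon and controller, and the controller gets READ on SERVER and nothing higher). The record layout, the user IDs (`WSDMN1`, `WSCR1`, `WSSR1`), and the profile names are constructed for illustration and are not RACF output.

```python
from typing import NamedTuple

# RACF access levels, weakest first.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

class Permit(NamedTuple):
    cls: str      # resource class, named as on this page
    profile: str
    user: str     # "*UACC*" stands for the profile's universal access
    access: str

def rank(access: str) -> int:
    return LEVELS.index(access)  # raises ValueError on an unknown level

def audit(permits, roles):
    """Return sorted (user, class, profile, reason) findings."""
    findings = []
    for p in permits:
        role = roles.get(p.user)
        if p.cls == "LOGSTREAM" and p.user == "*UACC*":
            # The page warns that log streams default to UACC READ.
            if rank(p.access) >= rank("READ"):
                findings.append((p.user, p.cls, p.profile, "log stream readable by default"))
        elif p.cls == "OPERCMDS" and role in ("servant", "node"):
            # Table 2 lists OPERCMDS only for the daemon and the controller.
            if rank(p.access) > rank("NONE"):
                findings.append((p.user, p.cls, p.profile, f"operator commands granted to {role}"))
        elif p.cls == "SERVER" and role == "controller":
            # Table 2 gives the controller READ on SERVER, nothing higher.
            if rank(p.access) > rank("READ"):
                findings.append((p.user, p.cls, p.profile, "controller exceeds READ on SERVER"))
    return sorted(findings)

# Constructed sample data: hypothetical user IDs and profile names.
ROLES = {"WSDMN1": "daemon", "WSCR1": "controller", "WSSR1": "servant"}
PERMITS = [
    Permit("LOGSTREAM", "ATR.**", "*UACC*", "READ"),
    Permit("OPERCMDS", "MVS.START.STC.**", "WSDMN1", "UPDATE"),
    Permit("OPERCMDS", "MVS.START.STC.**", "WSCR1", "UPDATE"),
    Permit("OPERCMDS", "MVS.START.STC.**", "WSSR1", "UPDATE"),
    Permit("SERVER", "CB.*.*", "WSCR1", "READ"),
    Permit("SERVER", "CB.*.*", "WSSR1", "READ"),
]

if __name__ == "__main__":
    for finding in audit(PERMITS, ROLES):
        print(" | ".join(finding))
```

On the sample data the audit reports the log stream profile with UACC READ and the servant ID holding operator command authority; the controller and daemon entries pass.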