IBM BPM, V8.0.1, All platforms > Installing, deploying, and undeploying applications in the runtime environment > Deploying service modules > Deploying secure applications

Commands to implement roles and user assignments (System Authorization Facility directions)

The System Authorization Facility (SAF) is a z/OS interface that programs can use to communicate with an external security manager, such as RACF. You can use RACF commands to implement roles and user assignments.

The following examples can be used to construct the RACF commands needed to implement the roles and user assignments. Replace (optionalSecurityDomain) with the SAF profile prefix (security domain) configured for the cell, or omit the prefix and the period if no security domain is used. RACFUserIdentity stands for the RACF user ID that applications using a RunAs role run under:

RDEFINE EJBROLE (optionalSecurityDomain).WebClientUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BPEAPIUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BPESystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).BPESystemAdministrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BPESystemMonitor UACC(NONE)
PERMIT (optionalSecurityDomain).BPESystemMonitor CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).JMSAPIUser UACC(READ) APPLDATA(RACFUserIdentity)
RDEFINE EJBROLE (optionalSecurityDomain).AdminJobUser UACC(READ) APPLDATA(RACFUserIdentity)
RDEFINE EJBROLE (optionalSecurityDomain).JAXWSAPIUser UACC(READ)
PERMIT (optionalSecurityDomain).JAXWSAPIUser CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).businessspaceusers UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).WebFormUsers UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).BusinessRuleUsers UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).NoOne UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).AnyOne UACC(READ)
PERMIT (optionalSecurityDomain).AnyOne CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).Administrator UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).RestServicesUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).TaskAPIUser UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).TaskSystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).TaskSystemAdministrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).TaskSystemMonitor UACC(NONE)
PERMIT (optionalSecurityDomain).TaskSystemMonitor CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).EscalationUser UACC(READ) APPLDATA(RACFUserIdentity)
RDEFINE EJBROLE (optionalSecurityDomain).Allauthenticated UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomain).everyone UACC(READ)
PERMIT (optionalSecurityDomain).everyone CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).WBIOperator UACC(READ)
PERMIT (optionalSecurityDomain).WBIOperator CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)

Any user who is to use the applications protected by these roles must have READ access to the role's EJBROLE profile, either through the profile's UACC or through an explicit PERMIT. Unsecured applications run under the identity of the WebSphere Application Server unauthenticated user ID, which by default is WSGUEST. That user ID is usually defined with the RESTRICTED attribute, and RACF does not grant RESTRICTED user IDs access through UACC (or through ID(*) entries). Therefore, if an unsecured application uses facilities protected by the Java EE roles listed above, WSGUEST must be given READ access by an explicit PERMIT on the profiles that implement the equivalent of the EVERYONE mapping for the role.

There is a subtlety in assigning users to roles with SAF-based authorization. To emulate the EVERYONE mapping, define the EJBROLE profile with UACC(READ) and also grant READ access to the WebSphere Application Server unauthenticated user ID (WSGUEST by default) with an explicit PERMIT, because the RESTRICTED attribute prevents that ID from inheriting UACC. To emulate the ALL_AUTHENTICATED mapping, define the profile with UACC(READ) and do not PERMIT the unauthenticated user ID; every authenticated user then qualifies through UACC while WSGUEST does not. To restrict a role to named users or groups, define the profile with UACC(NONE) and PERMIT only the IDs that need it, as the BPESystemAdministrator and TaskSystemMonitor examples do with WSCFG1. See the WebSphere Application Server information center: System Authorization Facility considerations for the operating system and application levels.

Applications that use securityIdentity or RunAs roles also need extra configuration with SAF security products. In RACF, the APPLDATA parameter of the EJBROLE profile names the RACF user ID (RACFUserIdentity in the examples above) under which the RunAs role executes. See the WebSphere Application Server information center: System Authorization Facility (SAF) delegation.
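The following script is an added example and is not part of the IBM BPM documentation or product. It encodes the EVERYONE, ALL_AUTHENTICATED and explicit-ID mappings described above as a generator for the RDEFINE and PERMIT commands, then parses the generated commands back and replays a simplified RACF access decision so that the RESTRICTED-user subtlety is visible: WSGUEST is denied on a UACC(READ) profile unless it is explicitly permitted. The mapping names, the Role, Profile and User classes, the security domain BPMDOM and the user ID ALICE are this example's own assumptions; the SETROPTS RACLIST(EJBROLE) REFRESH at the end reflects the normal need to refresh the RACLISTed EJBROLE class after defining profiles.

```python
"""Generate RACF EJBROLE commands for Java EE roles and replay the access decisions
RACF would make, including the RESTRICTED-user subtlety.
Example code, not from the IBM BPM documentation or product: the mapping names, the
Role/Profile/User classes and the domain 'BPMDOM' are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EVERYONE = "everyone"                    # UACC(READ) + PERMIT for the unauthenticated ID
ALL_AUTHENTICATED = "all_authenticated"  # UACC(READ) only
EXPLICIT = "explicit"                    # UACC(NONE) + PERMIT for named IDs or groups
NO_ONE = "no_one"                        # UACC(NONE), no PERMIT
ACCESS_LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Role:
    name: str
    mapping: str
    ids: Tuple[str, ...] = ()        # IDs to PERMIT when mapping is EXPLICIT
    runas_id: Optional[str] = None   # RACF identity for securityIdentity/RunAs

def profile_name(domain: str, role: str) -> str:
    """Prefix the role name with the optional security domain."""
    return f"{domain}.{role}" if domain else role

def racf_commands(roles: List[Role], domain: str = "",
                  unauthenticated_id: str = "WSGUEST") -> List[str]:
    """Emit the RDEFINE/PERMIT commands that implement each role's mapping."""
    cmds = []
    for r in roles:
        p = profile_name(domain, r.name)
        uacc = "READ" if r.mapping in (EVERYONE, ALL_AUTHENTICATED) else "NONE"
        rdefine = f"RDEFINE EJBROLE {p} UACC({uacc})"
        if r.runas_id:               # SAF delegation: RunAs identity via APPLDATA
            rdefine += f" APPLDATA({r.runas_id})"
        cmds.append(rdefine)
        permits = list(r.ids) if r.mapping == EXPLICIT else []
        if r.mapping == EVERYONE:    # RESTRICTED IDs get nothing from UACC, so PERMIT
            permits.append(unauthenticated_id)
        for uid in permits:
            cmds.append(f"PERMIT {p} CLASS(EJBROLE) ID({uid}) ACCESS(READ)")
    # EJBROLE is normally RACLISTed; new profiles take effect only after a refresh.
    cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    return cmds

@dataclass
class Profile:
    uacc: str = "NONE"
    access_list: Dict[str, str] = field(default_factory=dict)
    appldata: Optional[str] = None

def build_profiles(cmds: List[str]) -> Dict[str, Profile]:
    """Parse the generated RDEFINE/PERMIT commands back into a profile table."""
    profiles: Dict[str, Profile] = {}
    for c in cmds:
        tok = c.split()
        opts = {t.split("(")[0]: t.split("(")[1].rstrip(")") for t in tok if "(" in t}
        if tok[0] == "RDEFINE" and tok[1] == "EJBROLE":
            profiles[tok[2]] = Profile(uacc=opts["UACC"], appldata=opts.get("APPLDATA"))
        elif tok[0] == "PERMIT":
            profiles[tok[1]].access_list[opts["ID"]] = opts["ACCESS"]
    return profiles

@dataclass
class User:
    id: str
    groups: Tuple[str, ...] = ()
    restricted: bool = False         # RACF RESTRICTED attribute

def racf_allows(prof: Profile, user: User, needed: str = "READ") -> bool:
    """Simplified RACF check: user entry, else best group entry, else UACC (never for RESTRICTED)."""
    if user.id in prof.access_list:
        granted = prof.access_list[user.id]
    else:
        hits = [prof.access_list[g] for g in user.groups if g in prof.access_list]
        if hits:
            granted = max(hits, key=ACCESS_LEVEL.get)
        elif user.restricted:
            return False
        else:
            granted = prof.uacc
    return ACCESS_LEVEL[granted] >= ACCESS_LEVEL[needed]

# A few roles from the command list above, classified by the mapping they implement.
PAGE_ROLES = [
    Role("WebClientUser", ALL_AUTHENTICATED),
    Role("AnyOne", EVERYONE),
    Role("BPESystemAdministrator", EXPLICIT, ids=("WSCFG1",)),
    Role("NoOne", NO_ONE),
    Role("JMSAPIUser", ALL_AUTHENTICATED, runas_id="RACFUserIdentity"),
]
USERS = (User("WSGUEST", restricted=True), User("ALICE"), User("WSCFG1"))  # ALICE is constructed

def decisions(domain: str = "BPMDOM") -> Dict[Tuple[str, str], bool]:
    """Map (role, user ID) to the READ decision RACF would make for the generated profiles."""
    profs = build_profiles(racf_commands(PAGE_ROLES, domain))
    return {(r.name, u.id): racf_allows(profs[profile_name(domain, r.name)], u)
            for r in PAGE_ROLES for u in USERS}
```

Calling racf_commands(PAGE_ROLES, "BPMDOM") returns the command text as it would be entered in TSO; decisions() shows that WSGUEST reads AnyOne (explicit PERMIT) but not WebClientUser (UACC only), while the constructed authenticated user ALICE reads both and is refused BPESystemAdministrator, which only WSCFG1 holds.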