Unauthorized services used by the SAF registry

The System Authorization Facility (SAF) registry uses a number of unauthorized services from the C environment provided by LE (Language Environment). The following table lists the unauthorized LE C services that the SAF registry uses, and provides links to additional information in the z/OS V2R1 documentation. These services are subject to BPX.DAEMON restrictions, which are detailed in the documentation linked from the service calls associated with each method listed in the table.

Method                            LE C service         Link to further information
--------------------------------  -------------------  ------------------------------------------------------
checkPassword(String, String)     __passwd_applid()    Verify/Change User Password
getGroups(String, int)            setgrent()           Reset Group Database to First Entry
                                  getgrent()           Get Group Database Entry
                                  endgrent()           Get Group Database Entry Functions
getGroupsForUser(String)          getgroupsbyname()    Get Supplementary Group IDs by User Name
                                  getgrgid()           Access the Group Database by ID
getUsers(String, int)             setpwent()           Reset User Database Search
                                  getpwent()           Get User Database Entry
                                  endpwent()           User Database Functions
isValidGroup(String)              getgrnam_r()         Search Group Database for a Name
isValidUser(String)               getpwnam_r()         Search User Database for a Name
mapCertificate(X509Certificate)   __certificate()      Register/Deregister/Authenticate a Digital Certificate

NOTE: The getGroupsForUser(String) method only works for users with defined OMVS segments.

Note: If the Liberty server is configured to use SAF authorized services (see Activating and configuring the SAF registry on z/OS), then the following unauthorized services are not used:

  • checkPassword: __passwd_applid
  • isValidGroup: getgrnam_r
  • isValidUser: getpwnam_r
  • mapCertificate: __certificate

Instead, the Liberty server uses the initACEE authorized SAF service.

For the isValidGroup method, the Liberty server uses the RACROUTE EXTRACT macro.

Unless the server is configured to use an Angel for security authentication operations, the UserRegistry isValidUser and isValidGroup methods return false for user or group names created without an OMVS segment.
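The name lookups that the table lists for isValidUser and isValidGroup, sketched as an added C example (not code from Liberty or from the z/OS documentation): it calls getpwnam_r() and getgrnam_r(), separates "no entry" from "lookup failed", and treats only a positive match as valid, so every other outcome gives the false result described above for names without an OMVS segment. The helper names, result codes and buffer cap are assumptions made for this example.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed result codes; all helper names here are assumptions. */
enum lookup { LOOKUP_ERROR = -1, LOOKUP_ABSENT = 0, LOOKUP_FOUND = 1 };
#define MAX_BUF (1u << 20) /* stop growing the scratch buffer at 1 MiB */

/* getpwnam_r(): return 0 with a NULL result means "no such entry". */
enum lookup lookup_user(const char *name)
{
    for (size_t len = 1024; len <= MAX_BUF; len *= 2) {
        struct passwd pw, *res = NULL;
        char *buf = malloc(len);
        if (buf == NULL) return LOOKUP_ERROR;
        int rc = getpwnam_r(name, &pw, buf, len, &res);
        free(buf);                       /* only the match state is kept */
        if (rc == 0) return res ? LOOKUP_FOUND : LOOKUP_ABSENT;
        if (rc != ERANGE) { errno = rc; return LOOKUP_ERROR; }
    }
    return LOOKUP_ERROR;                 /* buffer cap reached */
}

/* Same pattern against the group database with getgrnam_r(). */
enum lookup lookup_group(const char *name)
{
    for (size_t len = 1024; len <= MAX_BUF; len *= 2) {
        struct group gr, *res = NULL;
        char *buf = malloc(len);
        if (buf == NULL) return LOOKUP_ERROR;
        int rc = getgrnam_r(name, &gr, buf, len, &res);
        free(buf);
        if (rc == 0) return res ? LOOKUP_FOUND : LOOKUP_ABSENT;
        if (rc != ERANGE) { errno = rc; return LOOKUP_ERROR; }
    }
    return LOOKUP_ERROR;
}

/* Fail closed: an absent entry and a failed lookup are both "not valid". */
int is_valid_user(const char *name)  { return lookup_user(name)  == LOOKUP_FOUND; }
int is_valid_group(const char *name) { return lookup_group(name) == LOOKUP_FOUND; }

int main(int argc, char **argv)
{
    const char *n = argc > 1 ? argv[1] : "root";
    printf("%s: user=%d group=%d\n", n, is_valid_user(n), is_valid_group(n));
    return 0;
}
```

Logging LOOKUP_ERROR separately from LOOKUP_ABSENT helps tell a missing database entry apart from a failing lookup when a known user is unexpectedly reported as invalid.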