(zos) System Authorization Facility (SAF) delegation
System Authorization Facility (SAF) delegation minimizes the need to store user IDs and passwords in many locations in the configuration.
WebSphere Application Server supports delegation. Delegation allows a user identity to be represented as a Java EE role. For example, we can configure an application to run with a RunAs role of RoleA. RoleA can then be mapped to UserA. WebSphere Application Server establishes the identity context as UserA, while RoleA is what is defined in the deployment descriptor. With such an arrangement in place, SAF delegation uses the specified Java EE role, RoleA, to determine the thread identity and then synchronizes processing with the user ID, UserA. UserA is specified as the APPLDATA value of the SAF EJBROLE profile, set with the RACF RDEFINE command. The RDEFINE command in this example would be as follows:
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)
SAF delegation requires that SAF authorization be enabled. The SAF security administrator is responsible for assigning users to the role. See z/OS System Authorization Facility authorization for the steps that permit SAF delegation.
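The complete RACF side of the arrangement described above, as an added example that is not from the original page: it activates and RACLISTs the EJBROLE class, defines the role profile with the APPLDATA identity, permits the callers who may run as the role, refreshes the in-storage profiles, and then lists the profile to verify the result. The lines are written as a TSO CLIST fragment so that the /* */ comments are legal; USER1 and APPGRP are constructed sample IDs, and the assumption is that the EJBROLE class is not yet active on the system.

```text
/* Activate the EJBROLE class and keep its profiles in storage (RACLIST). */
/* Assumed: the class is not yet active on this system.                   */
SETROPTS CLASSACT(EJBROLE) RACLIST(EJBROLE)

/* Define the role profile from the page. APPLDATA names the SAF user     */
/* identity the thread runs as when the application requests RoleA.       */
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)

/* Permit only the callers who may run as this role. USER1 and APPGRP    */
/* are constructed sample IDs, not from the page.                         */
PERMIT rolea CLASS(EJBROLE) ID(USER1 APPGRP) ACCESS(READ)

/* Changes to a RACLISTed class take effect only after a refresh.         */
SETROPTS RACLIST(EJBROLE) REFRESH

/* Verify: the output should show APPLDATA=USERA and the access list.     */
RLIST EJBROLE rolea ALL
```

UACC(NONE) keeps the role closed by default, so an identity reaches UserA only through an explicit PERMIT, and the RLIST output is the check that APPLDATA really names the intended user before the application is deployed. If the server is configured with a SAF profile prefix, the profile name the server checks is the prefix followed by the role name rather than the bare rolea.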
If SAF delegation is enabled and Kerberos is the active authentication mechanism, the runAs subject created on the server when the application requests the run-as role does not contain the Kerberos credential. As a result, the request falls back to LTPA.
Related tasks
(zos) Assigning users to RunAs roles
(zos) z/OS System Authorization Facility authorization