+

Search Tips   |   Advanced Search

(zos)

SAF profile prefixes and the customization jobs

We can configure a System Authorization Facility (SAF) profile prefix (previously referred to as a z/OS security domain) using the z/OS Profile Management Tool.

An SAF profile prefix allows an installation to add a prefix to the SAF profiles that represent their roles. For example, an installation can define SAF class EJBRole and a SAF profile of myPrefix.administrator. A SAF profile prefix can be defined for the entire cell or it can be defined at the WebSphere security domain-level granularity of security permissions. SAF profile prefixes:

We can configure a SAF profile prefix using the z/OS Profile Management Tool to customize your settings or on the SAF authorization options panel in the console. This provides a new sample set of Resource Access Control Facility (RACF ) customization jobs that must only be run once when the domain is created.

The RACF profiles created and checked differently because of this are:

Use CBIND profiles to restrict access to servers if no other specific profile is set. If there is no SAF profile prefix, enter the following RACF commands:

/*  CBIND profiles in case no server definition is set         */
"RDEFINE CBIND CB.BIND.* UACC(NONE)"   "RDEFINE CBIND CB.* UACC(NONE)"

If there is a SAF profile prefix defined as TESTSYS, enter:

/*  CBIND CB.BIND.domain_name.                              */
"RDEFINE CBIND CB.BIND.TESTSYS.* UACC(NONE)"   "RDEFINE CBIND CB.TESTSYS.* UACC(NONE)"

Use an APPL profile to protect WebSphere Application Server for z/OS. Sample profiles can grant a certain level of APPL access to everyone if you use the universal access authority, UACC, and grant access to the configuration group, unauthenticated user IDs, and all valid WebSphere Application Server for z/OS user IDs. A UACC(NONE) will give a default access of NONE to everyone. We can control whether the APPL class profile is used for authorization by setting the checkbox labeled "Use APPL profile to restrict access to the server" on the SAF authorization options panel in the console.

For example, if there is no SAF profile prefix, enter the following RACF commands:

RDEFINE APPL CBS390 UACC(NONE)
PERMIT CBS390 CLASS(APPL) ID(TSCLGP) ACCESS(READ)

And if there is a SAF profile prefix defined as TESTSYS, for example, enter:

RDEFINE APPL TESTSYS UACC(NONE)
PERMIT TESTSYS CLASS(APPL) ID(TSCLGP) ACCESS(READ)

The following EJBROLE profiles are defined for role-based authorization checks if there is no SAF profile prefix and the configuration group is defined as TSTCFG. Note that these are the minimum set of users requiring access to naming and administrative roles when System Authorization Facility (SAF) authorization is selected.

The following roles must be defined for both operating system and application security. Enter the following RACF commands:

RDEFINE EJBROLE administrator UACC(NONE)
RDEFINE EJBROLE monitor      UACC(NONE)
RDEFINE EJBROLE configurator UACC(NONE)
RDEFINE EJBROLE  operator    UACC(NONE)
RDEFINE EJBROLE  deployer     UACC(NONE)
RDEFINE EJBROLE  adminsecuritymanager     UACC(NONE)
RDEFINE EJBROLE  auditor     UACC(NONE)
 PERMIT administrator CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT auditor       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT adminsecuritymanager       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
 /* Setting up EJBRoles Profiles for Naming roles             */
RDEFINE EJBROLE CosNamingRead   UACC(NONE)
PERMIT CosNamingRead  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingWrite  UACC(NONE)
PERMIT CosNamingWrite  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingCreate UACC(NONE)
PERMIT CosNamingCreate  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingDelete UACC(NONE)
PERMIT CosNamingDelete  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)

If there is a SAF profile prefix defined as TESTSYS and the configuration group is defined as TSTCFG, enter the following RACF commands:

RDEFINE EJBROLE TESTSYS.administrator UACC(NONE)
RDEFINE EJBROLE TESTSYS.monitor      UACC(NONE)
RDEFINE EJBROLE TESTSYS.configurator UACC(NONE)
RDEFINE EJBROLE TESTSYS.operator     UACC(NONE)
RDEFINE EJBROLE TESTSYS.deployer      UACC(NONE)
RDEFINE EJBROLE TESTSYS.adminsecuritymanager     UACC(NONE)
RDEFINE EJBROLE TESTSYS.auditor     UACC(NONE)
 PERMIT TESTSYS.administrator CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.auditor       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.adminsecuritymanager        CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
 /* Setting up EJBRoles Profiles for Naming roles         */
RDEFINE EJBROLE TESTSYS.CosNamingRead   UACC(NONE)
PERMIT TESTSYS.CosNamingRead  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingWrite  UACC(NONE)
PERMIT TESTSYS.CosNamingWrite  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingCreate UACC(NONE)
PERMIT TESTSYS.CosNamingCreate  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingDelete UACC(NONE)
PERMIT TESTSYS.CosNamingDelete  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)

CBIND profile definitions for servers

If there is no SAF profile prefix, enter the following RACF commands:

RDEFINE CBIND CB.BIND.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TSTC001 UACC(NONE)
PERMIT CB.BIND.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.BBO* UACC(NONE)
RDEFINE CBIND CB.TSTC001 UACC(NONE)

If there is a SAF profile prefix defined as TESTSYS, enter:

RDEFINE CBIND CB.BIND.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TESTSYS.TSTC001 UACC(NONE)
PERMIT CB.BIND.TESTSYS.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TESTSYS.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.TESTSYS.TSTC001 UACC(NONE)


Related concepts

  • WAS security for z/OS

  • z/OS Profile Management Tool security settings
  • z/OS security options