(zos) When to use application Synch to OS Thread Allowed
Specify application Synch to OS Thread Allowed to use the Java thread identity to access the non-WebSphere-managed resources accessed by the application.
When an application uses the application Synch to OS Thread Allowed support, the access control privileges associated with the current Java thread identity (not the access control privileges for the server identity) are applied when accessing these resources. (An example of a non-WebSphere-managed resource is the file system.)
Use application Synch to OS Thread Allowed to control file system access based on the Java thread identity. The default Java thread identity is the client identity, which is the user who invoked the application. The Java EE RunAS role deployment descriptor settings can override this default. The alternatives include the server identity or the specified role, such as a user ID (chosen by the application server) configured to be in the specified role. By running with the Java thread identity and specifying Synch to OS Thread Allowed, all file system access control decisions are based on the access privileges of the Java thread identity.
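The two identity choices described above, shown as an added `ejb-jar.xml` fragment that is not part of the original page. The bean, class and role names are hypothetical, and the fragment assumes the application requests the support through the `com.ibm.websphere.security.SyncToOSThread` environment entry.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; bean, class and role names are hypothetical. -->
<ejb-jar xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.2">
  <enterprise-beans>
    <!-- Default: the Java thread identity is the client identity, so
         file access is checked against the invoking user's privileges. -->
    <session>
      <ejb-name>ReportReaderBean</ejb-name>
      <ejb-class>com.example.reports.ReportReaderBean</ejb-class>
      <session-type>Stateless</session-type>
      <!-- Assumption: the entry by which the application requests
           Synch to OS Thread Allowed. -->
      <env-entry>
        <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
        <env-entry-type>java.lang.Boolean</env-entry-type>
        <env-entry-value>true</env-entry-value>
      </env-entry>
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
    <!-- RunAs override: the Java thread identity becomes a user ID that
         the application server maps to the "archiver" role, so file
         access is checked against that user ID, not the caller. -->
    <session>
      <ejb-name>ArchiveWriterBean</ejb-name>
      <ejb-class>com.example.reports.ArchiveWriterBean</ejb-class>
      <session-type>Stateless</session-type>
      <env-entry>
        <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
        <env-entry-type>java.lang.Boolean</env-entry-type>
        <env-entry-value>true</env-entry-value>
      </env-entry>
      <security-identity>
        <run-as>
          <role-name>archiver</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>archiver</role-name>
    </security-role>
  </assembly-descriptor>
</ejb-jar>
```

When reviewing such a descriptor, confirm that the user ID mapped to a RunAs role holds only the file system permissions that bean needs, because every caller of the bean then reaches files with that user ID's privileges.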
Application Synch to OS Thread Allowed is not relevant to container managed persistence (CMP) entity beans, but Connection Management RunAs Identity Enabled might be relevant, depending on the JDBC Provider. Refer to the following:
- Deploy secured applications and Develop applications that use programmatic security for details on WebSphere role-based security.
- Connection Manager RunAs Identity Enabled and system security for more information about CMP entity beans.
- JEE identity and an operating system thread identity for more information about identities.
Related concepts
- Java thread identity and an operating system thread identity
- Application Synch to OS Thread Allowed
- Connection Manager RunAs Identity Enabled and system security
- JEE identity and an operating system thread identity