Server process authorization checking

(zos)
Server process authorization checking

We can specify specific access restrictions to z/OS resources.
To control access to WebSphere Application Server for z/OS resources:

As a general rule, give greater authority to controllers and less authority to servants.

of trust and authority for regions.
This table indicates the level of trust and authority for regions.
Region Level of trust and access authority

Controller

Contains WebSphere Application Server for z/OS system code.

Trusted, runs APF-authorized

Contains communication ports and manipulation of System Authorization Facility (SAF) client identities

Servant

Contains WebSphere Application Server for z/OS system code, application code, and pluggable service providers (such as jdbc drivers)

Supports Java 2 Security to protect sensitive data and system services

Untrusted

Regarding the WAS for z/OS run-time clusters, the general rule is to give less authority to the location service daemon, and greater authority to the node, as explained in the following table:

Server for z/OS run-time cluster control and servants .
This table lists the required authorities for z/OS run-time cluster control and servants.
Run-time Cluster Region Required Authorities

Location service daemon Control

STARTED class

Access to Workload Manager (WLM) services

Access to DNS

OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters

IRR.DIGTCERT.LIST and IRR.DIGCERT.LISTRING in FACILITY (SSL)

Node Control STARTED class
Controller Control

SSL

Kerberos

READ authority to the SERVER class,

OPERCMDS access to START, STOP, CANCEL, FORCE and MODIFY other servers

Servant Control The following classes:

OTMA

SERVER

DSNR,

DATASET

SURROGATE

STARTED

LOGSTREEAM

Remember to protect the Resource Recovery Services (RRS) log streams. By default, UACC is READ.

Protect the WAS for z/OS properties XML files, especially if they contain passwords. For more information, see the WAS variables in the console or the documentation.

dmgr also needs permission to start and stop servers.

Related concepts

Cluster authorizations

Related tasks

Use CBIND to control access to clusters

Run-time Cluster	Region	Required Authorities
Location service daemon	Control	STARTED class Access to Workload Manager (WLM) services Access to DNS OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters IRR.DIGTCERT.LIST and IRR.DIGCERT.LISTRING in FACILITY (SSL)
Node	Control	STARTED class
Controller	Control	SSL Kerberos READ authority to the SERVER class, OPERCMDS access to START, STOP, CANCEL, FORCE and MODIFY other servers
Servant	Control	The following classes: OTMA SERVER DSNR, DATASET SURROGATE STARTED LOGSTREEAM