(zos)Special considerations for controlling access to naming roles using SAF authorization
There are special considerations in WebSphere Application Server for controlling access to naming roles.
When assigning users to naming roles, we can use either System Authorization Facility (SAF) authorization (EJBROLE profiles) or WebSphere Application Server authorization to control access to naming roles. To enable SAF authorization, see z/OS System Authorization Facility authorization. For a discussion of the CosNaming roles, see Administrative console and naming service authorization. See also Assigning users to naming roles.
When SAF authorization is enabled, SAF EJBROLE profiles are used to control access to CosNaming functions. If we selected Use a z/OS security product during profile creation in the z/OS Profile Management Tool and additionally specified a value for the SAF profile prefix (previously referred to as the z/OS security domain), then the customization jobs defined the following CosNaming roles:
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingRead UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingWrite UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingCreate UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingDelete UACC(NONE)
PERMIT (optionalSecurityDomainName.)CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
If we decide, at a future date, to enable SAF authorization, issue these RACF commands to enable proper WebSphere Application Server operation. Change the value WSGUEST if we have chosen a different unauthenticated user ID. Change the value WSCFG1 if we have chosen a different configuration group. WSGUEST must be given explicit READ access because it is a restricted user ID.
The default access granted by the customization job permits all authenticated users to read the name space. This level of authority might be broader than we want to provide. At a minimum, give the WebSphere Application Server configuration group (servers and administrators) read access to all of the profiles, and permit all WebSphere Application Server for z/OS clients read access to the CosNamingRead profile.
If additional users require access to CosNaming roles, we can grant a user any of the preceding roles by issuing the following RACF command, substituting the role name and the user's MVS ID:
PERMIT (optionalSAFProfilePrefix.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
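The following is an added example, not code from the IBM page or from WebSphere itself. It builds the RACF EJBROLE command set shown above from the three values an administrator must substitute (the optional SAF profile prefix, the unauthenticated user ID, and the configuration group), and also builds the tighter variant the preceding paragraph recommends as a minimum, so the two can be compared side by side. A small readers_of helper then answers the review question "who can read this role under this command set", treating UACC(READ) as access for everyone. The prefix WSSD and the client group WSCLIENT are constructed sample values, not values from the page; the ID check assumes only the RACF rule that user and group IDs are 1 to 8 characters.

```python
# Added example, not part of the IBM page: generate and review the RACF EJBROLE
# commands for the WebSphere CosNaming roles. WSSD and WSCLIENT are constructed names.
import re

COSNAMING_ROLES = ("CosNamingRead", "CosNamingWrite", "CosNamingCreate", "CosNamingDelete")
_RACF_ID = re.compile(r"^[A-Z0-9@#$]{1,8}$")  # RACF user/group IDs: 1-8 characters
_PERMIT = re.compile(r"^PERMIT (\S+) CLASS\(EJBROLE\) ID\(([^)]+)\) ACCESS\(([^)]+)\)$")


def _check_id(name):
    """Reject IDs that RACF would not accept (too long, or lower case)."""
    if not _RACF_ID.match(name):
        raise ValueError(f"not a valid RACF user/group ID: {name!r}")
    return name


def profile_name(role, prefix=None):
    """The SAF profile prefix is optional; when present it is joined to the role with a dot."""
    return f"{prefix}.{role}" if prefix else role


def rdefine(role, uacc, prefix=None):
    return f"RDEFINE EJBROLE {profile_name(role, prefix)} UACC({uacc})"


def permit(role, userid, prefix=None, access="READ"):
    return (f"PERMIT {profile_name(role, prefix)} CLASS(EJBROLE) "
            f"ID({_check_id(userid)}) ACCESS({access})")


def customization_job_commands(prefix=None, guest="WSGUEST", config_group="WSCFG1"):
    """The default set from the page: CosNamingRead open via UACC(READ), the other three
    closed via UACC(NONE) with the configuration group permitted, and the restricted
    unauthenticated ID given explicit READ on CosNamingRead."""
    cmds = [rdefine("CosNamingRead", "READ", prefix)]
    cmds += [rdefine(r, "NONE", prefix) for r in COSNAMING_ROLES[1:]]
    cmds.append(permit("CosNamingRead", guest, prefix))
    cmds += [permit(r, config_group, prefix) for r in COSNAMING_ROLES[1:]]
    return cmds


def minimal_access_commands(prefix=None, config_group="WSCFG1", client_group="WSCLIENT", guest=None):
    """The tighter variant: nothing is open through UACC; the configuration group reads
    all four profiles; a client group (constructed name) reads CosNamingRead only.
    Pass the unauthenticated ID as guest= only if anonymous lookups must keep working."""
    cmds = [rdefine(r, "NONE", prefix) for r in COSNAMING_ROLES]
    cmds += [permit(r, config_group, prefix) for r in COSNAMING_ROLES]
    cmds.append(permit("CosNamingRead", client_group, prefix))
    if guest:
        cmds.append(permit("CosNamingRead", guest, prefix))
    return cmds


def readers_of(cmds, role, prefix=None):
    """IDs able to read the role's profile under cmds; '*' marks universal access via UACC(READ)."""
    name = profile_name(role, prefix)
    readers = set()
    for c in cmds:
        if c == f"RDEFINE EJBROLE {name} UACC(READ)":
            readers.add("*")
        m = _PERMIT.match(c)
        if m and m.group(1) == name and m.group(3) != "NONE":
            readers.add(m.group(2))
    return readers


if __name__ == "__main__":
    for title, cmds in (("default customization job", customization_job_commands("WSSD")),
                        ("minimal access", minimal_access_commands("WSSD"))):
        print(f"--- {title} ---")
        print("\n".join(cmds))
        print("CosNamingRead readers:", sorted(readers_of(cmds, "CosNamingRead", "WSSD")))
```

Running the module prints both command sets with the constructed prefix WSSD; the difference in the CosNamingRead readers line (everyone via UACC(READ) versus only the configuration and client groups) is exactly the broadening the paragraph above warns about.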
When SAF authorization is not enabled, WebSphere Application Server authorization and the console are used to control access to CosNaming functions.
For information on using WebSphere Application Server authorization to control access to naming roles, refer to Assigning users to naming roles.
Related concepts
Administrative roles and naming service authorization
(zos) z/OS Profile Management Tool security settings
(zos) Summary of controls
Global security settings