(ZOS) Special considerations for controlling access to naming roles using SAF authorization
There are special considerations in WebSphere Application Server for controlling access to naming roles.
When assigning users to naming roles, we can use either System Authorization Facility (SAF) authorization (EJBROLE profiles) or WAS authorization to control access to the naming roles. To enable SAF authorization, see z/OS System Authorization Facility authorization. For a discussion of the CosNaming roles, see Administrative console and naming service authorization. See also Assigning users to naming roles.
When SAF authorization is enabled, SAF EJBROLE profiles control access to CosNaming functions. If we selected Use a z/OS security product during profile creation in the z/OS Profile Management Tool and also specified a value for the SAF profile prefix (previously called the z/OS security domain), the customization jobs defined the following CosNaming roles:
  RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingRead UACC(READ)
  RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingWrite UACC(NONE)
  RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingCreate UACC(NONE)
  RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingDelete UACC(NONE)
  PERMIT (optionalSecurityDomainName.)CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
  PERMIT (optionalSecurityDomainName.)CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  PERMIT (optionalSecurityDomainName.)CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  PERMIT (optionalSecurityDomainName.)CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
Here optionalSecurityDomainName is the SAF profile prefix; if no prefix was specified, omit the prefix and its trailing period so that the profile name is simply the role name. If we decide at a future date to enable SAF authorization, we must issue these RACF commands for WAS to operate correctly. Change the value WSGUEST if we chose a different unauthenticated user ID. Change the value WSCFG1 if we chose a different configuration group. WSGUEST must be given explicit READ access because it is a restricted user ID, and universal access (UACC) does not apply to restricted user IDs.
The default access granted by the customization job (UACC(READ) on the CosNamingRead profile, plus the explicit PERMIT for WSGUEST) lets every user ID on the system, including the unauthenticated user, read the name space. This might be a broader level of authority than we want to grant. At a minimum, give the configuration group for WAS (servers and administrators) READ access to all four profiles, and give all WAS for z/OS clients READ access to the CosNamingRead profile; the other three profiles should stay at UACC(NONE) with only explicit PERMITs.
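To make the difference between the shipped defaults and the tightened variant concrete, the following Python generator emits both command sets from one description of the four roles and flags any profile that still carries a non-NONE UACC. This is an added example, not code from the WAS documentation or from the IBM customization jobs. The prefix, the group name WASCLNT (assumed here to be a RACF group containing the z/OS client user IDs) and the choice of whether the unauthenticated user keeps read access are assumptions; the RDEFINE and PERMIT syntax is the same as in the commands above.

```python
"""Generate RACF EJBROLE commands for the WebSphere CosNaming roles.

Added example (not from the WAS documentation or IBM jobs). Assumptions:
the SAF profile prefix, the user/group names and the hypothetical client
group WASCLNT are placeholders chosen for this example.
"""
import re

ROLES = ("CosNamingRead", "CosNamingWrite", "CosNamingCreate", "CosNamingDelete")


def profile(prefix, role):
    """Profile name with the optional SAF profile prefix (prefix.role or just role)."""
    return f"{prefix}.{role}" if prefix else role


def rdefine(prefix, role, uacc):
    return f"RDEFINE EJBROLE {profile(prefix, role)} UACC({uacc})"


def permit(prefix, role, mvsid, access="READ"):
    return f"PERMIT {profile(prefix, role)} CLASS(EJBROLE) ID({mvsid}) ACCESS({access})"


def default_commands(prefix="", guest="WSGUEST", cfg_group="WSCFG1"):
    """The definitions the customization jobs issue: world-readable name space."""
    cmds = [rdefine(prefix, "CosNamingRead", "READ")]
    cmds += [rdefine(prefix, r, "NONE") for r in ROLES[1:]]
    # WSGUEST is a restricted user ID, so UACC(READ) does not cover it.
    cmds.append(permit(prefix, "CosNamingRead", guest))
    cmds += [permit(prefix, r, cfg_group) for r in ROLES[1:]]
    return cmds


def least_privilege_commands(prefix="", guest="WSGUEST", cfg_group="WSCFG1",
                             client_group="WASCLNT", allow_guest_read=False):
    """Tightened variant: no universal access on any CosNaming profile.

    The configuration group reads all four profiles (servers and admins);
    the client group reads only CosNamingRead. Whether the unauthenticated
    user may still read the name space is a policy choice (off by default).
    """
    cmds = [rdefine(prefix, r, "NONE") for r in ROLES]
    cmds += [permit(prefix, r, cfg_group) for r in ROLES]
    cmds.append(permit(prefix, "CosNamingRead", client_group))
    if allow_guest_read:
        cmds.append(permit(prefix, "CosNamingRead", guest))
    # EJBROLE profiles are normally RACLISTed; a refresh makes the change live.
    cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    return cmds


_RDEFINE = re.compile(r"^RDEFINE EJBROLE (\S+) UACC\((\w+)\)$")


def uacc_exposures(cmds):
    """Return (profile, uacc) for every RDEFINE whose UACC is not NONE."""
    found = []
    for line in cmds:
        m = _RDEFINE.match(line)
        if m and m.group(2).upper() != "NONE":
            found.append((m.group(1), m.group(2).upper()))
    return found


if __name__ == "__main__":
    print("# shipped defaults")
    print("\n".join(default_commands("WAS1")))
    print("# exposures:", uacc_exposures(default_commands("WAS1")))
    print("# least privilege")
    print("\n".join(least_privilege_commands("WAS1")))
    print("# exposures:", uacc_exposures(least_privilege_commands("WAS1")))
```

Paste the generated lines into a TSO session or a batch TSO step. The uacc_exposures check is the audit to repeat after any later change: the default set reports CosNamingRead with UACC(READ); the tightened set reports nothing, because every grant is an explicit PERMIT.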
If additional users require access to CosNaming roles, we can permit a user to have any of the previous roles, as indicated, by issuing the following RACF command:
  PERMIT (optionalSAFProfilePrefix.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
If the EJBROLE class is RACLISTed, the new permission does not take effect until the in-storage profiles are refreshed with SETROPTS RACLIST(EJBROLE) REFRESH.
When SAF authorization is not enabled, WAS authorization and the administrative console are used to control access to CosNaming functions.
For information on using WAS authorization to control access to naming roles, refer to Assigning users to naming roles.
Related:
  Administrative roles and naming service authorization
  (ZOS) z/OS Profile Management Tool security settings
  (ZOS) Summary of controls
  Global security settings