(ZOS) Controlling access to console users when using a Local OS Registry
Add console users and authorizing them for a cell involves adjusting the user registry and authorization settings. A user registry custom property governs the form of authorization of console users. Regardless of the form of authorization used, the outcome is an MVS™ user ID for the WebSphere administrator identity is able to access all administrative console functions and use the administrative scripting tool when security is first enabled.
If non-local operating system registries and System Authorization Facility (SAF) authorization are used, we must use identity mapping to map WAS identities to SAF user IDs. To have the console roles managed by SAF authorization, we must turn on SAF authorization for the cell. To enable SAF authorization, click...
Security > Global security > External Authorization providers > System Authorization Facility (SAF) authorization
If we enable the option, the SAF EJBROLE profiles are used to authorize console users. Otherwise, the administrative console, by default, is used to authorize console users and groups.
Regardless of which type of registry or authorization setting is chosen, the configuration process authorizes the WebSphere configuration group (to which all WebSphere Server identities are permitted), and an MVS user ID for the WebSphere administrator identity to do the following tasks:
- Access all administrative console functions
- Use the administrative scripting tool when security is first enabled
When SAF authorization is selected on z/OS, the special subject of server is not used as the administrative user ID. (Note that using the WebSphere z/OS Profile Management Tool or the zpmt command generates an administrative user, who is a member of the administrative group, which can be used for authorization.)
Use SAF Authorization to control access to administrative functions
When SAF Authorization is selected during systems customization, administrative EJBROLE profiles for all administrative roles are defined by the RACF jobs generated using the z/OS Profile Management Tool. If SAF Authorization is selected subsequently, issue the following RACF commands (or equivalent security server commands) to enable the servers and administrator to administer WAS:
We can additionally specify a value for the SAF profile prefix (previously referred to as the z/OS security domain).
RDEFINE EJBROLE (optionalSAFProfilePrefix.)administrator UACC(NONE) RDEFINE EJBROLE (optionalSAFProfilePrefix.)monitor UACC(NONE) RDEFINE EJBROLE (optionalSAFProfilePrefix.)configurator UACC(NONE) RDEFINE EJBROLE (optionalSAFProfilePrefix.)operator UACC(NONE) RDEFINE EJBROLE (optionalSAFProfilePrefix.)deployer UACC(NONE) RDEFINE EJBROLE (optionalSAFProfilePrefix.)adminsecuritymanager UACC(NONE) RDEFINE EJBROLE (optionalSAFProfilePrefix.)auditor UACC(NONE) PERMIT (optionalSAFProfilePrefix.)administrator CLASS(EJBROLE) ID(adminGroup) ACCESS(READ) PERMIT (optionalSAFProfilePrefix.)monitor CLASS(EJBROLE) ID(monitorGroup) ACCESS(READ) PERMIT (optionalSAFProfilePrefix.)configurator CLASS(EJBROLE) ID(configuratorGroup) ACCESS(READ) PERMIT (optionalSAFProfilePrefix.)operator CLASS(EJBROLE) ID(operatorGroup) ACCESS(READ) PERMIT (optionalSAFProfilePrefix.)deployer CLASS(EJBROLE) ID(deployerGroup) ACCESS(READ) PERMIT (optionalSAFProfilePrefix.)adminsecuritymanager CLASS(EJBROLE) ID(adminSecurityGroup) ACCESS(READ) PERMIT (optionalSAFProfilePrefix.)auditor CLASS(EJBROLE) ID(auditorGroup) ACCESS(READ)If additional users require access to administrative functions, we can permit a user to any of the previous roles by issuing the following RACF command:PERMIT (optionalSAFProfilePrefix.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)We can give a user access to all administrative functions by connecting it to the configuration group:
CONNECT mvsid GROUP(configGroup)Use WebSphere Authorization to control access to administrative functions:
To assign users to administrative roles.
Tasks
- In the administrative console, expand System Administration > Console settings.
- Click Console Users > Add or Console Groups > Add.
- Add the user identities as desired. For more information on console user roles, see Administrative roles and naming service authorization.
- When SAF authorization is in effect, WAS authorization, as specified in the administrative console, is ignored.
- SAF role names are case-sensitive.
Related:
Administrative roles and naming service authorization Summary of controls z/OS Profile Management Tool security settings