(ZOS) Controlling access to console users when using a Local OS Registry

Adding console users and authorizing them for a cell involves adjusting the user registry and authorization settings. A user registry custom property governs how console users are authorized. Regardless of the form of authorization used, the outcome is that an MVS™ user ID for the WebSphere administrator identity can access all administrative console functions and use the administrative scripting tool when security is first enabled.

If non-local operating system registries and System Authorization Facility (SAF) authorization are used, we must use identity mapping to map WAS identities to SAF user IDs. To have the console roles managed by SAF authorization, we must turn on SAF authorization for the cell. To enable SAF authorization, click...

If we enable the option, SAF EJBROLE profiles are used to authorize console users. Otherwise, the administrative console is used by default to authorize console users and groups.

Regardless of which type of registry or authorization setting is chosen, the configuration process authorizes the WebSphere configuration group (to which all WebSphere Server identities are permitted), and an MVS user ID for the WebSphere administrator identity to do the following tasks:

When SAF authorization is selected on z/OS, the special subject of server is not used as the administrative user ID. (Note that using the WebSphere z/OS Profile Management Tool or the zpmt command generates an administrative user, who is a member of the administrative group, which can be used for authorization.)

Use SAF Authorization to control access to administrative functions

When SAF Authorization is selected during systems customization, administrative EJBROLE profiles for all administrative roles are defined by the RACF jobs generated using the z/OS Profile Management Tool. If SAF Authorization is selected subsequently, issue the following RACF commands (or equivalent security server commands) to enable the servers and administrator to administer WAS:

We can additionally specify a value for the SAF profile prefix (previously referred to as the z/OS security domain).

RDEFINE EJBROLE (optionalSAFProfilePrefix.)administrator        UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)monitor              UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)configurator         UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)operator             UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)deployer             UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)adminsecuritymanager UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)auditor              UACC(NONE)

PERMIT (optionalSAFProfilePrefix.)administrator        CLASS(EJBROLE) ID(adminGroup)         ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)monitor              CLASS(EJBROLE) ID(monitorGroup)       ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)configurator         CLASS(EJBROLE) ID(configuratorGroup)  ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)operator             CLASS(EJBROLE) ID(operatorGroup)      ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)deployer             CLASS(EJBROLE) ID(deployerGroup)      ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)adminsecuritymanager CLASS(EJBROLE) ID(adminSecurityGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)auditor              CLASS(EJBROLE) ID(auditorGroup)       ACCESS(READ)

If additional users require access to administrative functions, we can permit a user to any of the previous roles by issuing the following RACF command:

PERMIT (optionalSAFProfilePrefix.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)

We can give a user access to all administrative functions by connecting it to the configuration group:

CONNECT  mvsid  GROUP(configGroup)
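The commands above are easy to get subtly wrong by hand: the optional SAF profile prefix must be applied to every profile consistently, the role names are case-sensitive, and every role should start at UACC(NONE) with grants at READ only. The following Python script, an added example rather than anything from the WebSphere documentation or product, generates the full RDEFINE/PERMIT/CONNECT set for a given prefix and role-to-group mapping, and reviews proposed grants for the two mistakes a reviewer would look for (a mis-cased role name and access above READ). The prefix WASCELL and the user IDs USER01/USER02 are constructed; the group names reuse the documentation's placeholders.

```python
"""Generate and review RACF EJBROLE commands for the WebSphere administrative
roles. Added example; not from the WebSphere documentation or product.
The prefix WASCELL and the IDs USER01/USER02 below are constructed."""

# The seven administrative roles named in the documentation. SAF role
# names are case-sensitive, so the tuple keeps them exactly as documented.
ADMIN_ROLES = (
    "administrator", "monitor", "configurator", "operator",
    "deployer", "adminsecuritymanager", "auditor",
)

# The only access level an administrative EJBROLE grant carries.
EXPECTED_ACCESS = "READ"


def profile_name(role, prefix=None):
    """EJBROLE profile name for a role: prefix.role when the cell uses a
    SAF profile prefix, otherwise the bare role name."""
    if role not in ADMIN_ROLES:
        raise ValueError(f"unknown administrative role: {role!r}")
    return f"{prefix}.{role}" if prefix else role


def rdefine_commands(prefix=None):
    """RDEFINE every administrative role with UACC(NONE): no identity has
    access until it is explicitly permitted."""
    return [f"RDEFINE EJBROLE {profile_name(r, prefix)} UACC(NONE)"
            for r in ADMIN_ROLES]


def permit_commands(grants, prefix=None):
    """PERMIT commands for a mapping of role -> list of MVS group/user IDs.
    Every grant is READ, the level the documentation uses for all roles."""
    cmds = []
    for role, mvsids in grants.items():
        profile = profile_name(role, prefix)
        for mvsid in mvsids:
            cmds.append(f"PERMIT {profile} CLASS(EJBROLE) ID({mvsid}) "
                        f"ACCESS({EXPECTED_ACCESS})")
    return cmds


def connect_command(mvsid, config_group):
    """CONNECT an ID to the configuration group, which grants every
    administrative function; this is the broadest grant on the page."""
    return f"CONNECT {mvsid} GROUP({config_group})"


def review_grants(proposed):
    """Review proposed (role, mvsid, access) grants before issuing them.
    Returns a list of findings; an empty list means every grant is as
    expected. Flags a role name that does not match a documented role
    (SAF role names are case-sensitive, so 'Administrator' is not the
    'administrator' role) and any access level other than READ."""
    findings = []
    for role, mvsid, access in proposed:
        if role not in ADMIN_ROLES:
            hint = (f" (case-sensitive; did you mean {role.lower()!r}?)"
                    if role.lower() in ADMIN_ROLES else "")
            findings.append(f"{mvsid}: unknown role {role!r}{hint}")
        if access.upper() != EXPECTED_ACCESS:
            findings.append(f"{mvsid}: ACCESS({access}) on {role}; "
                            f"administrative roles need only READ")
    return findings


if __name__ == "__main__":
    # Constructed example: a cell using the SAF profile prefix WASCELL and
    # the group placeholders from the documentation.
    prefix = "WASCELL"
    groups = {
        "administrator": ["adminGroup"],
        "monitor": ["monitorGroup"],
        "configurator": ["configuratorGroup"],
        "operator": ["operatorGroup"],
        "deployer": ["deployerGroup"],
        "adminsecuritymanager": ["adminSecurityGroup"],
        "auditor": ["auditorGroup"],
    }
    for cmd in rdefine_commands(prefix) + permit_commands(groups, prefix):
        print(cmd)
    print(connect_command("mvsid", "configGroup"))
    for finding in review_grants([("Administrator", "USER01", "READ"),
                                  ("operator", "USER02", "UPDATE")]):
        print("FINDING:", finding)
```

Running the script prints the seven RDEFINE commands, the seven PERMIT commands with the prefix applied, the CONNECT command, and two findings for the deliberately wrong proposals. Generating the commands from one role list is what keeps the prefix and role spelling consistent across the set; the review step is worth running on any additional grants before they are issued, since a mis-cased role name or an ACCESS(UPDATE) will not be reported by RACF as a mistake.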

Use WebSphere Authorization to control access to administrative functions:

To assign users to administrative roles, complete the following tasks.

Tasks

  1. In the administrative console, expand System Administration > Console settings.

  2. Click Console Users > Add or Console Groups > Add.

  3. Add the user identities as desired. For more information on console user roles, see Administrative roles and naming service authorization.

    • When SAF authorization is in effect, WAS authorization, as specified in the administrative console, is ignored.
    • SAF role names are case-sensitive.


Related:

  • Administrative roles and naming service authorization
  • Summary of controls
  • z/OS Profile Management Tool security settings