[z/OS]

Special considerations for controlling access to naming roles using SAF authorization

There are special considerations in WebSphere® Application Server for controlling access to naming roles.

When you assign users to naming roles, you can use either System Authorization Facility (SAF) authorization (EJBROLE profiles) or WebSphere Application Server authorization to control access to the naming roles. To enable SAF authorization, see z/OS System Authorization Facility authorization. For a discussion of the CosNaming roles, see Administrative console and naming service authorization. You can also refer to Assigning users to naming roles.

When SAF authorization is enabled, SAF EJBROLE profiles are used to control access to CosNaming functions. If you selected Use a z/OS® security product during profile creation in the z/OS Profile Management Tool and also specified a value for the SAF profile prefix (previously referred to as the z/OS security domain), the customization jobs defined the following CosNaming roles (the parenthesized prefix is present only when a SAF profile prefix was specified):
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingRead UACC(READ)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingWrite UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingCreate UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomainName.)CosNamingDelete UACC(NONE)

PERMIT (optionalSecurityDomainName.)CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT (optionalSecurityDomainName.)CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

If you decide at a future date to enable SAF authorization, you must issue these RACF® commands to enable proper WebSphere Application Server operation. Change the value WSGUEST if you have chosen a different unauthenticated user ID. Change the value WSCFG1 if you have chosen a different configuration group. WSGUEST must be given explicit READ access because it is a restricted user ID, and restricted user IDs do not receive access through UACC.

The default access granted by the customization job permits all authenticated users to read the name space. This level of authorization might be broader than you want to provide. At a minimum, you must give the WebSphere Application Server configuration group (servers and administrators) READ access to all of the profiles, and give all WebSphere Application Server for z/OS clients READ access to the CosNamingRead profile.

If additional users require access to CosNaming roles, you can permit a user to have any of the previous roles, as indicated, by issuing the following RACF command:
PERMIT (optionalSAFProfilePrefix.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
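The following Python script is an added example, not part of the original documentation or of the WebSphere customization jobs. It generates the same RDEFINE and PERMIT command set shown above for a chosen SAF profile prefix, unauthenticated user ID and configuration group, optionally in a least-privilege form (UACC(NONE) on CosNamingRead with explicit PERMITs for the configuration group and a client group), and then checks a command list against the minimum access the text requires: the configuration group readable on all four profiles, and the restricted unauthenticated user explicitly permitted on CosNamingRead. The prefix CELL1, the client group WSCLIENT and the trailing SETROPTS refresh are assumptions of this example.

```python
"""Generate and sanity-check RACF EJBROLE definitions for the four CosNaming roles.

Added example: the command text mirrors the customization job shown in the
documentation, but the generator, checker and all sample values are constructed.
"""
import re

ROLES = ("CosNamingRead", "CosNamingWrite", "CosNamingCreate", "CosNamingDelete")

# One-line forms of the two command shapes used by the customization job.
RDEFINE_RE = re.compile(r"^RDEFINE EJBROLE (\S+) UACC\((\w+)\)$")
PERMIT_RE = re.compile(r"^PERMIT (\S+) CLASS\(EJBROLE\) ID\((\w+)\) ACCESS\((\w+)\)$")


def profile_name(role, saf_prefix=None):
    """EJBROLE profile name, with the optional SAF profile prefix applied."""
    return f"{saf_prefix}.{role}" if saf_prefix else role


def cosnaming_racf_commands(saf_prefix=None, unauth_user="WSGUEST",
                            config_group="WSCFG1", client_group=None,
                            least_privilege=False):
    """Return the RACF commands that define and permit the CosNaming roles.

    Default output reproduces the customization job: UACC(READ) on CosNamingRead,
    UACC(NONE) elsewhere, WSGUEST permitted on CosNamingRead, WSCFG1 permitted on
    the three modifying roles.  With least_privilege=True, CosNamingRead gets
    UACC(NONE) and the configuration group plus an explicit client group are
    permitted instead (assumed hardening, not the documented default).
    """
    cmds = []
    for role in ROLES:
        uacc = "READ" if (role == "CosNamingRead" and not least_privilege) else "NONE"
        cmds.append(f"RDEFINE EJBROLE {profile_name(role, saf_prefix)} UACC({uacc})")
    read = profile_name("CosNamingRead", saf_prefix)
    # Restricted user IDs do not receive UACC, so the unauthenticated ID is always explicit.
    cmds.append(f"PERMIT {read} CLASS(EJBROLE) ID({unauth_user}) ACCESS(READ)")
    for role in ROLES[1:]:
        cmds.append(f"PERMIT {profile_name(role, saf_prefix)} CLASS(EJBROLE) "
                    f"ID({config_group}) ACCESS(READ)")
    if least_privilege:
        cmds.append(f"PERMIT {read} CLASS(EJBROLE) ID({config_group}) ACCESS(READ)")
        if client_group:
            cmds.append(f"PERMIT {read} CLASS(EJBROLE) ID({client_group}) ACCESS(READ)")
    # Assumption: the EJBROLE class is RACLISTed, so changes need a refresh to take effect.
    cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    return cmds


def effective_access(cmds):
    """Map profile name -> {'uacc': ..., 'permits': set of IDs with READ or higher}."""
    profiles = {}
    for cmd in cmds:
        m = RDEFINE_RE.match(cmd)
        if m:
            profiles[m.group(1)] = {"uacc": m.group(2), "permits": set()}
            continue
        m = PERMIT_RE.match(cmd)
        if m and m.group(3) in ("READ", "UPDATE", "CONTROL", "ALTER"):
            entry = profiles.setdefault(m.group(1), {"uacc": "NONE", "permits": set()})
            entry["permits"].add(m.group(2))
    return profiles


def check_minimum_access(cmds, unauth_user="WSGUEST", config_group="WSCFG1",
                         saf_prefix=None):
    """Return findings where the command set falls short of the documented minimum."""
    findings = []
    profiles = effective_access(cmds)
    for role in ROLES:
        entry = profiles.get(profile_name(role, saf_prefix))
        if entry is None:
            findings.append(f"{role}: profile not defined")
        elif config_group not in entry["permits"] and entry["uacc"] == "NONE":
            findings.append(f"{role}: configuration group {config_group} has no READ access")
    read = profiles.get(profile_name("CosNamingRead", saf_prefix))
    if read is not None and unauth_user not in read["permits"]:
        findings.append(f"CosNamingRead: restricted user {unauth_user} needs an explicit PERMIT")
    if read is not None and read["uacc"] == "READ":
        findings.append("CosNamingRead: UACC(READ) lets every non-restricted user read the name space")
    return findings


if __name__ == "__main__":
    for variant in (cosnaming_racf_commands(),
                    cosnaming_racf_commands(saf_prefix="CELL1", client_group="WSCLIENT",
                                            least_privilege=True)):
        print("\n".join(variant))
        print("findings:", check_minimum_access(variant, saf_prefix="CELL1"
                                                if "CELL1." in variant[0] else None))
        print()
```

The checker deliberately reports UACC(READ) on CosNamingRead as a finding rather than an error: it is the documented default, but it is the broad grant the text warns about, so the least-privilege variant replaces it with explicit PERMITs for the configuration group and the client group.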

When SAF authorization is not enabled, WebSphere Application Server authorization and the administrative console are used to control access to CosNaming functions.

For information on using WebSphere Application Server authorization to control access to naming roles, refer to Assigning users to naming roles.