![[z/OS]](../images/ngzos.svg)
System Authorization Facility for fine-grained administrative authorization
When fine-grained administrative security is used, the administrative resources are partitioned to multiple authorization groups. Each authorization group contains its own authorization table, which represents the user-to-administrator role mapping for that authorization group.
The same set of administrative roles exist for all of the authorization groups. However, users mapped to the administrative roles can differ. There are still cell level administrative roles that represent access to all of the resources within the cell.
When Resource Access Control Facility (RACF®) or System Authorization Facility (SAF) is used to configure user-to-role mapping, one EJBROLE profile for each role in each authorization group must be defined, as well as the previously defined EJBROLE profiles for the cell level administrator roles. There are six profiles defined in the RACF EJBROLE class for administrative authorization. They are administrator, configurator, monitor, operator, deployer and adminsecuritymanager.
Authorization groups can be created using the WebSphere® Application Server configuration tool (wsadmin). After creating an authorization group, user-to-role mapping within the authorization group can also be performed using wsadmin. However, when RACF is used to store the user-to-administrative role mapping, the RACF administrator must perform additional steps to map the user-to-role mappings. For each administrator role within the newly-created authorization group, an EJBROLE profile must be defined. Users must then be granted access to the newly-created EJBROLE profiles.
| Group | User-to-role mapping | User-to-role mapping | User-to-role mapping | User-to-role mapping | User-to-role mapping | User-to-role mapping |
|---|---|---|---|---|---|---|
| group1 | administrator=user1 | configurator | operator | monitor | deployer=user3 | adminsecuritymanager |
| group2 | administrator=user2 | configurator | operator=user4 | monitor | deployer | adminsecuritymanager |
/* activate EJBROLE class */
SETROPTS CLASSACT(EJBROLE)
/* Defining EJBROLE profiles for admin roles in group1 and group2 */
/* define the roles in RACF for group1 */
RDEFINE EJBROLE domainName.group1.administrator UACC(NONE)
RDEFINE EJBROLE domainName.group1.configurator UACC(NONE)
RDEFINE EJBROLE domainName.group1.operator UACC(NONE)
RDEFINE EJBROLE domainName.group1.monitor UACC(NONE)
RDEFINE EJBROLE domainName.group1.deployer UACC(NONE)
RDEFINE EJBROLE domainName.group1.adminsecuritymanager UACC(NONE)
/* define the roles in RACF for group2 */
RDEFINE EJBROLE domainName.group2.administrator UACC(NONE)
RDEFINE EJBROLE domainName.group2.configurator UACC(NONE)
RDEFINE EJBROLE domainName.group2.operator UACC(NONE)
RDEFINE EJBROLE domainName.group2.monitor UACC(NONE)
RDEFINE EJBROLE domainName.group2.deployer UACC(NONE)
RDEFINE EJBROLE domainName.group2.adminsecuritymanager UACC(NONE)
/* Mapping users to roles in group1 and group2 */
/* map user1 to administrator role in group1 */
PERMIT domainName.group1.administrator CLASS(EJBROLE) ID(USER1) ACCESS(READ)
/* map user3 to deployer role in group1 */
PERMIT domainName.group1.deployer CLASS(EJBROLE) ID(USER3) ACCESS(READ)
/* map user2 to administrator role in group2 */
PERMIT domainName.group2.administrator CLASS(EJBROLE) ID(USER2) ACCESS(READ)
/* map user4 to operator role in group2 */
PERMIT domainName.group2.operator CLASS(EJBROLE) ID(USER4) ACCESS(READ)
/* refresh the EJBROLE class in RACF */
SETROPTS RACLIST(EJBROLE) REFRESH" where domainName represents the security domain of the WebSphere Application Server cell.
Note that the EJBROLE profile for all of the roles in each authorization group should be created regardless of whether any user is mapped to that role.