![[z/OS]](../images/ngzos.svg)
z/OS Profile Management Tool security settings
The z/OS® Profile Management Tool allows you to specify System Authorization Facility (SAF) profile prefixes (previously referred to as z/OS security domains) for your WebSphere® Application Server for z/OS configuration.
Note:
- You must set up a base Application Server using the WebSphere z/OS Profile Management Tool or the zpmt command before using the Application Server to set up a WebSphere Application Server Network Deployment node, which is managed by the deployment manager process (dmgr). It is critical that you LOAD saved environment variables from the base Application Server into the deployment manager node that federates the base node. Do this before performing security customization on the deployment manager node.
- If the APPL class is active and you have defined a profile for WebSphere Application Server, make sure that all z/OS identities using WebSphere Application Server services have READ permission to the WebSphere Application Server APPL profile. This includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated identities, WebSphere Application Server administrative identities, user IDs based on role-to-user mappings, and all user identities for system users. If you have not specified a SAF profile prefix, the APPL profile used is CBS390 or the name used as the SAF profile prefix. If you have specified a SAF profile prefix, the APPL profile used. When adding an administrator to the administrative console using local operating system security, if the APPL class is activated, the administrator's user ID must be authorized to the CBS390 (or the name specified as the SAF profile prefix) APPL class for RACF® as well. If the administrator's user ID is not authorized to CBS390 APPL, message BBOS0108E is issued, indicating that the credential-handling function (RunAsGetSpecCred) failed in routine because the user is not authorized.
- Once a profile is created, it is possible to control checking the APPL class profile from the administrative console by navigating to the SAF authorization options panel and by configuring the check box labeled Use APPL profile to restrict access to the server.