Controlling access to console users when using a Local OS Registry
Adding console users and authorizing them for a cell involves adjusting the user registry and authorization settings. A user registry custom property governs the form of authorization of console users. Regardless of the form of authorization used, the outcome is that an MVS™ user ID for the WebSphere® administrator identity is able to access all administrative console functions and use the administrative scripting tool when security is first enabled.
About this task
If non-local operating system registries and System Authorization Facility (SAF) authorization are used, you must use identity mapping to map WebSphere Application Server identities to SAF user IDs. To have the console roles managed by SAF authorization, you must turn on SAF authorization for the cell. To enable SAF authorization, click Security > Global security > External authorization providers, and then select System Authorization Facility (SAF) authorization. If you enable this option, the SAF EJBROLE profiles are used to authorize console users. Otherwise, the administrative console, by default, is used to authorize console users and groups.
Using SAF Authorization to control access to administrative functions
RDEFINE EJBROLE (optionalSAFProfilePrefix.)administrator UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)monitor UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)configurator UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)operator UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)deployer UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)adminsecuritymanager UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)auditor UACC(NONE)
PERMIT (optionalSAFProfilePrefix.)administrator CLASS(EJBROLE) ID(adminGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)monitor CLASS(EJBROLE) ID(monitorGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)configurator CLASS(EJBROLE) ID(configuratorGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)operator CLASS(EJBROLE) ID(operatorGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)deployer CLASS(EJBROLE) ID(deployerGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)adminsecuritymanager CLASS(EJBROLE) ID(adminSecurityGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)auditor CLASS(EJBROLE) ID(auditorGroup) ACCESS(READ)
If additional users require access to administrative functions, you can permit a user to any of the previous roles by issuing the following RACF command:
PERMIT (optionalSAFProfilePrefix.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
CONNECT mvsid GROUP(configGroup)
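The following is an added example, not part of the IBM documentation: it generates the RDEFINE/PERMIT command set above for a given SAF profile prefix and then audits a command list so that every administrative role is explicitly defined with UACC(NONE) and granted only READ access to a group. The role names are the page's own; the prefix and group names in the test are constructed placeholders.

```python
# Added example (not from the IBM page): build and audit the EJBROLE profile
# definitions for the WebSphere administrative roles. Group names passed in
# are the caller's own; "optionalSAFProfilePrefix" may be empty.
import re

ADMIN_ROLES = ("administrator", "monitor", "configurator", "operator",
               "deployer", "adminsecuritymanager", "auditor")

def profile_name(prefix, role):
    """EJBROLE profile name; the SAF profile prefix is optional, so an
    empty prefix yields the bare role name with no leading dot."""
    return f"{prefix}.{role}" if prefix else role

def build_ejbrole_commands(prefix, role_groups):
    """Return RDEFINE/PERMIT commands for every admin role. Refuse to
    proceed if any role lacks a group, so no role is left undefined."""
    missing = [r for r in ADMIN_ROLES if r not in role_groups]
    if missing:
        raise ValueError(f"no group mapped for roles: {missing}")
    cmds = [f"RDEFINE EJBROLE {profile_name(prefix, r)} UACC(NONE)"
            for r in ADMIN_ROLES]
    cmds += [f"PERMIT {profile_name(prefix, r)} CLASS(EJBROLE) "
             f"ID({role_groups[r]}) ACCESS(READ)" for r in ADMIN_ROLES]
    return cmds

_RDEFINE = re.compile(r"^RDEFINE EJBROLE (\S+) UACC\((\w+)\)$")
_PERMIT = re.compile(r"^PERMIT (\S+) CLASS\(EJBROLE\) ID\((\w+)\) ACCESS\((\w+)\)$")

def audit_commands(cmds, prefix=""):
    """Return findings; an empty list means every admin role has a
    UACC(NONE) profile and at least one READ permit, nothing broader."""
    findings, defined, permitted = [], {}, set()
    for c in cmds:
        if m := _RDEFINE.match(c):
            defined[m.group(1)] = m.group(2)
        elif m := _PERMIT.match(c):
            permitted.add(m.group(1))
            if m.group(3) != "READ":
                findings.append(f"{c}: access other than READ")
        else:
            findings.append(f"{c}: unrecognised command")
    for role in ADMIN_ROLES:
        name = profile_name(prefix, role)
        if name not in defined:
            findings.append(f"{name}: profile not defined")
        elif defined[name] != "NONE":
            findings.append(f"{name}: UACC is {defined[name]}, expected NONE")
        if name not in permitted:
            findings.append(f"{name}: no group permitted")
    return findings
```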
Using WebSphere Authorization to control access to administrative functions
To assign users to administrative roles, complete the following steps.