[z/OS]

Controlling access to console users when using a Local OS Registry

Adding console users and authorizing them for a cell involves adjusting the user registry and authorization settings. A user registry custom property governs the form of authorization of console users. Regardless of the form of authorization used, the outcome is that an MVS™ user ID for the WebSphere® administrator identity is able to access all administrative console functions and use the administrative scripting tool when security is first enabled.

About this task

If non-local operating system registries and System Authorization Facility (SAF) authorization are used, you must use identity mapping to map WebSphere Application Server identities to SAF user IDs. To have the console roles managed by SAF authorization, you must turn on SAF authorization for the cell. To enable it, click Security > Global security > External Authorization providers, and then select System Authorization Facility (SAF) authorization. If you enable this option, the SAF EJBROLE profiles are used to authorize console users. Otherwise, the administrative console, by default, is used to authorize console users and groups.

Regardless of which type of registry or authorization setting is chosen, the configuration process authorizes the WebSphere configuration group (to which all WebSphere Server identities are permitted), and an MVS user ID for the WebSphere administrator identity to do the following tasks:
  • Access all administrative console functions
  • Use the administrative scripting tool when security is first enabled
When SAF authorization is selected on z/OS®, the special subject of server is not used as the administrative user ID. (Note that using the WebSphere z/OS Profile Management Tool or the zpmt command generates an administrative user, who is a member of the administrative group, which can be used for authorization.)

Using SAF Authorization to control access to administrative functions

When SAF Authorization is selected during systems customization, administrative EJBROLE profiles for all administrative roles are defined by the RACF® jobs generated using the z/OS Profile Management Tool. If SAF Authorization is selected subsequently, issue the following RACF commands (or equivalent security server commands) to enable your servers and administrator to administer WebSphere Application Server:
Note: You can additionally specify a value for the SAF profile prefix (previously referred to as the z/OS security domain).
RDEFINE EJBROLE (optionalSAFProfilePrefix.)administrator UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)monitor       UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)configurator  UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)operator      UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)deployer      UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)adminsecuritymanager      UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)auditor      UACC(NONE)

PERMIT (optionalSAFProfilePrefix.)administrator CLASS(EJBROLE) ID(adminGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)monitor       CLASS(EJBROLE) ID(monitorGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)configurator  CLASS(EJBROLE) ID(configuratorGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)operator      CLASS(EJBROLE) ID(operatorGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)deployer      CLASS(EJBROLE) ID(deployerGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)adminsecuritymanager  CLASS(EJBROLE) ID(adminSecurityGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)auditor  CLASS(EJBROLE) ID(auditorGroup) ACCESS(READ)
If additional users require access to administrative functions, you can permit a user to any of the previous roles by issuing the following RACF command:
PERMIT (optionalSAFProfilePrefix.)rolename   CLASS(EJBROLE)  ID(mvsid) ACCESS(READ)
You can give a user access to all administrative functions by connecting it to the configuration group:
CONNECT  mvsid  GROUP(configGroup)
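As an added example (not part of this documentation or the product), a small POSIX shell helper that builds the RDEFINE and PERMIT pair for one administrative role, applying the optional SAF profile prefix only when one is given and rejecting role names that do not exactly match the case-sensitive names above. The prefix WASCELL and the group name WASADMG used in the comments are constructed values.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Emits the RACF commands that
# define one administrative EJBROLE profile and permit one group to it.

# Administrative roles named on the page. SAF role names are case-sensitive,
# so the check below is an exact match against these lowercase names.
WAS_ADMIN_ROLES="administrator monitor configurator operator deployer adminsecuritymanager auditor"

# is_admin_role ROLE -> returns 0 if ROLE is one of the known roles, else 1
is_admin_role() {
    for r in $WAS_ADMIN_ROLES; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# saf_profile PREFIX ROLE -> prints PREFIX.ROLE, or just ROLE when PREFIX is empty
# (the "(optionalSAFProfilePrefix.)" placeholder on the page includes the dot)
saf_profile() {
    if [ -n "$1" ]; then
        printf '%s.%s\n' "$1" "$2"
    else
        printf '%s\n' "$2"
    fi
}

# role_cmds PREFIX ROLE GROUP -> prints the RDEFINE and PERMIT commands, using
# UACC(NONE) and ACCESS(READ) as on the page; returns 1 for an unknown role
# Example: role_cmds WASCELL administrator WASADMG   (constructed values)
role_cmds() {
    prefix=$1; role=$2; group=$3
    is_admin_role "$role" || { echo "unknown role: $role" >&2; return 1; }
    profile=$(saf_profile "$prefix" "$role")
    printf 'RDEFINE EJBROLE %s UACC(NONE)\n' "$profile"
    printf 'PERMIT %s CLASS(EJBROLE) ID(%s) ACCESS(READ)\n' "$profile" "$group"
}

# all_role_cmds PREFIX -> reads "role group" lines from stdin and prints one
# RDEFINE/PERMIT pair per line; stops with status 1 at the first unknown role
all_role_cmds() {
    while read -r role group; do
        [ -n "$role" ] || continue
        role_cmds "$1" "$role" "$group" || return 1
    done
}
```

Review the generated commands before issuing them; a misspelled or wrongly cased role name would define a profile that no administrative role check ever consults.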

Using WebSphere Authorization to control access to administrative functions

To assign users to administrative roles, complete the following steps.

Procedure

  1. In the administrative console, expand System Administration > Console settings.
  2. Click Console Users > Add or Console Groups > Add.
  3. Add the user identities as desired.
    For more information on console user roles, see Administrative roles and naming service authorization.
    Note:
    • When SAF authorization is in effect, WebSphere Application Server authorization, as specified in the administrative console, is ignored.
    • SAF role names are case-sensitive.