Required SAF permission when components use the REST Handler framework
z/OS® users of System Authorization Facility (SAF) with Liberty components that are built on the REST Handler framework must grant the allAuthenticatedUsers permission.
The following sample RACF® commands grant the allAuthenticatedUsers permission for the wlpuser1 ID:
RDEF EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers OWNER(SYS1) UACC(NONE)
PE BBGZDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers CLASS(EJBROLE) ID(wlpuser1) ACCESS(READ)
The following command grants access to all authenticated users:
RDEF EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers OWNER(SYS1) UACC(READ)
An unauthenticated user must be defined with the RESTRICTED option, as described in Setting up the System Authorization Facility (SAF) unauthenticated user, so that it cannot access any role with UACC(READ) access.
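The following command sequence is an added example, not part of the original documentation. It applies the UACC(READ) variant together with the RESTRICTED requirement and then verifies both. It assumes that the unauthenticated user ID is WSGUEST (the Liberty default) and that the EJBROLE class is RACLISTed; substitute your own values.

```tso
/* Assumption: WSGUEST is the SAF unauthenticated user ID.           */
/* RESTRICTED stops this ID from gaining access through UACC.        */
ALTUSER WSGUEST RESTRICTED

/* Profile name taken from this page. If the profile already exists, */
/* use RALTER with the same operands instead of RDEFINE.             */
RDEFINE EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers OWNER(SYS1) UACC(READ)

/* Assumption: EJBROLE is RACLISTed, so the in-storage profiles must */
/* be refreshed before the change takes effect.                      */
SETROPTS RACLIST(EJBROLE) REFRESH

/* Verify: the ATTRIBUTES line of the user listing should include    */
/* RESTRICTED.                                                       */
LISTUSER WSGUEST

/* Verify: the profile listing shows the universal access and the    */
/* access list. WSGUEST should not appear in the access list.        */
RLIST EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers AUTHUSER
```

If LISTUSER does not show RESTRICTED for the unauthenticated user ID, a UACC(READ) profile also admits unauthenticated requests to the role.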
The Liberty components most directly affected by this requirement are:
- JMX REST Connector
- API Discovery (Swagger UI)
- Admin Center
- Collective APIs
- Batch