z/OS DFSMSrmm Implementation and Customization Guide


Authentication and authorization

SC23-6874-00

The applied security model is the so-called "Declarative Security": application security is expressed outside the application itself. This allows application security to be configured at run time without recoding the application.

The web application configures Declarative Security in its deployment descriptor, web.xml. This is a required XML-formatted configuration file found in each web application's WEB-INF directory.

Tomcat uses role-based authorization to manage access. With this model, access permissions are granted to an abstract entity called a security role, and access is allowed only to users or groups of users who have that role. The deployment descriptor specifies the type of access granted to each role, but does not specify the role-to-user or role-to-group mappings. Those mappings are defined in the user repository, which is typically another XML-formatted file in the server's production environment.
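The split between the two files can be checked mechanically. The following added example (not part of the IBM guide or the DFSMSrmm web application) joins a deployment descriptor with a user repository in Tomcat's tomcat-users.xml format and reports which users can reach each protected URL pattern, plus any role that web.xml references but no user holds. The role names `rmmuser` and `rmmadmin`, the URL patterns, and the users are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml: grants access to roles only and names no users (hypothetical roles).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><web-resource-name>services</web-resource-name>
      <url-pattern>/services/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>rmmuser</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>rmmadmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed user repository (tomcat-users.xml format): maps users to roles.
TOMCAT_USERS = """<tomcat-users>
  <user username="alice" password="REPLACE_ME" roles="rmmuser"/>
  <user username="bob" password="REPLACE_ME" roles="rmmuser"/>
</tomcat-users>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any

def constraints(web_xml):
    out = {}  # url-pattern -> set of roles allowed by its security-constraint
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        roles = {e.text.strip() for e in sc.iter() if local(e.tag) == "role-name"}
        for e in sc.iter():
            if local(e.tag) == "url-pattern":
                out.setdefault(e.text.strip(), set()).update(roles)
    return out

def role_members(users_xml):
    members = {}  # role -> set of usernames holding it
    for u in ET.fromstring(users_xml).iter():
        if local(u.tag) == "user":
            for r in u.get("roles", "").split(","):
                members.setdefault(r.strip(), set()).add(u.get("username"))
    return members

def audit(web_xml, users_xml):
    """Return (url-pattern -> users who can reach it, roles with no users)."""
    members, cons = role_members(users_xml), constraints(web_xml)
    access = {p: sorted(set().union(*(members.get(r, set()) for r in rs))) for p, rs in cons.items()}
    orphans = sorted(set().union(*cons.values()) - members.keys())
    return access, orphans
```

A role that appears in the orphan list protects a resource that nobody in the repository can currently reach, which usually means the two files have drifted apart.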

The logon user ID under which Tomcat is started is the identity that is passed through to DFSMSrmm. This user ID must have the appropriate DFSMSrmm authorizations set in SAF/RACF.





Copyright IBM Corporation 1990, 2014