System Authorization Facility (SAF) delegation
System Authorization Facility (SAF) delegation minimizes the need to store user IDs and passwords in many locations in the configuration: the mapping from a Java EE role to the user ID it runs as is held in the SAF (for example RACF) database rather than in the application server configuration.
WebSphere® Application Server supports delegation. Delegation allows a user identity to be represented as a Java™ EE role. For example, you can configure an application to run with a RunAs role of RoleA, and RoleA can then be mapped to UserA. WebSphere Application Server then establishes the identity context as UserA; RoleA itself is defined in the deployment descriptor. With such an arrangement in place, SAF delegation uses the specified Java EE role, RoleA, to determine the thread identity and then synchronizes processing with the user ID UserA. UserA is specified in the APPLDATA value of the SAF EJBROLE profile for the role, which is set with the RACF® RDEFINE command. The RDEFINE command in this example would be as follows:
RDEFINE EJBROLE rolea UACC(NONE) APPLDATA(usera)
Note that EJBROLE profile names are case-sensitive, so the profile name must match the role name in the deployment descriptor exactly, and UACC(NONE) ensures that nobody holds the role unless the SAF administrator explicitly permits them to it.
SAF delegation requires that SAF authorization be enabled. The SAF security administrator is responsible for assigning users to the role; with RACF this means permitting the user or group READ access to the EJBROLE profile. See z/OS System Authorization Facility authorization for the steps that permit SAF delegation.
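The following Python script is an added example, not code from IBM or from WebSphere Application Server. It models the two separate decisions the text describes, the SAF authorization check (does the caller hold READ access to the EJBROLE profile of the required role?) and the SAF delegation lookup (which user ID does the RunAs role's APPLDATA name?), and it generates the RACF command sequence that configures one role. The RACF database is represented by a constructed in-memory dictionary; the group GRPA, the second role roleb, the helper function names, and the optional SAF profile prefix parameter are assumptions of the example, not taken from the page.

```python
"""Added example, not IBM's code: a small model of how SAF authorization and
SAF delegation fit together, plus a generator for the RACF commands that set
a role up.  Names (rolea, usera, GRPA, roleb, the helper functions, the
optional profile prefix) are illustrative assumptions, not taken from the page."""
import re

# RACF user and group IDs: 1 to 8 characters, alphanumerics plus # @ $.
_RACF_ID = re.compile(r"^[A-Za-z0-9#@$]{1,8}$")
# Access levels in increasing order; WebSphere's role check needs READ.
_LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def _profile_name(role, prefix=None):
    # Assumed optional SAF profile prefix; EJBROLE names are case-sensitive,
    # so the role name is passed through unchanged.
    return "%s.%s" % (prefix, role) if prefix else role


def build_racf_commands(role, runas_user, permitted_ids, prefix=None):
    """Return the RACF commands that define EJBROLE `role`, map it to RACF user
    `runas_user` through APPLDATA, and permit `permitted_ids` (users or groups)."""
    if not _RACF_ID.match(runas_user):
        raise ValueError("APPLDATA must be a RACF user ID: %r" % runas_user)
    if not role or re.search(r"[\s()]", role):
        raise ValueError("invalid EJBROLE profile name: %r" % role)
    profile = _profile_name(role, prefix)
    # UACC(NONE): nobody holds the role unless explicitly permitted.
    cmds = ["RDEFINE EJBROLE %s UACC(NONE) APPLDATA(%s)" % (profile, runas_user)]
    for ident in permitted_ids:
        if not _RACF_ID.match(ident):
            raise ValueError("invalid RACF user/group ID: %r" % ident)
        cmds.append("PERMIT %s CLASS(EJBROLE) ID(%s) ACCESS(READ)" % (profile, ident))
    # EJBROLE is normally RACLISTed, so new profiles and PERMITs take effect
    # only after a refresh.
    cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    return cmds


def is_authorized(role, caller, caller_groups, profiles, prefix=None):
    """SAF authorization: does `caller` (or one of its groups) hold at least
    READ access to the EJBROLE profile for `role`?  `profiles` is a dict
    modelling the RACF database: name -> {"uacc", "appldata", "access": {id: level}}."""
    entry = profiles.get(_profile_name(role, prefix))
    if entry is None:
        return False  # undefined profile: no access
    best = _LEVEL[entry.get("uacc", "NONE")]
    acl = entry.get("access", {})
    for ident in [caller] + list(caller_groups):
        if ident in acl:
            best = max(best, _LEVEL[acl[ident]])
    return best >= _LEVEL["READ"]


def runas_identity(runas_role, profiles, prefix=None):
    """SAF delegation: the thread identity for a RunAs role is the APPLDATA
    of its EJBROLE profile.  Returns None when the profile or its APPLDATA is
    missing; what the real server does in that case is outside this model."""
    entry = profiles.get(_profile_name(runas_role, prefix))
    if entry is None:
        return None
    return entry.get("appldata") or None


def dispatch(required_role, runas_role, caller, caller_groups, profiles, prefix=None):
    """Combine the two steps: authorize the caller against the method's required
    role, then switch the thread identity to the RunAs role's APPLDATA user."""
    if not is_authorized(required_role, caller, caller_groups, profiles, prefix):
        raise PermissionError("%s lacks READ on EJBROLE %s" % (caller, required_role))
    identity = runas_identity(runas_role, profiles, prefix)
    if identity is None:
        raise LookupError("no APPLDATA for RunAs role %s" % runas_role)
    return identity


# Constructed sample of the RACF state produced by the RDEFINE on this page,
# plus a PERMIT for the assumed group GRPA and a second role with no APPLDATA.
SAMPLE_PROFILES = {
    "rolea": {"uacc": "NONE", "appldata": "usera", "access": {"GRPA": "READ"}},
    "roleb": {"uacc": "NONE", "appldata": None, "access": {}},
}

if __name__ == "__main__":
    for cmd in build_racf_commands("rolea", "usera", ["GRPA"]):
        print(cmd)
    print(dispatch("rolea", "rolea", "BOB", ["GRPA"], SAMPLE_PROFILES))
```

The generated command list ends with SETROPTS RACLIST(EJBROLE) REFRESH because a RACLISTed class serves authorization decisions from an in-storage copy, so a new profile or PERMIT is not seen until the refresh. On the z/OS system itself, RLIST EJBROLE rolea displays the profile, including its application data, which is the check to run before enabling delegation for an application.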
Note: If SAF delegation is enabled and Kerberos is your active authentication mechanism, then when the application requests the RunAs role, the RunAs subject that is created on the server does not contain the Kerberos credential. As a result, the request falls back to LTPA.