+

Search Tips   |   Advanced Search

(ZOS) System Authorization Facility for role-based authorization

There are three choices we have when assigning roles: (1) WebSphere Application Server authorization, in which authorization management is performed within the WebSphere Administration using the Security role to user/group mapping panel of the administrative console. (2) The System Authorization Facility (SAF) for role-based authorization (WebSphere Authorization Facility for z/OS only option), which uses SAF authorization for Java 2 Platform Enterprise Edition (J2EE) roles. (3) External Authorization Provider using the pluggable JACC interfaces. When WAS is configured to use SAF Authorization, the authorization management is performed using SAF management facilities and the user or group to J2EE role Management within WebSphere Administration is ignored. SAF class of EJBROLE is used (for example, using the RACF EJBROLE profile) to control access by a client to J2EE roles in EJB and web applications, including the WAS administrative console application.

Important considerations when using SAF authorization: When we select SAF for authorization, there are several functional implications to subsequent authorization operations needed to consider:

When we use SAF authorization, to make sure any changes in SAF to a user or group membership become effective immediately, call the purgeUserFromAuthCache SecurityAdmin mbean method for the modified user. Otherwise, the changes become effective when the cache is refreshed on a periodic basis. As an alternative, we can restart the server.

When SAF authorization is enabled, SAF EJBROLE profiles are used to authorize Java EE roles. For non-local operating system registries, identity mapping must be in place to map WAS identities to SAF identities.

To enable SAF authorization, see z/OS System Authorization Facility authorization for more information.

Define EJBROLES belongs to the application deployment process. If the user ID has at least READ access to the defined EJBROLE profile that corresponds to the Java EE role defined by the application, the user ID is considered to be in Role. (Do not be confused by the name EJBROLE. It is used for Java EE roles in both enterprise beans and Web applications.)

When an application deployer uses a role in the deployment descriptor of a component, the role name must be identical to the name of an EJBROLE profile. A security administrator defines EJBROLE profiles and permits SAF users or groups to the profiles. In order to be considered as eligible for a role, a user must have read access to the EJBROLE profile or must be connected to a SAF group that has read access.

The specification of a SAF profile prefix (previously referred to as a z/OS security domain) affects the specific EJBROLE profiles used by WAS for z/OS system resources when SAF authorization is chosen. When a SAF prefix is defined, the Java EE application EJBROLE profiles for the WAS for z/OS runtime are prefixed with the value of this property. This enables us to deploy the same application on different cells in the same sysplex, but have different user to role mappings if desired.

For example, the application has two Java EE role names: juniorTellers and seniorTellers. These are mixed case roles. In your SAF registry, we have an MVS group called JTELLER and STELLER and a MVS user ID called BANKADM. The JTELLER group is required to access to the juniorTellers role, and the STELLER group is required to access the seniorTellers role. The BANKADM user ID is required to access both roles.

We have two cells, both defined to use a SAF profile prefix. The prefixes are PRODCELL and TESTCELL, respectively. The TEST1 user ID should have access to both roles, but only in the test environment TESTCELL.

If we wanted to deploy the same application in both cells, we must define distinct profiles using a RACF (or equivalent security subsystem) as follows.

If RACF is used as our security server, enable this by issuing the following commands:

/* the EJBROLE class must be active, this step is done by the customization dialogs  */
SETROPTS CLASSACT(EJBROLE)

/* first define the roles in RACF */
RDEFINE EJBROLE PRODCELL.juniorTellers UACC(NONE)
RDEFINE EJBROLE PRODCELL.seniorTellers UACC(NONE)

RDEFINE EJBROLE TESTCELL.juniorTellers UACC(NONE)
RDEFINE EJBROLE TESTCELL.seniorTellers UACC(NONE)

/* permit the appropriate users and groups to the various roles */
PERMIT PRODCELL.juniorTellers CLASS(EJBROLE)  ID(JTELLER BANKADM) ACCESS(READ)
PERMIT PRODCELL.seniorTellers CLASS(EJBROLE)  ID(STELLER BANKADM) ACCESS(READ)

PERMIT TESTCELL.juniorTellers CLASS(EJBROLE)  ID(TEST1) ACCESS(READ)
PERMIT TESTCELL.seniorTellers CLASS(EJBROLE)  ID(TEST1) ACCESS(READ)

/* refresh the EJBROLE class in RACF *
SETROPTS RACLIST(EJBROLE) REFRESH"     

Grouping EJBROLES (GEJBROLE)

The SAF interface also supports a grouping class for the EJBROLE class. This grouping class is called GEJBROLE. It is particularly useful when we have a need to give access to the same users or groups for several roles.

The GEJBROLE grouping class provides a capability not natively available in other Java EE servers. Using the Java EE security model, if there are several components or applications that use different role names for similar functions, such as Hire, Promote, or GrantPayraise for managerial functions, there are several options:

Considerations when implementing GEJBROLES:


Subtopics


Related:

  • Authorization technology