Controlling how roles are mapped to SAF Profiles
The System Authorization Facility (SAF) role mapper determines how EJBROLE profile names are generated from application-defined role names. The mapper is invoked whenever SAF authorization is performed for an application role. The authorization check for the application role is made against the underlying SAF security product using the mapped profile name generated by the SAF role mapper.
The SAF role mapper can be configured by using the <safRoleMapper> configuration element.
<safRoleMapper profilePattern="myprofile.%resource%.%role%" toUpperCase="true" />
Attributes
- profilePattern="<string>"
  - The pattern used to map application roles to profile names.
  - %role% is substituted at run time with the value of the application role.
  - %resource% is substituted with the resource name. For example, the application name.

  With profilePattern="myprofile.%resource%.%role%", the profile generated for an access check to the resource "myapp" for the "admin" role is myprofile.myapp.admin.
- toUpperCase="true|false"
  - Indicates whether the mapped profile name must be folded to uppercase.
Note: The SAF role mapper will automatically substitute any wildcard characters (%&*) and blank spaces in the mapped profile name with the '#' character.
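
The following sketch is an added example, not product code: it emulates the mapping rules described above so an administrator can list the EJBROLE profile names to define and spot distinct application roles that collapse onto one profile after uppercase folding and '#' substitution. The function names, the sample role list, and the assumption that sanitization is applied to the whole name after placeholder substitution are illustrative.

```python
import re
from collections import defaultdict

# Characters the page says are replaced with '#': the wildcards % & * and blanks.
_SANITIZE = re.compile(r"[%&* ]")
_PLACEHOLDER = re.compile(r"%(role|resource)%")


def map_profile(pattern, resource, role, to_upper=False):
    """Emulate the documented mapping from an application role to a profile name."""
    values = {"role": role, "resource": resource}
    # Single-pass substitution, so a role value is never re-scanned for placeholders.
    name = _PLACEHOLDER.sub(lambda m: values[m.group(1)], pattern)
    # Assumption: sanitization applies to the whole name after substitution.
    name = _SANITIZE.sub("#", name)
    return name.upper() if to_upper else name


def find_collisions(pattern, resource, roles, to_upper=False):
    """Return {profile: [roles]} for distinct roles that share one profile."""
    by_profile = defaultdict(list)
    for role in roles:
        by_profile[map_profile(pattern, resource, role, to_upper)].append(role)
    return {p: r for p, r in by_profile.items() if len(r) > 1}


if __name__ == "__main__":
    PATTERN = "myprofile.%resource%.%role%"  # pattern from the page
    # Constructed sample role names, not taken from any real application.
    ROLES = ["admin", "Admin", "power user", "power*user", "auditor"]
    for role in ROLES:
        print(f"{role!r:14} -> {map_profile(PATTERN, 'myapp', role, True)}")
    print("collisions:", find_collisions(PATTERN, "myapp", ROLES, True))
```

Any role pair reported as a collision is authorized by the same SAF profile, so a user permitted to one of those roles is effectively permitted to the other.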