Controlling how roles are mapped to SAF Profiles

The System Authorization Facility (SAF) role mapper determines how EJBROLE profile names are generated from application-defined role names. The mapper is invoked whenever SAF authorization is performed for an application role: the authorization check is made against the underlying SAF security product (for example, RACF) using the profile name that the mapper generates, so the generated name must match an EJBROLE profile that is defined in that product. Changing the pattern therefore also changes which profiles must exist.

The SAF role mapper can be configured by using the <safRoleMapper> configuration element.
<safRoleMapper profilePattern="myprofile.%resource%.%role%" toUpperCase="true" />

Attributes

profilePattern="<string>"
The pattern used to map application roles to profile names.
  • %role% is substituted at run time with the name of the application role
  • %resource% is substituted with the name of the protected resource, for example the application name
For example, with profilePattern="myprofile.%resource%.%role%", the profile generated for an access check to the resource "myapp" for the "admin" role is myprofile.myapp.admin (MYPROFILE.MYAPP.ADMIN when toUpperCase="true", as in the configuration example above).
The supported substitution variables are:
%role%
The application role name. For the administrator role, the value is Administrator.
%resource%
The protected resource name. For security administration, the resource name is com.ibm.ws.management.security.resource.
%profilePrefix%
The profile prefix, defined by the profilePrefix attribute of the <safCredentials> configuration element. The default value is BBGZDFLT.
If not specified, the default is profilePattern="%profilePrefix%.%resource%.%role%", so with default settings the administrator role maps to BBGZDFLT.com.ibm.ws.management.security.resource.Administrator.
toUpperCase="true|false"
Indicates whether the mapped profile name is folded to uppercase. Because the EJBROLE class permits mixed-case profile names, the case of the generated name must match the case of the profile that is defined in the SAF security product; set this attribute to match how the profiles are defined.
If not specified, the default is false.
Note: The SAF role mapper automatically replaces any wildcard characters (%, &, and *) and blank spaces in the mapped profile name with the '#' character, so an application role name such as sales* cannot produce a generic profile name that matches profiles it was never meant to cover. Define the EJBROLE profile under the substituted name. Because distinct role names can map to the same profile name after this substitution (and after uppercase folding), check that the generated names for a resource are unique; a PERMIT on a shared profile grants every role that maps to it.
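The following is an added example, not Liberty's own code or an IBM-provided tool: a small model of the mapping rules described on this page (placeholder substitution, the default pattern and prefix, the '#' replacement of wildcards and blanks, and uppercase folding), plus two helpers that use it to list the EJBROLE profiles a resource needs and to detect role names that collapse onto the same profile. The function names, the single-pass substitution order, and the sample role and resource names are assumptions made for illustration.

```python
import re

# Added example (not Liberty's own code): a model of the SAF role mapper rules
# documented on this page. Names and signatures are assumptions for illustration.

DEFAULT_PROFILE_PREFIX = "BBGZDFLT"   # default <safCredentials profilePrefix>
DEFAULT_PROFILE_PATTERN = "%profilePrefix%.%resource%.%role%"

# Placeholders the page defines, and the characters it says are folded to '#'
# (SAF generic-profile wildcards % & * and blank spaces).
_PLACEHOLDER = re.compile(r"%(role|resource|profilePrefix)%")
_UNSAFE = re.compile(r"[%&* ]")


def map_role_to_profile(role, resource, profile_prefix=DEFAULT_PROFILE_PREFIX,
                        profile_pattern=None, to_upper_case=False):
    """Return the EJBROLE profile name an access check for role/resource uses."""
    pattern = DEFAULT_PROFILE_PATTERN if profile_pattern is None else profile_pattern
    values = {"role": role, "resource": resource, "profilePrefix": profile_prefix}

    # Single-pass substitution (assumption of this model): a role value that
    # itself contains "%resource%" is inserted literally, never re-expanded.
    mapped = _PLACEHOLDER.sub(lambda m: values[m.group(1)], pattern)

    # Replace wildcards and blanks so a role name such as "sales*" cannot
    # become a generic profile name in the security product.
    mapped = _UNSAFE.sub("#", mapped)

    return mapped.upper() if to_upper_case else mapped


def profiles_for_roles(roles, resource, **kwargs):
    """Map every role of one resource: {role: profile}. Handy for producing the
    list of EJBROLE profiles that must be defined before the app is deployed."""
    return {r: map_role_to_profile(r, resource, **kwargs) for r in roles}


def find_collisions(roles, resource, **kwargs):
    """Profiles shared by more than one role after '#' substitution or uppercase
    folding. A PERMIT on such a profile grants all of those roles at once."""
    by_profile = {}
    for role, profile in profiles_for_roles(roles, resource, **kwargs).items():
        by_profile.setdefault(profile, []).append(role)
    return {p: rs for p, rs in by_profile.items() if len(rs) > 1}


if __name__ == "__main__":
    # Constructed sample roles for a hypothetical application "myapp".
    roles = ["admin", "Admin", "sales rep*", "sales%rep&", "%resource%"]
    for role, profile in profiles_for_roles(
            roles, "myapp", profile_pattern="myprofile.%resource%.%role%").items():
        print(f"{role!r:16} -> {profile}")
    print("collisions (toUpperCase=true):",
          find_collisions(roles, "myapp", profile_pattern="myprofile.%resource%.%role%",
                          to_upper_case=True))
```

Run it before defining profiles: the printed list is the set of EJBROLE profile names the security administrator has to create, and a non-empty collision result means two application roles would be granted by one profile, which is almost never what the application intended.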