Unauthorized services used by the SAF registry
The System Authorization Facility (SAF) registry uses a number of unauthorized services from the C environment provided by LE (Language Environment®).
The following table lists the unauthorized LE C services that the SAF registry uses and links to additional information in the z/OS® V2R1 documentation. These services are subject to BPX.DAEMON restrictions. These restrictions are detailed in the documentation that is linked to from the service calls associated with each method that is listed in the table.
| Method | Link to further information |
|---|---|
| | Verify/Change User Password |
| | Reset Group Database to First Entry |
| | Get Group Database Entry |
| | Get Group Database Entry Functions |
| NOTE: This method only works for users with defined OMVS segments. | Get Supplementary Group IDs by User Name |
| | Get Supplementary Group IDs by User Name |
| | Access the Group Database by ID |
| | Reset User Database Search |
| | Get User Database Entry |
| | User Database Functions |
| | Search Group Database for a Name |
| | Search User Database for a Name |
| | Register/Deregister/Authenticate a Digital Certificate |

Note: If the Liberty server is configured to
use SAF authorized services (see Activating and configuring the SAF registry on z/OS), then the following unauthorized services are not used:
checkPassword: __passwd_applid
isValidGroup: getgrnam_r
isValidUser: getpwnam_r
mapCertificate: __certificate
initACEE authorized SAF service. For the isValidGroup method, the Liberty server uses the RACROUTE EXTRACT macro.
Unless the server is configured to use an Angel for security authentication operations, UserRegistry, isValidUser, and isValidGroup methods return false for user or group names that are created without an OMVS segment.
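The note above maps isValidUser to getpwnam_r and isValidGroup to getgrnam_r. The following C sketch is an added example, not IBM or Liberty code, showing how a boolean check built on those two calls yields false when the database has no entry. The helper names `is_valid_user` and `is_valid_group` are hypothetical, and it is an assumption here that an ID without an OMVS segment appears to these calls as "no entry found".

```c
/* Added example: not IBM or Liberty code. Helper names are hypothetical. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { BUF_START = 1024, BUF_MAX = 1 << 20 };

/* True only when the user database returns an entry for name.
 * Lookup errors fail closed: they are reported as "not valid". */
bool is_valid_user(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    for (size_t len = BUF_START; len <= BUF_MAX; len *= 2) {
        char *buf = malloc(len);
        if (buf == NULL)
            return false;
        struct passwd pw, *res = NULL;
        int rc = getpwnam_r(name, &pw, buf, len, &res);
        free(buf);                 /* res is only compared, never dereferenced */
        if (rc != ERANGE)          /* ERANGE: buffer too small, retry larger */
            return rc == 0 && res != NULL;
    }
    return false;
}

/* Same check against the group database. */
bool is_valid_group(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    for (size_t len = BUF_START; len <= BUF_MAX; len *= 2) {
        char *buf = malloc(len);
        if (buf == NULL)
            return false;
        struct group gr, *res = NULL;
        int rc = getgrnam_r(name, &gr, buf, len, &res);
        free(buf);
        if (rc != ERANGE)
            return rc == 0 && res != NULL;
    }
    return false;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    printf("user=%d group=%d\n", is_valid_user(name), is_valid_group(name));
    return 0;
}
```

A false result from such a check does not distinguish an ID that does not exist from one that exists without an entry in the user or group database, so authorization logic that relies on it should treat the two cases the same way.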