RACF: Commands to implement roles and user assignments (System Authorization Facility directions)

The System Authorization Facility (SAF) is a z/OS interface that programs can use to communicate with an external security manager, such as Resource Access Control Facility (RACF). You can use RACF commands to implement roles and user assignments.

The following examples can be used to construct the RACF commands that are needed to implement the roles and user assignments:

RDEFINE EJBROLE (optionalSecurityDomain).businessspaceusers UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).WebFormUsers UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).BusinessRuleUsers UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).NoOne UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).AnyOne UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).Administrator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).RestServicesUser UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).TaskAPIUser UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).TaskSystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).TaskSystemAdministrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).TaskSystemMonitor UACC(NONE)
PERMIT (optionalSecurityDomain).TaskSystemMonitor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).EscalationUser UACC(NONE) APPLDATA(RACFUserIdentity)
RDEFINE EJBROLE (optionalSecurityDomain).DenyAllRole UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).Allauthenticated UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).everyone UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).WebClientUser UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).JMSAPIUser UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).AdminJobUser UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).JAXWSAPIUser UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).BusinessCategorySystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).BusinessCategorySystemAdministrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
PERMIT (optionalSecurityDomain).BusinessCategorySystemAdministrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).WorkBasketSystemAdministrator UACC(NONE)
PERMIT (optionalSecurityDomain).WorkBasketSystemAdministrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
PERMIT (optionalSecurityDomain).WorkBasketSystemAdministrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE (optionalSecurityDomain).eventAdministrator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).eventConsumer UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).eventUpdater UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).eventCreator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).catalogAdministrator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).catalogReader UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).eventemitters UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).deployer UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).AlphabloxAdministrator UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).AlphabloxUser UACC(NONE)
RDEFINE EJBROLE (optionalSecurityDomain).AlphabloxDeveloper UACC(NONE)

Add your RACF WebSphere® Application Server user ID to each of the roles in the previous list using:

PERMIT (optionalSecurityDomain).(ROLE) CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)

Any user who wants to use the applications protected by these roles must be granted READ access to the corresponding EJBROLE profile. Note that unsecured applications run under the identity of the WebSphere Application Server unauthenticated user ID, which by default is WSGUEST. This user ID is typically defined with the RESTRICTED option, which means it does not benefit from UACC; so if an unsecured application uses application facilities protected by the Java EE roles in the previous list, WSGUEST must be given explicit READ access to the relevant profiles, which implements the equivalent of the EVERYONE user mapping for the role.

Note: There is a subtlety in the user assignment to the roles when using SAF-based authorization. To emulate EVERYONE access, the EJBROLE profile must be defined with a UACC of READ and the WebSphere Application Server unauthenticated user ID (default WSGUEST) must also be granted READ access. To emulate all-authenticated access, the EJBROLE profile must be defined with a UACC of READ. For more information, see the WebSphere Application Server information center: System Authorization Facility considerations for the operating system and application levels.

Applications that use securityIdentity or RunAs roles also need extra configuration for SAF security products. In RACF, this is done by using the EJBROLE APPLDATA parameter to assign a RACF user identity (RACFUserIdentity in the examples in the previous list) to the role. For more information, see the WebSphere Application Server information center: System Authorization Facility (SAF) delegation.
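As an added example (not code from the IBM documentation), the following Python script generates the RDEFINE/PERMIT set for a list of roles while applying the mapping rules from the note above and the RunAs paragraph: EVERYONE roles get UACC(READ) plus an explicit READ permit for the unauthenticated ID, all-authenticated roles get UACC(READ), every other role is UACC(NONE) with per-user permits, and RunAs roles carry APPLDATA. The domain, role and user ID values in the sample are constructed, and the closing SETROPTS RACLIST(EJBROLE) REFRESH is standard RACF but is not shown on this page.

```python
# Added example: generate RACF EJBROLE commands for WebSphere roles.
# Not IBM's code; the domain/role/user values below are constructed.
from dataclasses import dataclass

# SAF mapping rules from the text: "everyone" needs UACC(READ) plus an
# explicit READ permit for the RESTRICTED unauthenticated ID (which
# ignores UACC), "authenticated" needs UACC(READ) only, and "explicit"
# is UACC(NONE) with a PERMIT per user ID.
UACC_FOR_MAPPING = {"everyone": "READ", "authenticated": "READ", "explicit": "NONE"}


@dataclass
class Role:
    name: str
    mapping: str = "explicit"   # "everyone" | "authenticated" | "explicit"
    users: tuple = ()           # RACF user IDs that get READ on the profile
    runas: str = ""             # RACF identity for RunAs/securityIdentity roles


def racf_commands(domain, roles, unauthenticated_id="WSGUEST", refresh=True):
    """Return the ordered RDEFINE/PERMIT commands for the given roles."""
    cmds = []
    for role in roles:
        if role.mapping not in UACC_FOR_MAPPING:
            raise ValueError(f"unknown mapping {role.mapping!r} for {role.name}")
        # The security-domain prefix is optional, as on the page.
        profile = f"{domain}.{role.name}" if domain else role.name
        rdefine = f"RDEFINE EJBROLE {profile} UACC({UACC_FOR_MAPPING[role.mapping]})"
        if role.runas:
            rdefine += f" APPLDATA({role.runas})"  # SAF delegation identity
        cmds.append(rdefine)
        grantees = list(role.users)
        if role.mapping == "everyone" and unauthenticated_id not in grantees:
            grantees.append(unauthenticated_id)  # RESTRICTED IDs ignore UACC
        for uid in grantees:
            cmds.append(f"PERMIT {profile} CLASS(EJBROLE) ID({uid}) ACCESS(READ)")
    if refresh:
        # Standard RACF step to activate the changes; not shown on this page.
        cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    return cmds


if __name__ == "__main__":
    sample = [  # constructed sample, modelled on the page's role list
        Role("everyone", mapping="everyone"),
        Role("Allauthenticated", mapping="authenticated"),
        Role("TaskSystemAdministrator", users=("WSADMIN",)),
        Role("EscalationUser", runas="RACFUserIdentity"),
    ]
    print("\n".join(racf_commands("BPMDOM", sample)))
```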