SAF frequently asked questions
General Debugging
You can enable trace output for the SAF component. To enable diagnostic tracing for SAF, run the
following command:
export OS390_SS_TRACE=ON
Is it possible to control access to data sets by using z/OS JAAS and the SAFPermission interfaces?
The SAF services provide access control support only for general resources; data sets are not supported.
The SAF interfaces in the IBM Semeru Runtime Certified Edition for z/OS support only querying user ID membership in a group; is there a way to administer changes to group membership with Java code?
The IBM® Semeru Runtime Certified Edition for z/OS® does not include services for administering users and groups. However, z/OS includes a set of Java™ interfaces that enable the administration of users and groups in security repositories. For more information, see Security Server RACF® General User's Guide.
What is the difference between the PlatformAccessControl.checkPermission() and PlatformAccessControl.checkMyPermission() methods?
The implementation of the PlatformAccessControl.checkPermission() method
requires the current user to have either READ access to BPX.SERVER or superuser status, whereas the
PlatformAccessControl.checkMyPermission() method requires only that the current
user has a task-level Access Control Environment Element (ACEE). You can generate a task-level ACEE
by calling the JAAS ThreadSubject.doAs() method. However, the
ThreadSubject.doAs() method has the same restrictions as the
PlatformAccessControl.checkPermission() method. Therefore, you should use the
PlatformAccessControl.checkMyPermission() method only when a task-level ACEE is
already present. Otherwise, use the PlatformAccessControl.checkPermission()
method. The following example uses the ThreadSubject.doAs() method
to generate an ACEE for the checkMyPermission() method:
/**
 * Calls PlatformAccessControl.checkMyPermission() inside a ThreadSubject.doAs() call
 */
private void checkMyPermission_Example_NoACEE() throws LoginException {
    // The LoginContext constructor, login() and logout() can throw LoginException
    LoginContext lc = new LoginContext("MY_LOGINCONTEXT");
    lc.login();
    try {
        Subject subject = lc.getSubject();
        PrivilegedAction<Object> action = new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                // A null return value means that access is granted
                PlatformReturned pr = PlatformAccessControl.checkMyPermission("MY_CLASS", "MY_RESOURCE_NAME", PlatformAccessLevel.READ);
                if (pr == null)
                    return "SUCCESS";
                else
                    return "FALSE";
            }
        };
        String result = (String) ThreadSubject.doAs(subject, action);
    } finally {
        // Log out even if the permission check throws
        lc.logout();
    }
}
However, if the current user already has an ACEE, you can call the
PlatformAccessControl.checkMyPermission() method as shown in the following
example:
/**
 * Calls PlatformAccessControl.checkMyPermission() when the user already has an ACEE
 */
private void checkMyPermission_Example_ACEE() {
    PlatformReturned pr = PlatformAccessControl.checkMyPermission("MY_CLASS", "MY_RESOURCE_NAME", PlatformAccessLevel.READ);
    String result;
    if (pr == null)
        result = "SUCCESS";
    else
        result = "FALSE";
}
The PlatformReturned object provides a descriptive error message if
the checkMyPermission() method fails. You can obtain the error message as shown
in the following example:
/**
 * Calls PlatformAccessControl.checkMyPermission() and prints out an error message
 */
private void checkMyPermission_ErrorMessage() {
    PlatformReturned pr = PlatformAccessControl.checkMyPermission("BADCLASS", "BAD_RESOURCE_NAME", PlatformAccessLevel.READ);
    String errorMessage;
    if (pr != null) {
        errorMessage = pr.stringRet;
        System.out.println(errorMessage);
    }
}