SAF frequently asked questions

General Debugging

You can enable trace output for the SAF component. To enable diagnostic tracing for SAF, run the following command:
export OS390_SS_TRACE=ON

Is it possible to control access to data sets by using z/OS JAAS and the SAFPermission interfaces?

The SAF services provide access control support only for general resources; data sets are not supported.

The SAF interfaces in the IBM Semeru Runtime Certified Edition for z/OS support only querying user ID membership in a group; is there a way to administer changes to group membership with Java code?

The IBM® Semeru Runtime Certified Edition for z/OS® does not include services for administering users and groups. However, z/OS includes a set of Java™ interfaces that enable the administration of users and groups in security repositories. For more information, see Security Server RACF® General User's Guide.

What is the difference between the PlatformAccessControl.checkPermission() and PlatformAccessControl.checkMyPermission() methods?

The implementation of the PlatformAccessControl.checkPermission() method requires the current user to have either READ access to BPX.SERVER or superuser status, whereas the PlatformAccessControl.checkMyPermission() method requires only that the current user has a task-level Access Control Environment Element (ACEE). You can generate a task-level ACEE by calling the JAAS ThreadSubject.doAs() method. However, the ThreadSubject.doAs() method has the same restrictions as the PlatformAccessControl.checkPermission() method. Therefore, you should use the PlatformAccessControl.checkMyPermission() method only when a task-level ACEE is already present. Otherwise, use the PlatformAccessControl.checkPermission() method. The following example demonstrates by using the ThreadSubject.doAs method to generate an ACEE for the checkMyPermission method:
/**
 * Calls PlatformAccessControl.checkMyPermission() inside a ThreadSubject.doAs() call
 */
private void checkMyPermission_Example_NoACEE() {
    LoginContext lc = new LoginContext("MY_LOGINCONTEXT");

    lc.login();
    Subject subject = lc.getSubject();

    PrivilegedAction<Object> action = new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            PlatformReturned pr = PlatformAccessControl.checkMyPermission("MY_CLASS", "MY_RESOURCE_NAME", PlatformAccessLevel.READ);

            if(pr == null)
                return "SUCCESS";
            else
                return "FALSE";
        }
    };

    String result = (String) ThreadSubject.doAs(subject, action);

    lc.logout();

}
However, if the current user already has an ACEE, you can call the PlatformAccessControl.checkMyPermission() method as shown in the following example:
/**
 * Calls PlatformAccessControl.checkMyPermission() when the user already has an ACEE
 */
private void checkMyPermission_Example_ACEE() {
    PlatformReturned pr = PlatformAccessControl.checkMyPermission("MY_CLASS", "MY_RESOURCE_NAME", PlatformAccessLevel.READ);
    String result;

    if (pr == null)
        result = "SUCCESS";
    else
        result = "FALSE";
}
The PlatformReturned object provides a descriptive error message if the checkMyPermission() method fails. You can obtain the error message as shown in the following example:
/**
 * Calls PlatformAccessControl.checkMyPermission() and prints out an error message
 */
private void checkMyPermission_ErrorMessage() {
    PlatformReturned pr = PlatformAccessControl.checkMyPermission("BADCLASS", "BAD_RESOURCE_NAME", PlatformAccessLevel.READ);
    String errorMessage;

    if (pr != null){
        errorMessage = pr.stringRet;
        System.out.println(errorMessage);
    }

}