SAF unauthenticated user ID

This task shows you how to define the SAF unauthenticated user ID and group in RACF®

Before you begin

If you are using a SAF user registry, it is necessary to specify a SAF user ID that represents the unauthenticated state. It is important to define this user ID correctly in your SAF registry.

If you are using a RACF SAF user registry, the unauthenticated user needs a unique default group (DFLTGRP) with no other user IDs connected to that group, an OMVS segment, but not a TSO segment, and the options NOPASSWORD, NOOIDCARD, and RESTRICTED.

If you have another SAF user registry, instead of RACF, then find the user ID options that are provided by that SAF registry that are equivalent to these RACF options.

The default authenticated user ID value is WSGUEST.


  1. Run the ADDGROUP command. The following example uses WSGUESTG as the group name.
  2. Run the ADDUSER command. The following example uses the default value of WSGUEST as the user ID name.

    The options NOPASSWORD and NOOIDCARD protect this user ID from being revoked by repeated attempts to guess the password.

    The option RESTRICTED means that this user ID cannot gain access to protected resources unless it is explicitly permitted to access that resource, even if that resource has a general access setting of UACC(READ).

Note: After the unauthenticated user ID is defined to the SAF registry, ensure that the user ID is authorized to use only the minimum number of SAF resources. If the IBM® z/OS® Connect server uses the SAF APPL resource check to control which users can connect to the Liberty z/OS System Security Access Domain (WZSSAD), then the unauthenticated user ID must be given access to the APPL profile. For more information about WZSSAD, see Accessing z/OS security resources using WZSSAD.

  1. Run the PERMIT command.
    PERMIT profilePrefix CLASS(APPL) ID(unauthenticated_user_ID) ACCESS(READ)
    • profilePrefix is the value of the profilePrefix attribute that is specified on the safCredentials element in server.xml. The default value is BBGZDFLT.
    • unauthenticated_user_ID is the SAF user ID you defined as the unauthenticated user. The default value is WSGUEST.
    Note: If you chose a user ID value other than WSGUEST, you must specify the value on the unauthenticatedUser attribute of the safCredentials element in the server.xml file for each of your IBM z/OS Connect servers.
  2. Give READ access to the SAF unauthenticated user ID.
    The SAF unauthenticated user ID, for example WSGUEST, needs READ access to the APPLID in the SAF APPL class that is used by the IBM z/OS Connect server for its SAF domain. For detailed instructions, see the section Authenticating a user of Accessing z/OS security resources using WZSSAD in the WebSphere® Application Server for z/OS Liberty documentation.