When the profile BPX.SERVER is defined, there might be two authorization
checks:
- The first check authorizes the use of the pthread_security_np()
service.
- The second check authorizes for whom the server can establish
a security context. This check establishes the scope of users for
whom the server can act as a surrogate. See "Defining servers to
process users without passwords or password phrases" for the steps
required to enable servers to act as surrogates for their clients
when a password or password phrase is not specified on the
pthread_security_np() service.

You can also use the BPX.SERVER profile to set the scope of z/OS
resources that the server can access when acting as a surrogate for
its clients.

There are two levels of authority that can be granted to the server
using thread-level security services:
- UPDATE access
Lets the server establish a thread-level (task-level) security
environment for clients connecting to the server. When the RACF®
identity of the server has been granted UPDATE authority to
BPX.SERVER in the RACF FACILITY class, the server is capable of
acting as a surrogate for the client. This means that the thread
that handles a request from the server's client runs with the z/OS
user ID of that client. Access control decisions for z/OS resources
(such as data sets) and z/OS UNIX resources (such as UNIX files)
that are accessed by the client's thread in the server are made
using the RACF identity of the client.
- READ access
Lets the server establish a thread-level security environment for
the clients that it services. However, both the user ID of the
server and the user ID of the client must be authorized to the
resources that the server will be accessing. A thread-level
security context in which both the client's and the server's
identities are used in the access control decision, and for which
the client did not supply a password or password phrase, is called
an unauthenticated client security context.

Depending on the design and implementation of the client/server
application, a client might have to supply an authenticator to the
server. For example, the client might be prompted to supply a
password, password phrase, or a password substitute, such as a RACF
PassTicket, to the server to prove its identity.

If a RACF password, password phrase, or PassTicket is specified as a
parameter on the pthread_security_np() service, and it is valid for
the client user ID, then only the task-level security environment is
used in access control decisions, even if the server's identity has
been granted READ access to the profile BPX.SERVER in the RACF
FACILITY class. That is, only the RACF user ID of the client is used
in making access control decisions. This task-level security
environment created by a server is called an authenticated client
security context. Because the client has trusted the server
sufficiently to supply a RACF password, password phrase, or
PassTicket to the server, the server is granted the capability of
acting as a surrogate for that client (user).
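
The decision rules described above, written out as a small Python model. This is an added example, not IBM code and not a z/OS API. It covers only the first check (the server's access to BPX.SERVER) and the identities that then take part in resource access decisions. The second check, the surrogate scope, is not modelled. The function names, the "surrogate" label, the assumption that an invalid authenticator fails the request, and the user IDs WEBSRV and ALICE are constructed for illustration.

```python
from enum import Enum

class Access(Enum):          # server's access to BPX.SERVER in the FACILITY class
    NONE = 0
    READ = 1
    UPDATE = 2

def security_context(server_access, authenticator_ok):
    """Return (context label, identities used in access control decisions).

    authenticator_ok: None  = no password, password phrase or PassTicket supplied
                      True  = supplied and valid for the client user ID
                      False = supplied but not valid (assumed: the request fails)
    """
    if server_access is Access.NONE:
        raise PermissionError("server may not use pthread_security_np()")
    if authenticator_ok is False:
        raise PermissionError("authenticator not valid for client user ID")
    if authenticator_ok:
        return ("authenticated client", ("client",))
    if server_access is Access.UPDATE:
        return ("surrogate", ("client",))          # label chosen for this model
    return ("unauthenticated client", ("client", "server"))

def access_allowed(server_access, authenticator_ok, permitted, server_id, client_id):
    """True if every identity the context requires is permitted to the resource."""
    _, required = security_context(server_access, authenticator_ok)
    ids = {"client": client_id, "server": server_id}
    return all(ids[role] in permitted for role in required)

if __name__ == "__main__":
    # Constructed sample: a data set permitted to ALICE only, not to the server.
    permitted = {"ALICE"}
    for access, auth in [(Access.UPDATE, None), (Access.READ, None), (Access.READ, True)]:
        label, _ = security_context(access, auth)
        ok = access_allowed(access, auth, permitted, "WEBSRV", "ALICE")
        print(f"{access.name:6} authenticator={auth!s:5} {label:22} allowed={ok}")
```

With READ access and no authenticator, the server's own permissions bound what a client thread can reach, so the resource permitted to ALICE alone is refused until WEBSRV is permitted as well.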