Setting up the System Authorization Facility (SAF) unauthenticated user
If you are using a SAF user registry, it is necessary to specify a SAF user ID that represents the unauthenticated state. The name of the unauthenticated user ID is specified on the unauthenticatedUser attribute of the SAFCredentials element in server.xml. It is important to define this user ID correctly in your SAF registry. If you are using a RACF SAF user registry, the unauthenticated user (default WSGUEST) needs a unique default group (DFLTGRP) with no other user IDs connected to that group, an OMVS segment but not a TSO segment, and the options NOPASSWORD, NOOIDCARD, and RESTRICTED. If you have another SAF user registry instead of RACF, find the user ID options provided by that SAF registry that are equivalent to these RACF options.
About this task
By running the appropriate commands, you can correctly set up an unauthenticated user in your SAF user registry. An unauthenticated user that is incorrectly set up might cause a security exposure.
Procedure
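The following RACF commands are an added example of the definitions described above; they are not part of the original topic. The user ID WSGUEST is the documented default; the group name WSGUESTG, the UID and GID values, and the HOME and PROGRAM paths are assumptions chosen for this example, and the /* */ lines are comments for the reader (as in a CLIST or REXX exec) rather than part of the commands.

```tso
/* Added example: RACF definitions for the Liberty unauthenticated user. */
/* Assumed values: group WSGUESTG, UID/GID 99901, HOME /tmp, PROGRAM /bin/sh. */

/* 1. A default group that only the unauthenticated user will ever be connected to. */
/*    Anything permitted to this group is effectively permitted to WSGUEST alone.  */
ADDGROUP WSGUESTG SUPGROUP(SYS1) OWNER(SYS1) +
   OMVS(GID(99901)) +
   DATA('DEFAULT GROUP FOR UNAUTHENTICATED USER - NO OTHER MEMBERS')

/* 2. The user ID itself:                                                      */
/*    NOPASSWORD and NOOIDCARD make it a protected user ID that cannot log on, */
/*    RESTRICTED excludes it from UACC, ID(*) and global access checking,      */
/*    the OMVS segment is required, and no TSO segment is defined.             */
ADDUSER WSGUEST DFLTGRP(WSGUESTG) OWNER(WSGUESTG) +
   NAME('LIBERTY UNAUTHENTICATED USER') +
   NOPASSWORD NOOIDCARD RESTRICTED +
   OMVS(UID(99901) HOME('/tmp') PROGRAM('/bin/sh'))

/* 3. Verify the result before pointing server.xml at this user ID. */
LISTUSER WSGUEST OMVS        /* expect RESTRICTED, PASSWORD=N/A, and the OMVS UID */
LISTUSER WSGUEST TSO         /* expect "NO TSO INFORMATION"                       */
LISTGRP  WSGUESTG            /* the only connected user should be WSGUEST         */
```

The LISTGRP check is the one worth repeating periodically: any additional user connected to the unauthenticated user's default group silently inherits every permission granted to that group.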
What to do next
EJBROLE profile. It is nearly always incorrect to permit the unauthenticated user ID to the resource profile to resolve the problem. It usually means that the request is running in an unauthenticated state when it must be running in an authenticated state. The actual problem is probably a failure to authenticate properly. Whenever it appears necessary to permit the unauthenticated user ID to a SAF resource profile, consider carefully whether that is the correct action to take. Permitting the unauthenticated user ID to any SAF resource profile makes that resource available to everyone, including users that are not authenticated. There are almost no instances where that is required; the APPL profile that controls access to the WZSSAD is one exception.