Each control region, server region, and client must have its own MVS user ID. When a request flows from a client to the server or from a server to a server, WebSphere for z/OS passes the user identity (client or server) with the request. Each request is performed on behalf of that user identity, and the system checks whether the identity has the authority to make the request. The following table shows the control/authorization relationships:

| Control | Authorization |
|---|---|
| Access control lists in LDAP | Controlled access to WebSphere for z/OS naming and interface repository data |
| CBIND class | Access to a server |
| DATASET class | Access to data sets |
| DCEUUIDS and IBMFAC classes | Mapping DCE credentials to Top Secret user IDs |
| DSNR class | Access to DB2 |
| EJBROLE class | Access to methods in enterprise beans |
| IBMFAC (IRR.DIGTCERT.GENCERT) & | SSL key rings, certificates and mappings |
| IBMFAC class (IMSXCF.OTMACI) | Access to OTMA for IMS access |
| IBMFAC class (IRR.RUSERMAP) | Kerberos credentials |
| File permissions | Access to HFS files |
| GRANTs (DB2) | DB2 access to plans and database |
| LOGSTRM class | Access to log streams |
| OPERCMDS class | Start and stop servers by Daemon |
| PTKTDATA class | Passticket enabling in the Sysplex (This relates to the session keys in the NDT in Top Secret) |
| SERVER class | Access to control region by a server region |
| SOMDOBJS class | Access to methods in CORBA objects |
| STC | Associate procname and userid in the STC table |
| SURROGAT class (*.DFHEXCI) | Access to EXCI for CICS access |

Copyright © 2014 CA Technologies. All rights reserved.