SAF - can create role, but not users or groups

Posted: Wed Mar 05, 2008 10:44 am
by gohabsgo
Hi,

I had Tomcat up and running without SAF but am now in the middle of SAFizing it. I followed the instructions at http://dovetail.com/docs/jzos/saf.html and got as far as adding a new role via the admin panel. However, I am not able to add groups or users in the admin panel. When I try, I get errors:
Caused by: javax.management.ServiceNotFoundException: Cannot find operation createGroup
Caused by: javax.management.ServiceNotFoundException: Cannot find operation createUser

Is this normal, with all the user/group stuff done via RACF, or am I missing the code for createGroup and createUser?

Thanks,

Larry

Posted: Wed Mar 05, 2008 11:40 am
by coz
Larry,

Users and Groups are added via RACF, or your security product. The SAF support in Tomcat is for roles only.

--Steve

a little deeper into tomcat from z/os with RACF ...

Posted: Wed Mar 05, 2008 12:58 pm
by gohabsgo
Thanks Steve. I was able to get a user set up in RACF to access my application in its Tomcat-defined role. Now my issue is how to secure the application to only be allowed access to specific RACF resources, i.e. datasets. For example, my application reads datasets that contain reports, some of which contain sensitive data. In WebSphere (running as a plugin) the userid that is signed in to the HTTP server is passed to the plugin, and RACF protection based on that userid is enforced for any dataset access from the application.

Is there any way to configure Tomcat to pass this userid and automatically enforce the dataset security?

Failing that, does anyone have any Java code that does this type of checking? i.e. "Does this user have access to read this dataset?" type checking.

Thanks,

Larry