Security roles

Access to enterprise bean methods is based on the concept of security roles. A security role represents a type of user of an application in terms of the permissions that the user must have to successfully use the application. For example, in a payroll application:

The security roles for an application are defined by the application assembler, and are specified in the bean's deployment descriptor. For more information, see Security roles in the deployment descriptor.

The security roles that are permitted to execute a bean method are also specified in the bean's deployment descriptor, again by the application assembler. In the example, methods which update the hours worked by employees each week might be assigned to the data_entry role, while methods which delete an employee from the payroll might be assigned to the team_leader role.
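The following is an added example, not part of the original documentation. It parses a constructed deployment descriptor fragment that uses the standard EJB `security-role` and `method-permission` elements, lists which roles may execute each bean method, and reports any role that a method permission references without a matching `security-role` declaration. The bean name `Payroll`, the method names, and the `payroll_admin` role are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample deployment descriptor (ejb-jar.xml) fragment.
# Bean name, method names and the payroll_admin role are hypothetical.
SAMPLE_DESCRIPTOR = """\
<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>data_entry</role-name></security-role>
    <security-role><role-name>team_leader</role-name></security-role>
    <method-permission>
      <role-name>data_entry</role-name>
      <method>
        <ejb-name>Payroll</ejb-name>
        <method-name>updateHoursWorked</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>team_leader</role-name>
      <role-name>payroll_admin</role-name>
      <method>
        <ejb-name>Payroll</ejb-name>
        <method-name>deleteEmployee</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

def audit_roles(descriptor_xml):
    """Return (method -> permitted roles, roles used but never declared)."""
    assembly = ET.fromstring(descriptor_xml).find("assembly-descriptor")
    declared = {r.findtext("role-name").strip()
                for r in assembly.findall("security-role")}
    permitted = defaultdict(set)
    for perm in assembly.findall("method-permission"):
        roles = {r.text.strip() for r in perm.findall("role-name")}
        for m in perm.findall("method"):
            key = (m.findtext("ejb-name").strip(),
                   m.findtext("method-name").strip())
            permitted[key] |= roles
    used = set().union(*permitted.values()) if permitted else set()
    return dict(permitted), sorted(used - declared)

if __name__ == "__main__":
    permitted, undeclared = audit_roles(SAMPLE_DESCRIPTOR)
    for (bean, method), roles in sorted(permitted.items()):
        print(f"{bean}.{method}: {sorted(roles)}")
    print("undeclared roles:", undeclared)
```

An undeclared role in the output is worth reviewing before deployment, because no `security-role` entry exists for it to be qualified and mapped to users.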

To distinguish similarly named security roles in different applications, or in different systems, the security roles specified in the bean's deployment descriptor can be given a one- or two-part qualifier when the bean is deployed in a CICS® system. For example:

A security role with its qualifiers is known as a deployed security role. For more information, see Deployed security roles.

The mapping of security roles to individual users is done in the external security manager. The mapping is not necessarily one-to-one. For example, several users might be assigned to the data_entry role, while some users might be assigned to both the team_leader role and the data_entry role. For more information, see Implementing security roles.

The security role and display name in the deployment descriptor can contain any ASCII or Unicode character. This is not so for names used in RACF®, which are restricted to characters in EBCDIC code page 037. In addition, some characters — the asterisk (*) for example — have special meaning when used in RACF commands. Therefore, when CICS constructs the deployed security role from its components, some characters are replaced with a different character, and others are replaced with an escape sequence. For details, see Character substitution in deployed security roles.