JEE application role security
JEE application role security can be configured in different ways, depending on the authorization type you use. On distributed platforms, a basic registry or an LDAP registry is typically used together with an application-specific <application-bnd> element in server.xml, which maps users and groups from that registry to roles. The application's deployment descriptor (web.xml) declares the roles with <security-role> elements and uses <security-constraint> elements to determine which roles can access which parts of the application. Authorization therefore has two halves: the descriptor states which role a request needs, and the binding states who holds that role.
About this task
On z/OS® there is an additional registry type, the SAF registry. A Liberty JVM server implicitly uses this registry type for authentication when the cicsts:security-1.0 feature is installed, so user IDs and passwords are validated by the external security manager (for example, RACF®). You can optionally choose to use SAF for authorization as well. The SAF registry supports user-to-role mappings through EJBROLE class profiles: a user holds a role if that user ID, or a group it belongs to, has READ access to the EJBROLE profile that represents the role. As a result, the mapping information can be taken directly from the security manager rather than from server.xml.
In a Liberty JVM server, if you want to use JEE roles without SAF authorization, you cannot use CICS® bundles to install your applications. An application installed from a CICS bundle automatically receives a generated <application-bnd> element that grants access through the ALL_AUTHENTICATED_USERS special-subject, and that generated binding prevents you from defining the element yourself. Because the generated binding gives every user who authenticates successfully the same access, it does not distinguish between roles. To bind specific users and groups to roles, you must instead declare the application with an <application> element directly in server.xml and configure its <application-bnd> with the roles, users, and groups you require.
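The following is an added example, not taken from the IBM documentation, showing the two halves described above for a Liberty JVM server that authenticates with SAF but authorizes with an explicit binding in server.xml. The application name payroll, the roles admin and user, the URL patterns, the WAR location, the servlet feature version, and the user and group IDs PAYADM1 and PAYADMIN are all assumed for illustration; the role names in the binding must match those declared in the deployment descriptor.

```xml
<!-- web.xml (deployment descriptor, inside the WAR): declares the roles and which URLs need them.
     Application name, roles and paths are assumed for this example. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>  <!-- only holders of the "admin" role -->
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and admin traffic never travel over plain HTTP -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>

<!-- server.xml (Liberty JVM server): SAF authenticates, this binding authorizes.
     The application is declared here rather than in a CICS bundle so that this
     <application-bnd> is the one Liberty uses. -->
<server description="CICS Liberty JVM server, JEE roles bound in server.xml">
  <featureManager>
    <feature>cicsts:security-1.0</feature>  <!-- SAF registry is used for authentication -->
    <feature>servlet-3.1</feature>          <!-- assumed servlet level -->
  </featureManager>

  <application id="payroll" name="payroll" type="war"
               location="/u/cics/apps/payroll.war">  <!-- assumed path -->
    <application-bnd>
      <!-- Least privilege: "admin" is held only by one user ID and one group from the registry. -->
      <security-role name="admin">
        <user name="PAYADM1"/>
        <group name="PAYADMIN"/>
      </security-role>
      <!-- Any successfully authenticated user holds "user". This special-subject is the same
           grant a CICS bundle generates for its applications: acceptable for a baseline role,
           never for a privileged one. -->
      <security-role name="user">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </application>
</server>
```

With this configuration a request to /admin/* succeeds only for PAYADM1 or members of PAYADMIN, while any user ID that SAF authenticates can reach the rest of the application. Check the binding after every deployment: a role declared in web.xml but absent from the <application-bnd> has no members, so requests protected by it are denied.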
If, however, you choose to use JEE roles with SAF authorization, you can continue to use CICS bundles to install and manage your web applications. When SAF authorization is enabled, Liberty ignores the <application-bnd>, including the generated one that grants ALL_AUTHENTICATED_USERS, and instead uses the role mappings held in the SAF registry. A user is in a role if that user ID, or one of its groups, is permitted to the EJBROLE profile that corresponds to the role. Each role the application declares must therefore be represented by an EJBROLE profile, and users gain the role only through a permit to that profile.
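The alternative described above, as an added example that is not part of the original page: SAF authorization enabled in server.xml, together with the profile naming that determines which EJBROLE profile each role is checked against. The profile prefix CICSLIB1, the application name payroll, the roles admin and user, and the servlet feature version are assumed; the application itself can be installed from a CICS bundle because the binding is no longer consulted.

```xml
<!-- server.xml (Liberty JVM server): SAF for both authentication and authorization.
     The profilePrefix and application names are assumed for this example. -->
<server description="CICS Liberty JVM server, SAF authorization">
  <featureManager>
    <feature>cicsts:security-1.0</feature>  <!-- SAF registry is used for authentication -->
    <feature>servlet-3.1</feature>          <!-- assumed servlet level -->
  </featureManager>

  <!-- Enables SAF authorization. Any <application-bnd>, including the one a CICS bundle
       generates with ALL_AUTHENTICATED_USERS, is now ignored; role checks go to EJBROLE
       profiles in the security manager instead. -->
  <safAuthorization id="saf"/>

  <!-- The prefix that qualifies every EJBROLE profile this server checks (assumed value). -->
  <safCredentials profilePrefix="CICSLIB1"/>

  <!-- How a JEE role becomes an EJBROLE profile name. With this pattern, role "admin" in
       application "payroll" is checked against the profile CICSLIB1.payroll.admin, and
       role "user" against CICSLIB1.payroll.user. -->
  <safRoleMapper profilePattern="%profilePrefix%.%resource%.%role%" toUpperCase="false"/>
</server>
```

The matching security manager definitions, for RACF, are of the form RDEFINE EJBROLE CICSLIB1.payroll.admin UACC(NONE) followed by PERMIT CICSLIB1.payroll.admin CLASS(EJBROLE) ID(PAYADMIN) ACCESS(READ), repeated for CICSLIB1.payroll.user with the group that should hold the baseline role, with the EJBROLE class active and RACLISTed (SETROPTS CLASSACT(EJBROLE) RACLIST(EJBROLE)) and SETROPTS RACLIST(EJBROLE) REFRESH issued after changes. Define the profiles with UACC(NONE) so that a role is granted only through an explicit permit, and keep toUpperCase consistent with how the profiles were defined, because EJBROLE profile names are matched exactly. Remember that the ALL_AUTHENTICATED_USERS grant from the CICS bundle no longer applies in this mode: a user ID with no access to the profile is not in the role.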