Skip to Main Content
Cloud Platform

This is an IBM Automation portal for Cloud Platform products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (

Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.

Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal ( - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal ( - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM. - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Workspace WebSphere Liberty
Created by Guest
Created on Mar 20, 2018

Liberty zOS - improve process to determine when mapped userid does not have access to APPL


in Liberty on zOS, when authenticating to an application using a client certificate, the client certificate is mapped to a RACF user id.

To be able to invoke the application, the mapped RACF user id needs to have READ access to the APPL class.

The problem is that if the mapped user id does not have access then you get no RACF message showing the security violation.

If you trace in Liberty the trace message is not overly helpful as it shows that "null" has no access as in this example:

[1/11/18 3:35:41:410 GMT] 0000002a SAFServiceRes < getMessage Exit CWWKS2907E: SAF Service IRRSIA00_CREATE did not succeed because user null has insufficient authority to access APPL-ID EDZCWAZ. SAF return code 0x00000008. RACF return code 0x00000008. RACF reason code 0x00000020.

The "null" in the above message, is misleading, as it is really the mapped user id that does not have access to the APPL class.

Current way this works does not return the mapped user id back to Liberty, so it cannot show the mapped user id that did not have access, but there is also no RACF message.

Would like to see change done so that at least the trace message shows that the mapped user id did not have access to the APPL class.

Idea priority Medium
RFE ID 117830
RFE Product WebSphere Application Server
  • Admin
    Graham Charters
    Jan 14, 2022

    Thank you for the suggestion. The requirement does have merit, but looking at it with respect to our total backlog of requests we do not see sufficient interest in this enhancement to merit delivery any time in the foreseeable future. Given the unlikelihood that we would deliver this, we are declining the request rather than leaving it in an uncommitted state for an extended period of time. If you would like to discuss this decision further, please contact Graham Charters <>.

  • Guest
    Apr 10, 2019

    I'd actually like to see a useful msg in the task output without having to initiate traces, recreatethe issue and then scour a trace to try and find the real problem.