How to configure the zosConnectAccess role with a SAF user registry

Assign SAF users and groups to the zosConnectAccess role to control which users, specified on the call from the CICS, IMS or z/OS application, can access IBM® z/OS® Connect.

This task is applicable when IBM z/OS Connect is used as an API requester.

Before you begin

  • You should be familiar with the information in API requester authorization.
  • You need to know the SAF user IDs and groups that are to be granted access to IBM z/OS Connect.
  • You must have completed the task How to configure basic authentication with a SAF user registry, or have authenticated with TLS client authentication and mapped the CICS, IMS or z/OS application certificate to a SAF user ID.
  • You must have write access to the server.xml configuration file.

About this task

Now that you have configured the IBM z/OS Connect server to require authentication by setting the attribute requireAuth="true", you can assign SAF users and groups to the zosConnectAccess role.

This task assumes that RACF® is used as security manager. If you are using an alternative External Security Manager, refer to the appropriate product documentation for the equivalent commands.


  1. Configure the server to use SAF for authorization.
    This configures the IBM z/OS Connect server to perform authorization checks against the SAF registry. The zosConnectAccess role check is performed against the authenticated SAF user ID. Add the following element to the server.xml configuration file:
    <safAuthorization id="saf-authorization"/>

    To display SAF authorization messages, such as RACF ICH408I, when unauthorized users attempt to access IBM z/OS Connect, specify the attribute racRouteLog="ASIS" on the safAuthorization element.

    For more information about the safAuthorization element, see the Server configuration section in the IBM WebSphere® Application Server for z/OS Liberty documentation.

  2. Assign users and groups to the zosConnectAccess role.
    For SAF authorization, access is controlled using the SAF EJBROLE profile profilePrefix.zos.connect.access.roles.zosConnectAccess.
    1. Define the SAF EJBROLE profile.
      Enter the following command:
      RDEFINE EJBROLE profilePrefix.zos.connect.access.roles.zosConnectAccess UACC(NONE)
      In this command, profilePrefix is the value used for this server as specified on the profilePrefix attribute of the safCredentials element in server.xml. The default profile prefix value is BBGZDFLT.
    2. Activate the EJBROLE class.
      Enter the following command:
    3. Give the user IDs and groups that require authority to access IBM z/OS Connect READ access to this profile.
      For example, to assign group "STAFF" and user "EMPLOY1" to the zosConnectAccess role, enter the following commands:
      PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(STAFF) ACCESS(READ)
      PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(EMPLOY1) ACCESS(READ)
    4. Refresh the EJBROLE class.
      Enter the following command:
    5. Ensure the user IDs and groups have also been granted READ access to the profilePrefix APPL profile.
      This is described in the task How to activate and configure the SAF user registry. Enter the following command:
  3. Start the server, or restart it if it was already running, to pick up the changes made to the RACF class profiles.


The SAF users and groups assigned to the zosConnectAccess role now have authorization to access IBM z/OS Connect.
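
The following Python script is an added example, not part of the IBM documentation. It audits a local copy of server.xml for the settings this task relies on, resolves the EJBROLE profile name from profilePrefix, and renders the RDEFINE and PERMIT commands from step 2 for review. The function names, the ZCPROD prefix and the sample server.xml content (including the zosconnect_zosConnectManager element used to carry requireAuth) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_PREFIX = "BBGZDFLT"  # default profilePrefix value given on this page
ROLE_SUFFIX = ".zos.connect.access.roles.zosConnectAccess"

def audit_server_xml(xml_text):
    """Return (EJBROLE profile name, list of findings) for a server.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    # requireAuth is checked on whichever element carries it.
    auth = [el.get("requireAuth") for el in root.iter() if el.get("requireAuth") is not None]
    if not auth:
        findings.append("requireAuth is not set")
    elif any(v.strip().lower() != "true" for v in auth):
        findings.append('requireAuth is not "true" everywhere it is set')
    saf = root.find(".//safAuthorization")
    if saf is None:
        findings.append("safAuthorization element is missing")
    elif saf.get("racRouteLog") != "ASIS":
        # Without ASIS, messages such as ICH408I may not be displayed.
        findings.append('racRouteLog is not "ASIS"')
    creds = root.find(".//safCredentials")
    prefix = creds.get("profilePrefix", DEFAULT_PREFIX) if creds is not None else DEFAULT_PREFIX
    return prefix + ROLE_SUFFIX, findings

def racf_commands(profile, ids):
    """Render the RDEFINE and PERMIT commands from step 2 for a RACF administrator to review."""
    cmds = [f"RDEFINE EJBROLE {profile} UACC(NONE)"]
    cmds += [f"PERMIT {profile} CLASS(EJBROLE) ID({i}) ACCESS(READ)" for i in ids]
    return cmds

# Constructed sample input, not taken from a real server.
GOOD = """<server>
  <zosconnect_zosConnectManager requireAuth="true"/>
  <safCredentials profilePrefix="ZCPROD"/>
  <safAuthorization id="saf-authorization" racRouteLog="ASIS"/>
</server>"""
BAD = """<server>
  <zosconnect_zosConnectManager requireAuth="false"/>
</server>"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        profile, findings = audit_server_xml(text)
        print(name, profile, findings or "no findings")
    print("\n".join(racf_commands(audit_server_xml(GOOD)[0], ["STAFF", "EMPLOY1"])))
```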