How to configure the zosConnectAccess role with a SAF user registry
Assign SAF users and groups to the zosConnectAccess role to control which users, specified on the call from the CICS, IMS or z/OS application, can access IBM® z/OS® Connect.
This task is applicable when IBM z/OS Connect is used as an API requester.
Before you begin
- You should be familiar with the information in API requester authorization.
- You need to know the SAF user IDs and groups that are to be granted access to IBM z/OS Connect.
- You must have completed the task How to configure basic authentication with a SAF user registry, or have authenticated with TLS client authentication and mapped the CICS, IMS or a z/OS application certificate to a SAF user ID.
- You must have write access to the server.xml configuration file.
About this task
Now that you have configured the IBM z/OS Connect server to require authentication by setting the attribute requireAuth="true", you assign SAF users and groups to the zosConnectAccess role.
This task assumes that RACF® is used as security manager. If you are using an alternative External Security Manager, refer to the appropriate product documentation for the equivalent commands.
- Configure the server to use SAF for authorization.
This configures the IBM z/OS Connect server to perform authorization checks against the SAF registry. The zosConnectAccess role check is performed against the authenticated SAF user ID. Add the following element to the server.xml configuration file:
To display SAF authorization messages such as RACF ICH408I when unauthorized users attempt to access IBM z/OS Connect, specify the attribute
For more information about the safAuthorization element, see the Server configuration section in the IBM WebSphere® Application Server for z/OS Liberty documentation.
- Assign users and groups to the zosConnectAccess role. For SAF authorization, access is controlled using the SAF EJBROLE profile.
  - Define the SAF EJBROLE profile. Enter the following command:
    RDEFINE EJBROLE profilePrefix.zos.connect.access.roles.zosConnectAccess UACC(NONE)
    In this command, profilePrefix is the value used for this server as specified on the profilePrefix attribute of the safCredentials element in server.xml. The default profile prefix value is BBGZDFLT.
  - Activate the EJBROLE class. Enter the following command:
    SETROPTS CLASSACT(EJBROLE)
  - Give the user IDs and groups that require authority to access IBM z/OS Connect READ access to this profile. For example, to assign group "STAFF" and user "EMPLOY1" to the zosConnectAccess role, enter the following commands:
    PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(STAFF) ACCESS(READ)
    PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(EMPLOY1) ACCESS(READ)
  - Refresh the EJBROLE class. Enter the following command:
    SETROPTS RACLIST(EJBROLE) REFRESH
  - Ensure the user IDs and groups have also been granted READ access to the APPL profile. This is described in the task How to activate and configure the SAF user registry. Enter the following command:
    PERMIT profilePrefix CLASS(APPL) ACCESS(READ) ID(EMPLOY1)
- Start, or restart the server if it was already running, to pick up the changes made to the RACF class profiles.
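The RACF command sequence from the steps above, generalized to any profile prefix and any number of user IDs and groups, together with a least-privilege check over a profile's access list, as an added Python example that is not part of the IBM documentation. The RACF ID syntax rule and the ordering of access levels used here are assumptions of this example, and the access list passed to the audit function is constructed, not read from RACF.

```python
import re

# Assumed RACF rule for user and group IDs: 1-8 characters from A-Z, 0-9
# and the national characters @ # $ (IDs are expected in uppercase).
_RACF_ID = re.compile(r"^[A-Z0-9@#$]{1,8}$")

# Profile suffix used by IBM z/OS Connect for the zosConnectAccess role.
ROLE_SUFFIX = "zos.connect.access.roles.zosConnectAccess"

# Assumed ranking of RACF access levels, lowest to highest.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def ejbrole_profile(profile_prefix):
    """EJBROLE profile name for the zosConnectAccess role (case is kept)."""
    return f"{profile_prefix}.{ROLE_SUFFIX}"


def validate_ids(ids):
    """Reject IDs that do not follow the assumed RACF ID syntax."""
    bad = [i for i in ids if not _RACF_ID.match(i)]
    if bad:
        raise ValueError(f"invalid SAF IDs: {bad}")
    return list(ids)


def racf_commands(profile_prefix="BBGZDFLT", ids=(), define=True):
    """Build the commands that grant READ on the zosConnectAccess EJBROLE
    profile and on the APPL profile to each user ID or group in ids."""
    ids = validate_ids(ids)
    prof = ejbrole_profile(profile_prefix)
    cmds = []
    if define:
        cmds.append(f"RDEFINE EJBROLE {prof} UACC(NONE)")
        cmds.append("SETROPTS CLASSACT(EJBROLE)")
    for i in ids:
        cmds.append(f"PERMIT {prof} CLASS(EJBROLE) ID({i}) ACCESS(READ)")
    cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    for i in ids:
        cmds.append(f"PERMIT {profile_prefix} CLASS(APPL) ID({i}) ACCESS(READ)")
    return cmds


def audit_access(uacc, access_list):
    """Flag findings for a profile given its UACC and an {id: access} dict.
    The role needs only READ, so any UACC other than NONE, or any entry
    above READ, is more authority than the role requires."""
    findings = []
    if uacc.upper() != "NONE":
        findings.append(f"UACC is {uacc}, expected NONE")
    for i, acc in access_list.items():
        if ACCESS_ORDER.index(acc.upper()) > ACCESS_ORDER.index("READ"):
            findings.append(f"{i} has {acc}, READ is sufficient")
    return findings
```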
Users and groups assigned to the zosConnectAccess role now have authorization to access IBM z/OS Connect.