How to configure authorization levels with an LDAP user registry
Configure authorization to control which users can perform specific actions on IBM® z/OS® Connect APIs or services by using an LDAP user registry.
This task is applicable when IBM z/OS Connect is used as an API provider.
Before you begin
- You should be familiar with the information in API provider authorization.
- You need to know which LDAP users and groups are to be granted various authorization levels to which APIs or services.
- You must have write access to the server.xml configuration file.
- You must have configured the IBM z/OS Connect server to use an LDAP user registry to authenticate and authorize the users. For example, you can use one of the following methods:
About this task
Configure an IBM z/OS Connect server to perform authorization checks by using the IBM z/OS Connect authorization interceptor. You assign LDAP registry groups to each of the authorization levels (admin, operations, invoke, and reader), either globally or for a specific API or service.
You configure the authorization interceptor at the global scope with LDAP groups that are assigned to each of the global authorization levels. The configuration examples demonstrate the following options:
Note:
- If the interceptor is configured for both an API and the service it calls, then an HTTP or HTTPS request to invoke the API drives only the interceptor for the API. If the interceptor is configured for a service, then it is only driven if that service is invoked directly by an HTTP or HTTPS request.
- If you want to configure authorization for the RESTful administration actions, such as deploying an API, deploying a service, getting a list of APIs, getting a list of services, or getting statistics for multiple services, additional configuration is needed. For more information, see API provider authorization.
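The following server.xml fragment is an added example, not configuration from this page or from IBM's documentation. It wires a Liberty LDAP user registry to the authorization interceptor, assigns one LDAP group to each of the four global levels, and then narrows the invoke level for a single API. The element and attribute names follow the z/OS Connect EE V3 server.xml conventions as I recall them, and the host, DNs, keystore, group names and API name are assumptions; check all of them against the product's configuration reference before use.

```xml
<server description="z/OS Connect with LDAP-based authorization (assumed example)">
    <!-- Liberty LDAP user registry over TLS: users and groups come from this
         directory. Host, DNs, bind credentials and keystore are placeholders. -->
    <keyStore id="ldapTrust" location="ldapTrust.p12" password="{aes}PLACEHOLDER"/>
    <ssl id="ldapSSL" trustStoreRef="ldapTrust"/>
    <ldapRegistry id="ldap" realm="zosConnectRealm"
                  host="ldap.example.com" port="636"
                  sslEnabled="true" sslRef="ldapSSL"
                  baseDN="o=example,c=us"
                  bindDN="cn=zcbind,o=example,c=us" bindPassword="{aes}PLACEHOLDER"
                  ldapType="IBM Tivoli Directory Server"/>

    <!-- The authorization interceptor and an interceptor list that references it -->
    <zosconnect_authorizationInterceptor id="zosConnectAuthorizationInterceptor"/>
    <zosconnect_zosConnectInterceptors id="interceptorList_1"
                                       interceptorRef="zosConnectAuthorizationInterceptor"/>

    <!-- Global scope: one LDAP group per authorization level. Every API and
         service inherits these unless it overrides them. Keep the admin group
         small; it is the level that can deploy and remove APIs. -->
    <zosconnect_zosConnectManager globalInterceptorsRef="interceptorList_1"
                                  globalAdminGroup="zcAdmins"
                                  globalOperationsGroup="zcOperators"
                                  globalInvokeGroup="zcInvokers"
                                  globalReaderGroup="zcReaders"/>

    <!-- API scope: myAPI (the API named in the Results messages) restricts
         invoke to a smaller group. A user who is only in zcReaders can read
         the API definition but gets BAQR0409W on an invoke request. Because
         the interceptor is set here, an HTTP request to myAPI drives only this
         API-level check, not the check on the service it calls. -->
    <zosconnect_zosConnectAPIs>
        <zosConnectAPI name="myAPI" interceptorsRef="interceptorList_1"
                       adminGroup="myAPIAdmins"
                       operationsGroup="zcOperators"
                       invokeGroup="myAPIInvokers"
                       readerGroup="zcReaders"/>
    </zosconnect_zosConnectAPIs>
</server>
```

After a change, verify the assignment by invoking the API with a test user that is in zcReaders only and confirming that messages.log records BAQR0409W for that user.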
Procedure
Perform step 4 only if you have completed step 3.
Results
If a request fails an authorization check, messages are written to the messages.log file. For example, if a user attempts to invoke an API but has reader access only, the following messages are written:
BAQR0409W: User RoseMoubinou is not authorized to perform the request.
BAQR0428W: The zosConnectAuthorization interceptor encountered an error while processing a request for API myAPI under request URL http://myhost.company.com:9080/myAPI/mydata.
The following messages are returned in the HTTP response body:
BAQR0409W: User RoseMoubinou is not authorized to perform the request.
BAQR0436W: The zosConnectAuthorization interceptor encountered an error while processing a request for API myAPI.