How to configure authorization levels with an LDAP user registry
Configure authorization to control which users can perform specific actions on IBM® z/OS® Connect APIs or services by using an LDAP user registry.
This task is applicable when IBM z/OS Connect is used as an API provider.
Before you begin
- You should be familiar with the information in API provider authorization.
- You need to know which LDAP users and groups are to be granted various authorization levels to which APIs or services.
- You must have write access to the server.xml configuration file.
- You must have configured the IBM z/OS Connect server to use an LDAP user registry to authenticate and authorize the users. For example, you can use one of the following methods:
About this task
Configure an IBM z/OS Connect server to perform authorization checks by using the IBM z/OS Connect authorization interceptor. You assign LDAP registry groups to each of the authorization levels (admin, operations, invoke and reader), either globally or for a specific API or service.
You configure the authorization interceptor at the global scope with LDAP groups that are assigned to each of the global authorization levels. The configuration examples demonstrate the following options:
- If the interceptor is configured for both an API and the service it calls, then an HTTP or HTTPS request to invoke the API drives only the interceptor for the API. If the interceptor is configured for a service, then it is only driven if that service is invoked directly by an HTTP or HTTPS request.
- If you want to configure authorization for the RESTful administration actions, such as deploying an API, deploying a service, getting a list of APIs, getting a list of services, or getting statistics for multiple services, additional configuration is needed. For more information, see API provider authorization.
- Configure the IBM z/OS Connect authorization interceptor. Add the following element to the server.xml configuration file:
For more information about the zosconnect_authorizationInterceptor element, see zosconnect_authorizationInterceptor in the Reference section.
- Configure which interceptors are to be called. The IBM z/OS Connect authorization interceptor is called by referencing it in the following element of the server.xml configuration file:
<zosconnect_zosConnectInterceptors id="interceptorList1" interceptorRef="zosConnectAuthorizationInterceptor"/>
In this example, the interceptorRef attribute value matches the id attribute value of the referenced zosconnect_authorizationInterceptor element.
For more information about the zosconnect_zosConnectInterceptors element, see zosconnect_zosConnectInterceptors in the Reference section.
Perform step 4 only if you have completed step 3.
- Update the server configuration or restart the server.
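The following server.xml fragment is an added example, not configuration taken from the IBM documentation page. It ties the steps above together: an LDAP user registry, the authorization interceptor, the interceptor list that references it, the global authorization levels, and an API-scoped override. Only the zosconnect_authorizationInterceptor and zosconnect_zosConnectInterceptors elements appear on the page; the ldapRegistry, featureManager, zosconnect_zosConnectManager and zosconnect_zosConnectAPI elements and their attributes are assumed from the Liberty and z/OS Connect EE configuration references, and every host name, DN, group name, API name and variable is a constructed placeholder.

```xml
<!-- Added example (not the IBM page's own configuration). Element and attribute
     names other than zosconnect_authorizationInterceptor and
     zosconnect_zosConnectInterceptors are assumed from the Liberty and z/OS Connect
     EE references; all host names, DNs, group names and API names are placeholders. -->
<server description="z/OS Connect server with LDAP-backed authorization levels">

    <!-- Assumed feature set: z/OS Connect plus the Liberty LDAP registry. -->
    <featureManager>
        <feature>zosconnect:zosConnect-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- LDAP user registry used for both authentication and group lookup.
         Values are constructed. Use TLS to the directory and keep the bind
         credential out of the file (Liberty variable, encoded with securityUtility). -->
    <ldapRegistry id="corpLdap" realm="CorpLdapRealm"
        host="ldap.example.com" port="636"
        sslEnabled="true" sslRef="defaultSSLConfig"
        baseDN="ou=zosconnect,dc=example,dc=com"
        bindDN="cn=zcbind,ou=service,dc=example,dc=com"
        bindPassword="${ldap.bind.password}"
        ldapType="IBM Tivoli Directory Server"/>

    <!-- Step: define the z/OS Connect authorization interceptor. -->
    <zosconnect_authorizationInterceptor id="zosConnectAuthorizationInterceptor"/>

    <!-- Step: the interceptor list; interceptorRef matches the id above. -->
    <zosconnect_zosConnectInterceptors id="interceptorList1"
        interceptorRef="zosConnectAuthorizationInterceptor"/>

    <!-- Global scope (assumed attributes): the interceptor list is applied to every
         API and service, and each authorization level is mapped to one LDAP group.
         Group names are the LDAP group identifiers as the registry presents them. -->
    <zosconnect_zosConnectManager
        globalInterceptorsRef="interceptorList1"
        globalAdminGroup="zcAdmins"
        globalOperationsGroup="zcOperators"
        globalInvokeGroup="zcInvokers"
        globalReaderGroup="zcReaders"/>

    <!-- API scope (assumed element): narrower groups for one API. Because the
         interceptor is configured for the API, an HTTP(S) request that invokes
         myAPI drives only this API-level check, not the check on the service it
         calls. A user who is only in payrollReaders gets BAQR0409W on invoke. -->
    <zosconnect_zosConnectAPIs>
        <zosconnect_zosConnectAPI name="myAPI"
            interceptorsRef="interceptorList1"
            adminGroup="zcAdmins"
            operationsGroup="zcOperators"
            invokeGroup="payrollInvokers"
            readerGroup="payrollReaders"/>
    </zosconnect_zosConnectAPIs>

    <!-- Note: the RESTful administration actions (deploy, list, statistics) are
         not covered by these levels alone; see API provider authorization. -->
</server>
```

After saving the file, update the server configuration or restart the server as the last step describes. A quick check that the mapping took effect is to invoke myAPI with an account that is only in the reader group: the request should be rejected and messages.log should show BAQR0409W for that user, while an account in payrollInvokers succeeds.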
Your IBM z/OS Connect server is configured to perform authorization checks by using the IBM z/OS Connect authorization interceptor, and LDAP groups are assigned to each of the authorization levels.
If a request fails an authorization check, messages are written to the messages.log file. For example, if a user attempts to invoke an API, but has reader access only, the following messages are written:
BAQR0409W: User RoseMoubinou is not authorized to perform the request.
BAQR0428W: The zosConnectAuthorization interceptor encountered an error while processing a request for API myAPI under request URL http://myhost.company.com:9080/myAPI/mydata.
The following messages are returned in the HTTP response body:
BAQR0409W: User RoseMoubinou is not authorized to perform the request.
BAQR0436W: The zosConnectAuthorization interceptor encountered an error while processing a request for API myAPI.