How to configure the zosConnectAccess role with a SAF user registry

Assign SAF users and groups to the zosConnectAccess role to control which users can access IBM® z/OS® Connect.

This task is applicable when IBM z/OS Connect is used as an API provider.

Before you begin

About this task

Now that you have configured the IBM z/OS Connect server to require authentication by setting the attribute requireAuth="true", assign SAF users and groups to the zosConnectAccess role.

This task assumes that RACF® is used as security manager. If you are using an alternative External Security Manager, refer to the appropriate product documentation for the equivalent commands.

Procedure

  1. Configure the server to use SAF for authorization.
    This configures the IBM z/OS Connect server to perform authorization checks against the SAF registry. The zosConnectAccess role check is performed against the authenticated SAF user ID. Add the following element to the server.xml configuration file:
    <safAuthorization id="saf-authorization"/>

    To display SAF authorization messages such as RACF ICH408I, when unauthorized users attempt to access IBM z/OS Connect, specify the attribute racRouteLog="ASIS".

    For more information about the safAuthorization element, see the Server configuration section in the IBM WebSphere® Application Server for z/OS Liberty documentation.

  2. Assign users and groups to the zosConnectAccess role.
    For SAF authorization, access is controlled using the SAF EJBROLE profile profilePrefix.zos.connect.access.roles.zosConnectAccess.
    1. Define the SAF EJBROLE profile.
      Enter the following command:
      RDEFINE EJBROLE profilePrefix.zos.connect.access.roles.zosConnectAccess UACC(NONE)
      In this command, profilePrefix is the value used for this server as specified on the profilePrefix attribute of the safCredentials element in server.xml. The default profile prefix value is BBGZDFLT.
    2. Activate the EJBROLE class.
      Enter the following command:
      SETROPTS CLASSACT(EJBROLE)
    3. Assign the user IDs and groups that require authority to access IBM z/OS Connect READ access to this profile.
      For example, to assign group "STAFF" and user "EMPLOY1" to the zosConnectAccess role, enter the following commands:
      PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(STAFF) ACCESS(READ)
      PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(EMPLOY1) ACCESS(READ)
    4. Refresh the EJBROLE class.
      Enter the following command:
      SETROPTS RACLIST(EJBROLE) REFRESH
    5. Ensure the user IDs and groups have also been granted READ access to the profilePrefix APPL profile.
      This is described in the task How to activate and configure the SAF user registry. Enter the following command:
      PERMIT profilePrefix CLASS(APPL) ACCESS(READ) ID(EMPLOY1)
  3. Start the server, or restart it if it is already running, to pick up the changes made to the RACF class profiles.
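The whole procedure as one TSO batch job, added here as an example and not taken from the IBM documentation: it assumes the default profile prefix BBGZDFLT and the STAFF group and EMPLOY1 user from the steps above, and finishes with an RLIST so you can verify the access list that results.

```jcl
//RACFZC   JOB (ACCT),'ZOSCONNECT ACCESS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not IBM-supplied: grants the zosConnectAccess role
//* to group STAFF and user EMPLOY1 under the default prefix BBGZDFLT.
//* Replace BBGZDFLT with the profilePrefix value from the safCredentials
//* element in server.xml if your server uses a different prefix.
//* Run by a user with sufficient RACF authority (for example SPECIAL).
//*
//* Step 2.1: define the EJBROLE profile with no default access
//* Step 2.2: activate the EJBROLE class
//* Step 2.3: grant READ to the group and user that need the role
//* Step 2.4: refresh the RACLISTed EJBROLE class so PERMITs take effect
//* Step 2.5: the same IDs also need READ on the APPL profile
//*           (the APPL refresh is only needed if that class is RACLISTed)
//* Verify:   RLIST with AUTHUSER shows the profile and its access list
//TSOCMD   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess +
     UACC(NONE)
  SETROPTS CLASSACT(EJBROLE)
  PERMIT BBGZDFLT.zos.connect.access.roles.zosConnectAccess +
     CLASS(EJBROLE) ID(STAFF) ACCESS(READ)
  PERMIT BBGZDFLT.zos.connect.access.roles.zosConnectAccess +
     CLASS(EJBROLE) ID(EMPLOY1) ACCESS(READ)
  SETROPTS RACLIST(EJBROLE) REFRESH
  PERMIT BBGZDFLT CLASS(APPL) ID(STAFF) ACCESS(READ)
  PERMIT BBGZDFLT CLASS(APPL) ID(EMPLOY1) ACCESS(READ)
  SETROPTS RACLIST(APPL) REFRESH
  RLIST EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess +
     AUTHUSER
/*
```

Check SYSTSPRT for the RLIST output: STAFF and EMPLOY1 should appear with READ in the access list, and the UACC should remain NONE so that no other user ID inherits the role by default.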

Results

The SAF users and groups assigned to the zosConnectAccess role now have authorization to access IBM z/OS Connect.

What to do next

You might be interested in configuring more specific authorization. See the task How to configure authorization levels with a SAF user registry.