How to configure the zosConnectAccess role with a basic user registry

Assign basic user registry users and groups to the zosConnectAccess role to control which users can access z/OS® Connect.

Applies to zosConnect-2.0.

This task is applicable when z/OS Connect is used as an API provider.

Before you begin

About this task

Now that you have configured the z/OS Connect server to require authentication by setting the attribute requireAuth="true", you assign basic user registry users and groups to the zosConnectAccess role.

Procedure

  1. Assign users and groups to the zosConnectAccess role.
    Choose whether you want to assign only specific users or groups to the role, or allow all authenticated users to be assigned to the role.
    Follow the instructions in step 1.a to assign specific users and groups to the role.

    Follow the instructions in step 1.b to allow all authenticated users to be assigned to the role.

    a. Configure authorization to access IBM z/OS Connect by assigning users and groups to the zosConnectAccess role.
      The users and groups must be defined in the basic user registry. To assign the zosConnectAccess role to the "administrators" and "students" groups, for example, add the following authorization-roles element to the server.xml configuration file:
      <authorization-roles id="zos.connect.access.roles"> 
          <security-role name="zosConnectAccess"> 
              <group name="administrators"/>          
              <group name="students"/>
          </security-role>  
      </authorization-roles>
      This element uses the following values:
      • id="zos.connect.access.roles" and name="zosConnectAccess" must be specified exactly as shown.
      • "administrators" and "students" are basic user registry groups to be assigned to the role.
    b. Configure authorization to access IBM z/OS Connect by assigning the special subject type "ALL_AUTHENTICATED_USERS" to the zosConnectAccess role.
      Use this method if all authenticated basic user registry users and groups are to be authorized to access z/OS Connect. Add the following to the server.xml configuration file:
      <authorization-roles id="zos.connect.access.roles">
          <security-role name="zosConnectAccess">
              <special-subject type="ALL_AUTHENTICATED_USERS"/>
          </security-role>
      </authorization-roles>
      This element uses the following values:
      • id="zos.connect.access.roles" and name="zosConnectAccess" must be specified exactly as shown.
      • "ALL_AUTHENTICATED_USERS" is case sensitive.
    For more information about the authorization-roles element, see the Server configuration section in the WebSphere Application Server Liberty documentation.
  2. Update the server configuration or restart the server.
    The following message appears in the messages.log file:
    CWWKS9120I: Authorization roles with id="zos.connect.access.roles" have been successfully processed.
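
A pre-deployment check for the role mapping in step 1, added here as an example and not part of the IBM documentation: it verifies the exact id and role name, the case of the special subject, and that every assigned user or group exists in the basic registry. It assumes the Liberty `basicRegistry` element and the role mapping are in the same server.xml (included files are not followed); the sample XML is constructed and deliberately misconfigured.

```python
import xml.etree.ElementTree as ET

ROLES_ID = "zos.connect.access.roles"   # must match exactly (from the page)
ROLE_NAME = "zosConnectAccess"          # must match exactly (from the page)
SPECIAL = "ALL_AUTHENTICATED_USERS"     # case sensitive (from the page)

# Constructed sample server.xml, deliberately misconfigured for the demo.
SAMPLE = """<server>
  <basicRegistry id="basic" realm="zosConnect">
    <user name="alice" password="placeholder"/>
    <group name="administrators"><member name="alice"/></group>
  </basicRegistry>
  <authorization-roles id="zos.connect.access.roles">
    <security-role name="zosConnectAccess">
      <group name="administrators"/>
      <group name="students"/>
      <special-subject type="all_authenticated_users"/>
    </security-role>
  </authorization-roles>
</server>"""

def check_access_role(server_xml):
    """Return a list of findings for the zosConnectAccess role mapping."""
    root = ET.fromstring(server_xml)
    findings = []
    reg_users = {u.get("name") for u in root.findall("./basicRegistry/user")}
    reg_groups = {g.get("name") for g in root.findall("./basicRegistry/group")}
    roles = [r for r in root.findall("./authorization-roles") if r.get("id") == ROLES_ID]
    if not roles:
        return [f'no authorization-roles element with id="{ROLES_ID}"']
    role = next((s for s in roles[0].findall("security-role") if s.get("name") == ROLE_NAME), None)
    if role is None:
        return [f'no security-role named exactly "{ROLE_NAME}"']
    for g in role.findall("group"):      # every assigned group must be defined
        if g.get("name") not in reg_groups:
            findings.append(f'group "{g.get("name")}" is not in the basic registry')
    for u in role.findall("user"):       # every assigned user must be defined
        if u.get("name") not in reg_users:
            findings.append(f'user "{u.get("name")}" is not in the basic registry')
    for s in role.findall("special-subject"):   # exact, case-sensitive match
        if s.get("type") != SPECIAL:
            findings.append(f'special-subject type "{s.get("type")}" is not "{SPECIAL}"')
    return findings

if __name__ == "__main__":
    for finding in check_access_role(SAMPLE):
        print("FINDING:", finding)
```

An empty list means the mapping is consistent with the registry; the CWWKS9120I message in messages.log remains the confirmation that the server processed it.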

Results

The basic user registry users and groups assigned to the zosConnectAccess role now have authorization to access z/OS Connect.

What to do next

You might be interested in configuring more specific authorization. See the task How to configure authorization levels with a basic user registry.