Configuring security for z/OS Connect
The z/OS® Connect application can be accessed by authenticated users that are also authorized under the zosConnectAccess role. You can configure group authorization at the service definition level. Group authorization is supported for SAF and LDAP group types.
About this task
Users must be authenticated before the z/OS Connect application can be accessed.
The default authentication mechanism required by z/OS Connect is CLIENT_CERT. Users must be authorized under the zosConnectAccess role to be able to access the z/OS Connect application. The required transport mechanism is HTTPS.
You can configure z/OS Connect to run without any security constraints by setting the requireSecure and requireAuth attributes. These attributes are defined under the zosConnectManager element, which applies to all configured services, or under the zosConnectService element for a specific service. If the attributes are defined under both the zosConnectService element and globally under the zosConnectManager element, the value defined under zosConnectService is used. See zosConnectManager and zosConnectService for more information on those attributes.
In order to provide a finer level of security, z/OS Connect offers the ability to constrain access based on group authorization that can be configured through SAF or LDAP. For this, z/OS Connect defines three levels of authority:
- Administrator - Users with administrator authority have the authority to query services, perform operational tasks on them, and invoke them.
- Operations - Users with operations authority are able to perform tasks on services such as stop, start, etc., but they do not have authority to invoke services.
- Invoke - Users with invoke authority are able to invoke services, but have no other authority.
z/OS Connect supplies an authorization interceptor that implements the com.ibm.wsspi.zos.connect.Interceptor() SPI. This interceptor supports both SAF and LDAP. It uses the getGroupsforUser() security API internally to determine which groups the current user is in, and then compares these groups to the groups provided on the service definition or in the global definition.
When the z/OS Connect supplied authorization interceptor is enabled, the RACF or LDAP group names that are associated with users can also be associated with any of the groups that are mentioned previously at the global or service definition levels. At the global level, they can be defined under the <zosConnectManager> configuration element. The attributes that are defined at this level are globalAdminGroup, globalOperationsGroup, and globalInvokeGroup. If configured, they apply to all configured services. If more granularity is wanted, the groups can also be configured at the service level under the <zosConnectService> configuration element. The attributes that are defined at that level are adminGroup, operationsGroup, and invokeGroup. These values, if specified, override the values that are defined globally.
For a /zosConnect/operations/getStatistics request for more than one service, and for service discovery, the user gets information on all services that are registered with z/OS Connect when the following conditions exist:
- The user passes the authorization check
- No other conditions prevent service information from being returned
For example, given the following configuration with the authorization interceptor defined at the service level:
User "USR1" Groups: ADMINS1, ADMINS2
User "USR2" Groups: OPERATS1
User "USR3" Groups: ADMINS2, OPERATS1
```xml
<!-- z/OS Connect global configuration. It applies to all services. -->
<zosConnectManager globalAdminGroup="ADMINS1" globalOperationsGroup="OPERATS1" globalInvokeGroup="INVOKES1"/>
<!-- Interceptor configuration -->
<zosConnectInterceptors id="interceptorList1" interceptorRef="zosConnectAuthorizationInterceptor"/>
<authorizationInterceptor id="zosConnectAuthorizationInterceptor"/>
<!-- Service 1 -->
<zosConnectService serviceName="service1" serviceRef="service1Ref" adminGroup="ADMINS2" operationsGroup="OPERATS2" interceptorsRef="interceptorList1" .../>
<!-- Service 2 -->
<zosConnectService serviceName="service2" serviceRef="service2Ref" operationsGroup="OPERATS2" interceptorsRef="interceptorList1" .../>
<!-- Service 3 -->
<zosConnectService serviceName="service3" serviceRef="service3Ref" adminGroup="ADMINS1" interceptorsRef="interceptorList1" .../>
```
| User | service1 | service2 | service3 |
|---|---|---|---|
| USR1 | X | X | X |
| USR2 | -- | -- | X |
| USR3 | X | -- | X |
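The override rule and the resulting table, worked through in Python as an added example that is not IBM's code: the script parses a constructed copy of the example configuration, substitutes a constructed USER_GROUPS map for the getGroupsforUser() registry lookup the interceptor performs, and resolves each user's authority on each service. The function names and the stand-in map are assumptions for illustration, not part of the product.

```python
import xml.etree.ElementTree as ET
# Constructed server.xml fragment mirroring the page's example; the "..."
# attributes shown on the page are left out so the fragment parses.
SERVER_XML = """<server>
  <zosConnectManager globalAdminGroup="ADMINS1" globalOperationsGroup="OPERATS1"
                     globalInvokeGroup="INVOKES1"/>
  <zosConnectService serviceName="service1" adminGroup="ADMINS2" operationsGroup="OPERATS2"/>
  <zosConnectService serviceName="service2" operationsGroup="OPERATS2"/>
  <zosConnectService serviceName="service3" adminGroup="ADMINS1"/>
</server>"""

# Constructed stand-in for the getGroupsforUser() registry lookup that the
# authorization interceptor performs: user ID -> SAF/LDAP group names.
USER_GROUPS = {"USR1": {"ADMINS1", "ADMINS2"},
               "USR2": {"OPERATS1"},
               "USR3": {"ADMINS2", "OPERATS1"}}
# Authority level -> (zosConnectService attribute, zosConnectManager attribute).
LEVELS = (("admin", "adminGroup", "globalAdminGroup"),
          ("operations", "operationsGroup", "globalOperationsGroup"),
          ("invoke", "invokeGroup", "globalInvokeGroup"))

def effective_groups(root, service_name):
    """Group per level for one service; a service-level attribute overrides the global one."""
    manager = root.find("zosConnectManager")
    service = root.find(f"zosConnectService[@serviceName='{service_name}']")
    groups = {}
    for level, svc_attr, global_attr in LEVELS:
        group = service.get(svc_attr) if service is not None else None
        if group is None and manager is not None:
            group = manager.get(global_attr)  # fall back to the global definition
        groups[level] = group
    return groups

def authority(root, user, service_name):
    """Authority levels the user holds on the service through group membership."""
    user_groups = USER_GROUPS.get(user, set())
    return [lvl for lvl, grp in effective_groups(root, service_name).items()
            if grp is not None and grp in user_groups]

def can_perform_operations(root, user, service_name):
    """Operational tasks such as getStatistics need admin or operations authority."""
    return bool({"admin", "operations"} & set(authority(root, user, service_name)))

def operations_matrix(root):
    """Reproduce the page's table: the services each user gets information on."""
    services = [s.get("serviceName") for s in root.findall("zosConnectService")]
    return {u: [s for s in services if can_perform_operations(root, u, s)] for u in USER_GROUPS}

ROOT = ET.fromstring(SERVER_XML)
```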