API Enablement

  • 1.  Authorities seems confused

    IBM Champion
    Posted Fri September 11, 2020 02:05 PM
    I'm having some problems protecting APIs and services.

    The doc says:

    zosconnect_zosConnectManager - globalOperationsGroup
    Identifies the users that are able to perform operations such as starting,
    stopping or obtaining the status of all APIs, services, service endpoints and
    API requesters. The value of this attribute can be set to a group name or a
    comma-separated list of group names, that are defined in the user registry.

    zosconnect_zosConnectService - operationsGroup
    Identifies the users that are able to perform operations such as starting,
    stopping or obtaining the status of this service endpoint. The value of this
    attribute can be set to a group name or a comma-separated list of group names,
    that are defined in the user registry. If it is configured along with its global
    counterpart, globalOperationsGroup defined under element
    zosconnect_zosConnectManager, the value that is defined under
    operationsGroup is used.

    I have two groups: TEST, which my userid is in, and SYS1, which my userid is NOT in.

    If globalOperationsGroup=TEST then my access is determined by operationsGroup:
    1. operationsGroup=TEST: I have access.
    2. operationsGroup=SYS1: I do not have access. This is as expected.
    If globalOperationsGroup=SYS1, I have no access to the resources, regardless of their operationsGroup value (TEST or SYS1).


    It looks like globalOperationsGroup is a master switch, which has to be on before operationsGroup has an effect. So the documentation, which says "the value that is defined under operationsGroup is used", looks wrong.

    regards

    Colin

  • 2.  RE: Authorities seems confused

    Posted Tue September 15, 2020 12:14 PM
    Edited by Sue BAYLISS Wed September 16, 2020 02:52 AM
    FYI: This was a duplicate response (my original response had not appeared after several hours and I thought it had not worked, so I re-posted; this is the closest I can get to deleting the duplicate response).


  • 3.  RE: Authorities seems confused

    Posted Tue September 15, 2020 12:21 PM
    Edited by Sue BAYLISS Wed September 16, 2020 02:53 AM

    Hi Colin,


    In general, the authorization groups (adminGroup, operationsGroup, invokeGroup and readerGroup) specified on the individual zosConnectAPI or service elements take precedence over the global groups (globalAdminGroup, globalOperationsGroup, globalInvokeGroup and globalReaderGroup) specified on the zosconnect_zosConnectManager element. But it depends on which actions are being performed. Authorization to deploy an API, deploy a service, list all APIs or list all services is controlled by the global groups.

    For more information see API Provider authorization or the Security section of the RESTful administration interface operation you are using, for example: GET a list of APIs or Deploying an API.

    Regards, Sue

    IBM z/OS Connect EE

    ------------------------------
    Sue BAYLISS
    ------------------------------
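An added server.xml fragment illustrating the precedence rule as described in the reply above (example configuration written for this thread, not taken from the posts or from IBM's documentation; the groups TEST and SYS1 are the ones named in the question, while the service id, serviceName and serviceRef values are placeholders):

```xml
<server>
    <!-- Added example fragment, not from the thread or from IBM documentation.
         TEST and SYS1 are the groups named in the question; the service id,
         serviceName and serviceRef values are placeholders. -->

    <!-- Global groups on the manager element. Per the reply above, these
         govern the global actions: deploying an API or a service, and listing
         all APIs or all services. Only users in SYS1 can do those here. -->
    <zosconnect_zosConnectManager
        globalAdminGroup="SYS1"
        globalOperationsGroup="SYS1"
        globalInvokeGroup="TEST,SYS1"
        globalReaderGroup="TEST,SYS1"/>

    <!-- Per-service groups take precedence over their global counterparts for
         actions on this one service endpoint (start, stop, obtain status), so a
         user in TEST can operate this service even though TEST is not listed
         in globalOperationsGroup. A comma-separated list of groups is accepted. -->
    <zosconnect_zosConnectService
        id="placeholderService"
        serviceName="placeholderService"
        serviceRef="placeholderServiceRef"
        operationsGroup="TEST"/>
</server>
```

A user in TEST only would still be denied the list-all and deploy operations in this configuration, because those are checked against the global groups rather than the per-service operationsGroup.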