Hi Colin,
In general, the authorization groups (adminGroup, operationsGroup, invokeGroup & readerGroup) specified on the individual zosConnectAPI or service elements take precedence over the global groups (globalAdminGroup, globalOperationsGroup, globalInvokeGroup & globalReaderGroup) specified on the zosconnect_zosConnectManager element. But, it depends on which actions are being performed. Authorization to deploy an API, deploy a service, list all APIs or list all services is controlled by the global groups.
For more information see API Provider authorization or the Security section of the RESTful administration interface operation you are using, for example: GET a list of APIs or Deploying an API.
Regards, Sue
IBM z/OS Connect EE
------------------------------
Sue BAYLISS
------------------------------
Original Message:
Sent: Fri September 11, 2020 02:04 PM
From: Colin Paice
Subject: Authorities seems confused
I'm having some problems protecting APIs and services.
The doc says
globalOperationsGroup: Identifies the users that are able to perform operations such as starting, stopping or obtaining the status of all APIs, services, service endpoints and API requesters. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry.
zosconnect_zosConnectService - operationsGroup: Identifies the users that are able to perform operations such as starting, stopping or obtaining the status of this service endpoint. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If it is configured along with its global counterpart, globalOperationsGroup defined under element zosconnect_zosConnectManager, the value that is defined under operationsGroup is used.
I have two groups TEST which my userid is in, and SYS1 which my userid is NOT in.
If globalOperationsGroup=TEST then my access is determined by:
- operationsGroup=TEST I have access
- operationsGroup=SYS1 I do not have access. This is as expected
If globalOperationsG=SYS1, I have no access to the resources, regardless of their value (TEST/SYS1).
It looked like globalOperationsGroup is a master switch, which has to be on before operationsGroup has an effect. So the documentation, which says "the value that is defined under operationsGroup is used", looks wrong.
Regards,
Colin
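The configuration the thread is about, written out as a constructed server.xml fragment (an added example, not taken from the thread or from IBM documentation). The element and attribute names that appear in the thread (zosconnect_zosConnectManager, zosconnect_zosConnectService, the global*Group and per-service *Group attributes) are as discussed above; the feature name, the id/serviceName/requireSecure/requireAuth attributes, the basicRegistry stand-in for the RACF groups, and the user names are assumptions.

```xml
<server description="constructed z/OS Connect EE server.xml fragment (added example)">
  <featureManager>
    <!-- assumed feature name for z/OS Connect EE V3 -->
    <feature>zosconnect:zosConnect-2.0</feature>
  </featureManager>

  <!-- Constructed registry standing in for the two RACF groups in the thread:
       COLIN is a member of TEST but NOT of SYS1. Passwords are placeholders. -->
  <basicRegistry id="basic" realm="zosConnectRealm">
    <user name="COLIN" password="PLACEHOLDER_PASSWORD"/>
    <user name="OPER1" password="PLACEHOLDER_PASSWORD"/>
    <group name="TEST">
      <member name="COLIN"/>
    </group>
    <group name="SYS1">
      <member name="OPER1"/>
    </group>
  </basicRegistry>

  <!-- Global groups. Per Sue's reply, deploying an API or service and listing
       all APIs or services are authorized by these attributes only; the
       per-service groups below have no say in those actions. -->
  <zosconnect_zosConnectManager
      requireSecure="true"
      requireAuth="true"
      globalAdminGroup="SYS1"
      globalOperationsGroup="SYS1"
      globalInvokeGroup="TEST"
      globalReaderGroup="TEST"/>

  <!-- Per-service groups: this is Colin's failing case
       (globalOperationsGroup=SYS1, operationsGroup=TEST). The quoted doc says
       operationsGroup wins for start/stop/status of THIS service, so COLIN
       (in TEST) would be expected to operate it; Colin's test above found he
       could not, so check the behaviour on your own release before relying on
       a per-service override. -->
  <zosconnect_zosConnectService id="catalogService"
      serviceName="catalogService"
      operationsGroup="TEST"
      invokeGroup="TEST"
      readerGroup="TEST"/>
</server>
```

With this registry, a request by OPER1 to deploy a service is authorized by globalAdminGroup, while a request by COLIN to list all services is authorized by globalReaderGroup, regardless of the per-service attributes.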