IDMS REST API ZWEAS403E Access is denied

Article ID: 376023

Products

IDMS IDMS - Database

Issue/Introduction

When the IDMS REST API is used to access the IDMSINFO performance metrics and statistics endpoints, the request fails with a ZWEAS403E error:

https://<hostname>:<port>/api/v1/systems/<jobname>

ZWEAS403E The user is not authorized to access the target resource: Access is denied.

Environment

Release: 19.0

Cause

There are 2 types of security with the IDMS REST API:

  • Security for the IDMSINFO Performance Metrics endpoints where a jobname is specified
  • Security for the JDBC endpoints where a datasource is specified

The ZWEAS403E error occurs when the endpoint is protected by an external security manager (ESM) but the userid has not been granted access.

Resolution

Securing performance metrics jobname endpoints

The performance metrics services endpoints are protected by the following system authorization facility (SAF) resource:

CLASS: IDMSAPI
 
RESOURCE: SYST.<Idms_CV_Jobname>

Where Idms_CV_Jobname is the jobname or STC name of the IDMS CV.
 
To allow a userid to monitor performance metrics endpoints with the REST API, grant the userid access to the SYST.Idms_CV_Jobname resource in the IDMSAPI class.
 

Top Secret

For Top Secret, this is documented in the section Secure the Performance Metrics Services.

RACF

For RACF use the following commands:

  1. Define the IDMSAPI resource class.

    RDEFINE CDT IDMSAPI UACC(NONE) +
      CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(42) -
      OTHER(ALPHA,NUMERIC,SPECIAL) -
      POSIT(?) RACLIST(REQUIRED))
    SETROPTS RACLIST(CDT) REFRESH

  2. Set ownership
     
    RDEFINE IDMSAPI SYST.Idms_CV_Jobname UACC(NONE)  

  3. Grant permission

    PERMIT SYST.Idms_CV_Jobname CLASS(IDMSAPI) ID(userid) ACCESS(READ)
    SETROPTS RACLIST(IDMSAPI) REFRESH
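
When several CVs and users are involved, steps 2 and 3 can be generated instead of typed by hand. The following is an added example, not part of the original article or the product; the function name `idmsapi_commands` and the sample jobnames and userids are hypothetical, and it assumes the IDMSAPI class from step 1 already exists. It validates every name before placing it in a command, so a malformed value cannot alter the PERMIT, and it issues one refresh at the end.

```python
import re

# z/OS jobname or STC name: 1-8 characters, first one alphabetic or national.
JOBNAME_RE = re.compile(r"[A-Z#$@][A-Z0-9#$@]{0,7}")
# RACF user or group ID: 1-8 alphanumeric or national characters.
RACF_ID_RE = re.compile(r"[A-Z0-9#$@]{1,8}")


def checked(value, pattern, kind):
    """Upper-case a name; reject anything that could change the command."""
    value = value.strip().upper()
    if not pattern.fullmatch(value):
        raise ValueError(f"invalid {kind}: {value!r}")
    return value


def idmsapi_commands(grants):
    """Build RACF commands from a {cv_jobname: [userid, ...]} mapping.

    Emits one RDEFINE per CV, one PERMIT per distinct userid, and a single
    SETROPTS refresh at the end rather than one after every PERMIT.
    """
    commands = []
    for jobname, userids in sorted(grants.items()):
        # SYST. plus an 8-character jobname stays well under MAXLENGTH(42).
        resource = "SYST." + checked(jobname, JOBNAME_RE, "jobname")
        commands.append(f"RDEFINE IDMSAPI {resource} UACC(NONE)")
        for uid in sorted({checked(u, RACF_ID_RE, "userid") for u in userids}):
            commands.append(
                f"PERMIT {resource} CLASS(IDMSAPI) ID({uid}) ACCESS(READ)")
    if commands:
        commands.append("SETROPTS RACLIST(IDMSAPI) REFRESH")
    return commands


if __name__ == "__main__":
    # Constructed sample: these CV jobnames and userids are placeholders.
    sample = {"IDMSCV01": ["opsmon1", "dba001"], "IDMSCV02": ["opsmon1"]}
    print("\n".join(idmsapi_commands(sample)))
```
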

ACF2

For ACF2 use the following commands:

  1. Define the IDMSAPI resource class.

    ACF
    SET CONTROL(GSO)
    INSERT CLASMAP.IDMSAPI RESOURCE(IDMSAPI) RSRCTYPE(IPI)

  2. Grant permission

    ACF
    SET RESOURCE(IPI)
    RECKEY SYST ADD(Idms_CV_Jobname UID(userid) ALLOW)

 

Securing JDBC datasource endpoints

The JDBC endpoints where a datasource is specified are secured with the APPLID specified in the application.yml file of the IDMS REST API:

zowe.commons.security.saf.applid: {applid}

For RACF use the following commands:

  1. Define the application Id to RACF

    RDEFINE APPL applid UACC(NONE)

  2. Grant permission

    PERMIT applid CL(APPL) ACCESS(READ) ID(userid)

For more details on this and examples for Top Secret and ACF2, see the documentation section Secure REST API with ESMs.