Lockdown Zowe Desktop app to a SAF/ACF2 resource profile for access control

Article ID: 442259

Products

Zowe

Issue/Introduction

I created Zowe Desktop applications for automating administrative tasks, designed these applications, and was able to get them added to the Zowe Desktop. Now I want to figure out and understand how to make sure these applications are locked down only to specific users. I need help getting the security piece set up for these applications and some future applications in Zowe Desktop.

Resolution

In Zowe, role-based access control (RBAC) is used to apply application lockdown security. Zowe Desktop security is driven by z/OSMF SAF, which means that user access is controlled by adding users to the appropriate z/OSMF roles via the IZUUSER or IZUADMIN groups in ACF2. By default, RBAC is disabled and all authenticated Zowe users can access all dataservices. With role-based security enabled, you can control which apps are accessible (visible) to all Zowe Desktop users and which are accessible only to individual users. Please reference the Zowe documentation topic "Controlling access to apps" for more information.

Controlling app access for individual users

  1. To enable RBAC, set the components.zss.dataserviceAuthentication.rbac and components.app-server.dataserviceAuthentication.rbac variables to true in the Zowe configuration file.

  2. In the user's ID directory path, under the pluginStorage directory, create the org.zowe.zlux.bootstrap/plugins directories. For example:

    <zowe.workspaceDirectory>/app-server/ZLUX/pluginStorage/org.zowe.zlux.bootstrap/plugins

  3. In the plugins directory, create an allowedPlugins.json file. You can use the default allowedPlugins.json file as a template by copying it from the following location:

    <zowe.runtimeDirectory>/components/app-server/share/zlux-app-server/defaults/ZLUX/pluginStorage/org.zowe.zlux.bootstrap/plugins

  4. Open the allowedPlugins.json file and specify the apps that the user can access. For example:

    {
      "allowedPlugins": [
        {
          "identifier": "org.zowe.appA",
          "versions": [
            "1.1"
          ]
        },
        {
          "identifier": "org.zowe.appB",
          "versions": [
            "*"
          ]
        }
      ]
    }

    Notes:

    • Identifier and version attributes are required.
    • When a user logs in to the desktop, Zowe determines which apps they can see by concatenating the list of apps available to all users with the apps available to the individual user.

  5. Restart the app server.
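As an added example (not part of this article and not Zowe's own code), the following Python checker validates an allowedPlugins.json file for the required identifier and versions attributes and merges the all-users default list with one user's list the way the desktop does at login. The file contents and the plugin identifier org.zowe.sharedApp below are constructed for illustration.

```python
import json

# Constructed sample files (not from a real Zowe install): the all-users
# default allowedPlugins.json and one individual user's copy.
DEFAULT_ALLOWED = '{"allowedPlugins": [{"identifier": "org.zowe.sharedApp", "versions": ["*"]}]}'
USER_ALLOWED = """{"allowedPlugins": [
  {"identifier": "org.zowe.appA", "versions": ["1.1"]},
  {"identifier": "org.zowe.appB", "versions": ["*"]}
]}"""

def parse_allowed_plugins(text):
    """Parse allowedPlugins.json, enforcing the required identifier and
    versions attributes. Returns {identifier: set(versions)}."""
    doc = json.loads(text)
    entries = doc.get("allowedPlugins") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError('top-level "allowedPlugins" must be a list')
    allowed = {}
    for n, entry in enumerate(entries):
        ident = entry.get("identifier") if isinstance(entry, dict) else None
        versions = entry.get("versions") if isinstance(entry, dict) else None
        if not isinstance(ident, str) or not ident:
            raise ValueError(f"entry {n}: identifier is required")
        if (not isinstance(versions, list) or not versions
                or not all(isinstance(v, str) and v for v in versions)):
            raise ValueError(f"entry {n} ({ident}): versions must be a "
                             "non-empty list of version strings")
        allowed.setdefault(ident, set()).update(versions)
    return allowed

def is_valid_allowed_plugins(text):
    """True if text is a well-formed allowedPlugins.json document."""
    try:
        parse_allowed_plugins(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False

def visible_plugins(default_text, user_text):
    """Merge the all-users list with one user's list, as the desktop
    concatenates the two when that user logs in."""
    merged = parse_allowed_plugins(default_text)
    for ident, versions in parse_allowed_plugins(user_text).items():
        merged.setdefault(ident, set()).update(versions)
    return merged

def version_allowed(allowed, identifier, version):
    """True if this plugin/version may be shown; '*' matches any version."""
    versions = allowed.get(identifier, set())
    return "*" in versions or version in versions
```

Running the checker against a user's file before restarting the app server catches a trailing comma or a missing versions attribute, which would otherwise only surface as an app silently not appearing on the desktop.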