Skip Headers
Oracle® Identity Manager Connector Guide for IBM RACF Standard
Release 9.0.4

E10427-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with IBM RACF Standard.

Note:

The Oracle Identity Manager Advanced connector for IBM RACF provides an agent-based architecture for integrating IBM RACF with Oracle Identity Manager. For more information, see the guide for that connector.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, IBM RACF Standard has been referred to as the target system.

1.1 Certified Components

Table 1-1 lists the certified components for the connector.

Table 1-1 Certified Components

Component Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager release 9.0.1 through 9.0.3.x

  • Oracle Identity Manager release 9.1.0.1 or later

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector will support.

  • Oracle Identity Manager 11g release 1 (11.1.1)

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1).

The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at

http://www.oracle.com/technetwork/documentation/oim1014-097544.html

Target system

IBM RACF on z/OS V1.9

External code

The following Host Access Class Library (HACL) class files obtained from IBM Host On-Demand (HOD) version 9.0:

  • hoddbg2.jar

  • hacp.jar

  • hasslite2.jar

  • habasen2.jar

  • WellKnownTrustedCAs.class

  • WellKnownTrustedCAs.p12

Target system user account

Instructions to create an IBM RACF user account with the required privileges are given in Section 2.3.3, "Postinstallation on the Target System."

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide.

If the user account is not assigned the specified rights, then the "Authentication failure" message is displayed when Oracle Identity Manager tries to exchange data with the target system.

JDK

The JDK version can be one of the following:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x, use JDK 1.4.2 or a later release in the 1.4.2 series.

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or a later release in the 1.5 series.

  • For Oracle Identity Manager release 11.1.1, use JDK 1.6 update 18 or later, or JRockit JDK 1.6 update 17 or later.


1.2 Certified Languages

The connector supports the following languages:

See Also:

For information about supported special characters supported by Oracle Identity Manager, see one of the following guides:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x:

    Oracle Identity Manager Globalization Guide

  • For Oracle Identity Manager release 11.1.1:

    Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

1.3 Connector Architecture

The architecture of the connector is the blueprint for the functionality of the connector. Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector

Description of Figure 1-1 follows
Description of "Figure 1-1 Architecture of the Connector"

The connector can be configured to run in one of the following modes:

Note:

In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

1.4 Features of the Connector

The following are features of the connector:

1.4.1 Support for Full Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager.

See Section 3.3.1, "Full Reconciliation" for more information.

1.4.2 Support for Target Resource and Trusted Source Reconciliation

You can use the connector to configure IBM RACF Standard as either a target resource or trusted source of Oracle Identity Manager.

See Section 3.3, "Configuring Reconciliation" for more information.

1.4.3 Support for Limited Reconciliation

You can set a reconciliation filter by specifying values for one or more of the following scheduled task attributes:

  • Filter Auditor Privilege (Y/N)

  • Filter Default Group

  • Filter Group Access Privilege (Y/N)

  • Filter Name

  • Filter Operations Privilege (Y/N)

  • Filter Owner

  • Filter Special Privilege (Y/N)

  • Filter User Id

  • Filter Type (AND/OR)

This filter specifies the subset of newly added and modified target system records that must be reconciled.

See Section 3.3.2, "Limited Reconciliation" for more information.

1.4.4 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.3.3, "Batched Reconciliation" for more information.

1.5 Lookup Definitions Used During Reconciliation and Provisioning

Lookup definitions used during connector operations can be divided into the following categories:

1.5.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Group lookup field to select a group to which a user must belong to from the list of available groups. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following lookup definitions are populated with values fetched from the target system by the scheduled tasks for lookup field synchronization:

See Also:

Section 3.2, "Lookup Field Synchronization" for information about these scheduled tasks

  • Lookup.RACF.Groups

  • Lookup.RACF.Accounts

  • Lookup.RACF.Procedures

1.5.2 Other Lookup Definitions

This section describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

Table 1-2 Other Lookup Definitions

Lookup Definition Description of Values Method to Specify Values for the Lookup Definition

Connect

This lookup definition holds information about the authority that you can select for a target system account that you create through Oracle Identity Manager.

This lookup definition is preconfigured. You can add or modify entries in this lookup definition.

See one of the following guides for more information about modifying entries in a lookup definition:

  • For Oracle Identity Manager release 9.0.1. through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager


1.6 Connector Objects Used During Target Resource Reconciliation and Provisioning

See Also:

One of the following guides for conceptual information about reconciliation:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

1.6.1 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.

Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field Target System Field Description

userid

USBD_NAME

User ID that is determined from the user profile name

owner

USBD_OWNER_ID

User ID or group that owns the profile

name

USBD_PROGRAMMER

Display name associated with the user ID

default group

USBD_DEFGRP_ID

Default group associated with the user

operations

USBD_OPER

Specifies whether the user has the Operations privilege

auditor

USBD_AUDITOR

Specifies whether the user has the Auditor privilege

special

USBD_SPECIAL

Specifies whether the user has the Special privilege

grp access

USBD_GRPACC

Specifies whether the user has the GRPACC privilege

department

USWRK_DEPARTMENT

Department name


1.6.2 Group Attributes for Target Resource Reconciliation and Provisioning

Table 1-4 provides information about group attribute mappings for target resource reconciliation and provisioning.

Table 1-4 Group Attributes for Target Resource Reconciliation and Provisioning

Process Form Field Target System Support Group Attribute Description

Group

USCON_GRP_ID

Name of the group name with which the user is associated

Revoke Date

USCON_REVOKE_DATE

Date on which the user's association with the group ends

Authorisation

GPMEM_AUTH

Authorization privilege


1.6.3 TSO Attributes for Target Resource Reconciliation and Provisioning

Table 1-5 provides information about TSO attribute mappings for target resource reconciliation and provisioning.

Table 1-5 TSO Attributes for Target Resource Reconciliation and Provisioning

Process Form Field Target System TSO Attribute Description

Account Number

USTSO_ACCOUNT

Default account number

Procedure

USTSO_LOGON_PROC

Default procedure name

Size

USTSO_SIZE

Default memory space allocated to the user in TSO

Unit

USTSO_UNIT

Default unit of measurement of memory size

Maximum Size

USTSO_MAXIMUM_SIZE

Default maximum memory space that can be allocated to the user in TSO


1.6.4 Reconciliation Rule for Target Resource Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

The following is the process-matching rule:

Rule Name: reconcile RACF data

Rule Element: User Login Equals userid

In this rule:

  • User Login is one of the following:

    • For Oracle Identity Manager release 9.0.1 through 9.0.3.x:

      User ID attribute on the Xellerate User form.

    • For Oracle Identity Manager release 9.1.0.x or release 11.1.1:

      User ID attribute on the OIM User form.

  • userid is the USBD_NAME attribute of the target system.

After you deploy the connector, you can view the reconciliation rule by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for and open reconcile RACF data. Figure 1-2 shows this reconciliation rule.

Figure 1-2 Reconciliation Rule for Target Resource Reconciliation

reconciliation rule
Description of "Figure 1-2 Reconciliation Rule for Target Resource Reconciliation"

1.6.5 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-6 lists the action rules for target resource reconciliation.

Table 1-6 Action Rules for Target Resource Reconciliation

Rule Condition Action

No Matches Found

Assign to Administrator With Least Load

One Entity Match Found

Establish Link

One Process Match Found

Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the RACF User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation

    Description of Figure 1-3 follows
    Description of "Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation"

1.6.6 Provisioning Functions

Table 1-7 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 1-7 Provisioning Functions

Function Adapter

Create a RACF User

adpCREATENEWRACFUSER

Delete a RACF User

adpRACFUSERDELETE

Name Updated

adpUPDATERACFUSERATTRIBUTE

Password Updated

adpSETRACFUSERPASSWORD

Department Updated

adpUPDATERACFUSERATTRIBUTE

Default Group Updated

adpUPDATERACFUSERATTRIBUTE

Installation data Updated

adpUPDATERACFUSERATTRIBUTE

Operations Updated

adpRACFUPDATEPRIVILEDGE

Special Updated

adpRACFUPDATEPRIVILEDGE

Auditor Updated

adpRACFUPDATEPRIVILEDGE

Group Access Updated

adpRACFUPDATEPRIVILEDGE

Owner Updated

adpUPDATERACFUSERATTRIBUTE

Enable a RACF User

adpRACFUSERENABLE

Disable a RACF User

adpRACFUSERDISABLE

Connect Group

adpCONNECTTOGROUP

Disconnect Group

adpDISCONNECTFROMGROUP

Add TSO to a User

adpADDTSOTORACFUSER

Remove TSO

adpREMOVETSO


1.7 Connector Objects Used During Trusted Source Reconciliation

The following sections provide information about connector objects used during trusted source reconciliation:

1.7.1 User Attributes for Trusted Source Reconciliation

Table 1-8 lists user attributes for trusted source reconciliation.

Table 1-8 User Attributes for Trusted Source Reconciliation

OIM User Form Field Target System Attribute Description

User ID

USBD_NAME

Common name

First Name

FName

First name

Last Name

LName

Last name

Employee Type

NA

Default value: Consultant

User Type

NA

Default value: End-User Administrator

Organization

NA

Default value: Xellerate Users


1.7.2 Reconciliation Rule for Trusted Source Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

The following is the process matching rule:

Rule name: RACF Trusted Rule

Rule element: User Login Equals userid

In this rule element:

  • User Login is the User ID field on the OIM User form.

  • userid is the USBD_NAME field of RACF Standard.

After you deploy the connector, you can view the reconciliation rule for target source reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for RACF Trusted Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.

    Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation

    Description of Figure 1-4 follows
    Description of "Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation"

1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-9 lists the action rules for target source reconciliation.

Table 1-9 Action Rules for Target Source Reconciliation

Rule Condition Action

No Matches Found

Create User

One Entity Match Found

Establish Link

One Process Match Found

Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the Xellerate User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.

    Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation

    Description of Figure 1-5 follows
    Description of "Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation"

1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: