Oracle® Identity Manager Connector Guide for IBM RACF Advanced
Release 9.0.4

E10451-21

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use IBM RACF either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.

The advanced connector for IBM RACF provides a native interface between IBM RACF installed on an IBM z/OS mainframe and Oracle Identity Manager. The connector functions as a trusted virtual administrator on the target system, performing tasks related to creating and managing user profiles.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.

In the IBM RACF context, the term "user profile" is synonymous with "user account." If IBM RACF is configured as a target resource, then user profiles on IBM RACF correspond to accounts or resources assigned to OIM Users. In contrast, if IBM RACF is configured as a trusted source, then user profiles on IBM RACF correspond to OIM Users.

This chapter is divided into the following sections:

1.1 Certified Components

Table 1-1 lists the certified components.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Manager

The Oracle Identity Manager can be one of the following:

  • Oracle Identity Manager Release 9.1.0.1 and any later BP in this release track

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector supports.

  • Oracle Identity Manager 11g Release 1 (11.1.1.3.0) and any later BP in this release track

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1) and future releases in the 11.1.1.x series that the connector supports.

  • Oracle Identity Manager 11g Release 1 PS1 (11.1.1.5.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 1 PS2 (11.1.1.7.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 (11.1.2.0.1) and any later BP in this release track

    Note: In this guide, Oracle Identity Manager release 11.1.2.x has been used to denote Oracle Identity Manager 11g release 2 (11.1.2.0.1) or future releases in the 11.1.2.x series that the connector supports.

  • Oracle Identity Manager 11g Release 2 PS1 (11.1.2.1.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and any later BP in this release track

The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at:

http://www.oracle.com/technetwork/documentation/oim1014-097544.html

JDK

The JDK version can be one of the following:

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or a later release in the 1.5 series.

  • For Oracle Identity Manager release 11.1.1, use JDK 1.6, update 18 or later.

  • For Oracle Identity Manager release 11.1.2.x or later, use JDK 1.6, update 31 or later.

Target system

IBM RACF on z/OS 1.9 and above.

Infrastructure Requirements: Message transport layer between the Oracle Identity Manager and the mainframe environment

The infrastructure requirements can be one of the following:

  • TCP/IP with Advanced Encryption Standard (AES) encryption.

  • z/OS AES encryption.

Target system user account for reconciliation and provisioning operations

RACF authorized account with SystemAdministrators privileges

See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more information.

Product Libraries

The following are the product libraries:

  • z/OS standard Load Libraries. These libraries must be APF authorized.

  • ICHPWX01 and ICHRIX02 Exits reside in the LPA library. IRREVX01 resides in the Product Library.


1.2 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

See Also:

For information about supported special characters supported by Oracle Identity Manager, see one of the following guides:

1.3 Connector Architecture

The connector architecture is described in the following sections:

1.3.1 Connector Components

The connector contains the following components:

  • LDAP Gateway: The LDAP Gateway receives instructions from Oracle Identity Manager in the same way as any LDAP version 3 identity store. These LDAP commands are then converted into native commands for IBM RACF and sent to the Provisioning Agent. The response, which is also native to IBM RACF, is parsed into an LDAP-format response and returned to Oracle Identity Manager.

    During reconciliation, the LDAP Gateway receives event notifications, converts the events to LDAP format, and then either forwards them to Oracle Identity Manager or stores them in the LDAP Gateway internal store, from which a scheduled task in Oracle Identity Manager can pull them.

  • Provisioning Agent (Pioneer): The Provisioning Agent is a mainframe component. It receives native mainframe IBM RACF provisioning commands from the LDAP Gateway. These requests are processed against the IBM RACF authentication repository. The response is parsed and returned to the LDAP Gateway.

    Note:

    At some places in this guide, the Provisioning Agent is referred to as Pioneer.
  • Reconciliation Agent (Voyager): The Reconciliation Agent captures mainframe events by using exits, which are programs run after events in IBM RACF are processed. These events include the ones generated at the TSO logins, the command prompt, batch jobs, and other native events. All these events are stored in a subpool cache area that is established by a supplied, standard z/OS procedure (STARTUP). The Reconciliation Agent captures these events, transforms them into notification messages, and then sends them to Oracle Identity Manager through the LDAP Gateway.

    Note:

    At some places in this guide, the Reconciliation Agent is referred to as Voyager.
  • Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent. TCP/IP is used for the transport of messages.

    Messages are carried over TCP/IP with Advanced Encryption Standard (AES) encryption using 128-bit cryptographic keys. This TCP/IP-based message transport layer is functionally similar to proprietary message transport layer protocols.

1.3.2 Connector Operations

This section provides an overview of the following processes:

1.3.2.1 Full Reconciliation Process

Full reconciliation involves fetching existing user profile data from the mainframe to Oracle Identity Manager. If you configure the target system as a target resource, then this user profile data is converted into accounts or resources for OIM Users. If you configure the target system as a trusted source, then the user profile data is used to create OIM Users.

The following is a summary of the full reconciliation process:

Note:

For detailed instructions, see Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" of this guide.
  1. You set values for the properties defined in the RACF Reconcile All Users scheduled task. You also specify whether you want to configure IBM RACF as a target resource or trusted source of Oracle Identity Manager.

  2. You run the scheduled task. The task sends a search request to the LDAP Gateway.

  3. The LDAP Gateway encrypts the search request and then sends it to the Provisioning Agent on the mainframe.

  4. The Provisioning Agent encrypts user profile data received from RACF and then passes this data to the LDAP Gateway.

  5. The LDAP Gateway decrypts the user profile data and passes it to Oracle Identity Manager.

  6. The next step depends on the setting in the scheduled task:

    • If you configure the target system as a target resource, then this user profile data is converted into accounts or resources for OIM Users.

    • If you configure the target system as a trusted source, then the user profile data is used to create OIM Users.

1.3.2.2 Initial LDAP Population and Reconciliation Process

This reconciliation process provides faster reconciliation based on an extract file generated on the mainframe. The file is used to populate the LDAP Gateway internal store, from which a normal scheduled task in Oracle Identity Manager can then reconcile all the data into Oracle Identity Manager.

The following is a summary of the initial LDAP population and reconciliation process:

Note:

For detailed instructions, see Section 5.7, "Initial LDAP Gateway Population and Full Reconciliation" of this guide.
  1. Use the IBM utility to EXTRACT user data to a file.

  2. Configure Pioneer to use this file when needed.

     Once this file has been created and used by Oracle Identity Manager, it becomes stale and must be deleted. The file can be generated again if needed to repopulate or update the internal LDAP store so that Oracle Identity Manager can reconcile the latest data.

  3. Once the file has been generated, use the Oracle Identity Manager scheduled task "ReconcileUsersToInternalLDAP" to populate the LDAP Gateway internal store.

  4. After the LDAP store has been populated by the task, the normal process for reconciling users from the LDAP store can be run by using the "ReconcileAllLDAP Users" task:

     • Setting LMTS (Last Modified Timestamp) to 0 reconciles all users.

     • Setting LMTS (Last Modified Timestamp) to a date range reconciles all users that have changed since that date.

    Note:

    If the _internalEnt_ property in LDAP_INSTALL_DIR/conf/racf.properties is set to true, then the LDAP internal store is also populated on an ongoing basis by the real-time event capture performed by Voyager and the exit(s). After the initial population and reconciliation, the "ReconcileAllLdapUsersTask" continues to be run with a date range to reconcile these real-time changes from the data captured in the LDAP internal store.

1.3.2.3 Incremental (Real-Time) Reconciliation Process

Real-time reconciliation is initiated by the three exits that work in conjunction with the Reconciliation Agent. Figure 1-1 shows the flow of data during reconciliation.

Figure 1-1 Reconciliation Process (figure not reproduced in this text)

The following is a summary of the incremental reconciliation process:

  1. Incremental reconciliation begins when a user profile is created, updated, or deleted on IBM RACF. This event might take place either directly on the mainframe or in response to a provisioning operation on Oracle Identity Manager.

  2. ICHPWX01, ICHRIX02, and IRREVX01 are standard IBM RACF exits. They must be used in conjunction with the Reconciliation Agent. All of these exits detect RACF events and send a message containing user profile data to Subpool 231 (cache). The message contains the minimum set of data items, such as the user ID and password, required to reconcile the event. For more information about these exits, see the guides specific to your target system.

  3. The Reconciliation Agent polls Subpool 231. It reads the message, converts it to ASCII, and encrypts it before transport to the LDAP Gateway. This frees up the subpool.

  4. The Reconciliation Agent starts a connection with the LDAP Gateway using the IPAD= and PORT= parameters in the Voyager STC, and then sends the message to the gateway over TCP/IP.

    Note:

    Messages sent to the LDAP Gateway are encrypted using AES-128 encryption.
  5. The LDAP Gateway decrypts the message. The gateway then sends the message to Oracle Identity Manager or just stores the data internally for use by a Scheduled Task in Oracle Identity Manager.

  6. Oracle Identity Manager processes the message and creates or updates either the corresponding IBM RACF resource or the OIM User.

1.3.2.4 Provisioning Process

Figure 1-2 shows the flow of data during provisioning.

Figure 1-2 Provisioning Process (figure not reproduced in this text)

The following is a summary of the provisioning process:

  1. Provisioning data submitted from the Administrative and User Console is sent to the LDAP Gateway.

    Note:

    Oracle Identity Manager and the LDAP Gateway are installed on the same computer.
  2. The LDAP Gateway converts the provisioning data into mainframe commands, encrypts the commands, and then sends them to the mainframe computer over TCP/IP.

  3. The Provisioning Agent installed on the mainframe computer decrypts and converts the LDAP message from ASCII to EBCDIC.

  4. The Provisioning Agent runs the commands on the mainframe within the Pioneer STC (started task) by using the RACF API (IRRSEQ00).

  5. The Provisioning Agent converts the RACF API output to ASCII and encrypts the message before sending it back to the LDAP Gateway.

  6. The outcome of the operation on the mainframe is displayed on the Oracle Identity Manager console. A more detailed message is recorded in the connector log file.
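Step 2 of the provisioning process turns process form data into a mainframe command. The following is an added example, not the connector's own code: it builds the ADDUSER command (Table 1-2) from Table 1-3 process form field names and validates every operand before it is placed in the command, so that a value containing a quote or parenthesis cannot close an operand early and be parsed as extra keywords. The RACF naming rules, the ADDUSER keyword syntax, and the use of code page 037 for the ASCII-to-EBCDIC conversion of step 3 are assumptions; the sample form values are constructed.

```python
import re

# RACF user IDs and group names: 1 to 8 characters from A-Z, 0-9 and the national
# characters @ # $, folded to upper case (assumption: classic RACF naming rules).
RACF_NAME = re.compile(r"^[A-Z0-9@#$]{1,8}$")


class ProvisioningError(ValueError):
    """Raised when a process form value cannot be placed safely in a RACF command."""


def racf_name(value, field):
    """Validate a name operand (user ID, group, owner, TSO procedure)."""
    name = value.strip().upper()
    if not RACF_NAME.match(name):
        raise ProvisioningError(f"{field}: {value!r} is not a valid RACF name")
    return name


def racf_quoted(value, field):
    """Quote a free-text operand such as NAME or HOME.

    A single quote or parenthesis inside the value would close the operand early
    and let the remainder be parsed as additional command keywords, so such values
    are rejected rather than escaped (policy choice for data that originates in a
    self-service form)."""
    if not value.strip() or any(ch in value for ch in "'()"):
        raise ProvisioningError(f"{field}: value cannot be empty or contain ' ( )")
    return f"'{value}'"


def build_adduser(form):
    """Build the ADDUSER command for a Create User operation.

    `form` is keyed by the process form field names of Table 1-3 (uid, cn, owner,
    dfltGrp, tsoAcctNum, tsoProc, omvsUid, omvsHome). Keyword names follow the
    ADDUSER command syntax (assumed), not the attribute labels used in the table."""
    parts = ["ADDUSER", racf_name(form["uid"], "uid")]
    if "cn" in form:
        parts.append(f"NAME({racf_quoted(form['cn'], 'cn')})")
    if "owner" in form:
        parts.append(f"OWNER({racf_name(form['owner'], 'owner')})")
    if "dfltGrp" in form:
        parts.append(f"DFLTGRP({racf_name(form['dfltGrp'], 'dfltGrp')})")
    tso = []
    if "tsoAcctNum" in form:
        acct = form["tsoAcctNum"].strip().upper()
        if not re.fullmatch(r"[A-Z0-9@#$]{1,40}", acct):
            raise ProvisioningError("tsoAcctNum: invalid account number")
        tso.append(f"ACCTNUM({acct})")
    if "tsoProc" in form:
        tso.append(f"PROC({racf_name(form['tsoProc'], 'tsoProc')})")
    if tso:
        parts.append(f"TSO({' '.join(tso)})")
    omvs = []
    if "omvsUid" in form:
        uid = int(form["omvsUid"])          # int() rejects anything non-numeric
        if uid < 0:
            raise ProvisioningError("omvsUid: must be a non-negative integer")
        omvs.append(f"UID({uid})")
    if "omvsHome" in form:
        omvs.append(f"HOME({racf_quoted(form['omvsHome'], 'omvsHome')})")
    if omvs:
        parts.append(f"OMVS({' '.join(omvs)})")
    return " ".join(parts)


def to_ebcdic(command):
    """Step 3 of the provisioning process: the command text is converted from ASCII
    to EBCDIC on the mainframe. Code page 037 is assumed here."""
    return command.encode("cp037")


def demo():
    # Constructed sample process form data (not from the guide).
    form = {"uid": "jsmith", "cn": "JOHN SMITH", "owner": "SYS1", "dfltGrp": "DEV",
            "tsoAcctNum": "ACCT01", "tsoProc": "IKJACCNT",
            "omvsUid": "1001", "omvsHome": "/u/jsmith"}
    return build_adduser(form)


if __name__ == "__main__":
    cmd = demo()
    print(cmd)
    print(to_ebcdic(cmd).hex())
```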

1.4 Features of the Connector

The following are features of the connector:

1.4.1 Target Resource and Trusted Source Reconciliation

You can use the connector to configure IBM RACF as either a target resource or trusted source of Oracle Identity Manager.

1.4.2 Full and Incremental Reconciliation

After you deploy the connector, you perform full reconciliation to bring all existing user profile data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled and active. Incremental reconciliation is a real-time process. User profile changes on the target system are directly sent to Oracle Identity Manager or stored in the LDAP Gateway internal store.

You can perform a full reconciliation run at any time.

1.4.3 Encrypted Communication Between the Target System and Oracle Identity Manager

AES-128 encryption is used to encrypt data that is exchanged between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent on the mainframe.

1.4.4 High Availability Feature of the Connector

The following are component-failure scenarios and the response of the connector to each scenario:

  • The LDAP Gateway is running and the mainframe stops responding

    1. Messages that are in the subpool cache are written to disk.

    2. When the mainframe is brought back online, event data written to disk is again stored in the subpool cache.

    3. The Reconciliation Agent reads data from the subpool cache and then sends messages to the LDAP Gateway.

  • The LDAP Gateway is running and the Provisioning Agent or mainframe stops responding

    The process task that sends provisioning data to the LDAP Gateway retries the task.

  • The Subpool is stopped by an administrator

    If an administrator stops the subpool, then the Reconciliation Agent shuts down, destroying any messages that have not been transmitted. However, messages in the AES-encrypted file are not affected and can be recovered.

  • Mainframe agent to multiple failover LDAP Gateways

    Voyager -> LDAP (REAL-TIME AGENT RECON)

    Two LDAP servers run behind DNS failover or a virtual IP. The Voyager mainframe agent automatically recovers to the correctly running LDAP server. Nothing needs to be configured, because the DNS recovery or virtual IP (F5) load balancer does all the work of switching.

  • LDAP not available to Mainframe Agent

    Voyager -> LDAP (REAL-TIME AGENT RECON)

    Voyager issues a CAN NOT CONNECT message for automation. Voyager does not read any messages out of the SUBPOOL CACHE until a valid connection to the LDAP server is made. Once a connection is established, the messages are processed out of the SUBPOOL CACHE.

  • Voyager not available

    EXIT -> SUBPOOL

    The exit continues to populate the SUBPOOL until Voyager restarts. Voyager then reads the data from the subpool and processes it to the LDAP Gateway.

  • Using Oracle Identity Manager Cluster for real-time reconciliation

    LDAP -> Oracle Identity Manager

    Configure the xlconfig.xml file to list the Oracle Identity Manager RMI t3 URLs for each Oracle Identity Manager instance.

    Configure the /etc/racfConnection.properties file to list the Oracle Identity Manager RMI t3 URLs for each Oracle Identity Manager instance.

  • Two Load Balanced LDAP servers for Oracle Identity Manager Provisioning

    Oracle Identity Manager -> LDAP

    ItResource URL configured to DNS/VirtualIP.

1.5 Connector Objects Used During Reconciliation and Provisioning

The following sections provide information about connector objects used during reconciliation and provisioning:

1.5.1 Supported Functions for Target Resource and Trusted Source Reconciliation

The connector supports reconciliation of user data from the following events:

  • Create user

  • Modify user

  • Change password

  • Reset password

  • Revoke user

  • Resume user

  • Delete user

  • Add user to group

  • Revoke user from group

  • Delete user from group

  • Create group

  • Alter group

  • Delete group

1.5.2 Supported Functions for Provisioning

Table 1-2 lists the provisioning functions supported by the connector.

Table 1-2 Supported Provisioning Functions

Function | Description | Mainframe Command
Create users | Adds new user on IBM RACF | ADDUSER
Create groups | Adds new group on IBM RACF | ADDGRP
Modify users | Modifies user information on IBM RACF | ALTUSER
Modify group | Modifies group information on IBM RACF | ALTGRP
Change passwords | Changes user password on IBM RACF in response to password changes made on Oracle Identity Manager through user self-service | ALTUSER
Reset passwords | Resets user password on IBM RACF (the passwords are reset by the administrator) | ALTUSER
Revoking user accounts | Sets IBM RACF user to a REVOKED state | ALTUSER
Resuming user accounts | Sets IBM RACF user to an ENABLED state | ALTUSER
Add user to group | Connects user with an IBM RACF group | CONNECT
Remove user from group | Disconnects user from an IBM RACF group | REMOVE
Revoke user from group | Revokes user's membership in an IBM RACF group | CONNECT REVOKE
Permit user to dataset | Permits user to be part of the data set ACL and gives them access rights to the data set | PERMIT
Remove user from dataset | Removes user from the data set ACL | PERMIT
Permit user to access general resource | Permits user to be part of the resource ACL and gives them access rights to the resource | PERMIT
Remove user from general resource | Removes user from the resource ACL | PERMIT
Grant security attribute to user | Provides non-value security attribute privileges to user | ALTUSER
Grant user to TSO segment | Provides TSO access and information to user | ALTUSER
Grant user to OMVS segment | Provides OMVS information to users | ALTUSER
Delete User | Deletes user from IBM RACF | DELUSER
Delete Group | Deletes group from IBM RACF | DELGRP
Add Dataset | Adds new dataset profile to IBM RACF | ADDSD
Modify Dataset | Modifies dataset information on IBM RACF | ALTDSD
Delete Dataset | Deletes dataset profile from IBM RACF | DELDSD
Define Resource | Adds new resource profile to IBM RACF | RDEFINE
Modify Resource | Modifies resource profile information in IBM RACF | RALTER
Delete Resource | Deletes resource profile from IBM RACF | RDELETE
Define Alias | Defines an alias in IBM RACF | DEFINE ALIAS
Delete Alias | Deletes an alias in IBM RACF | DELETE ALIAS
Refresh Setropts | Refreshes in-storage generic profiles in IBM RACF | SETROPTS RACLIST REFRESH


1.5.3 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-3 lists attribute mappings between IBM RACF and Oracle Identity Manager for target resource reconciliation and provisioning. The OnBoardRacfUser and ModifyUser adapters are used for the Create User and Modify User provisioning operations, respectively.

Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | IBM RACF Attribute | Description
cn | NAME | Full name. You can specify the format in which Full Name values are stored on the target system. Step 3 of Section 3.9, "Installing and Configuring the LDAP Gateway" describes the procedure.
cicsOpclass | CICS_OPCLASS | Operator class
cicsOpident | CICS_OPIDENT | Operator ID
cicsOpprty | CICS_OPPRTY | Operator priority
cicsRslkey | CICS_RSLKEY | Resource key 0–99
cicsTimeout | CICS_TIMEOUT | Timeout value
cicsTslkey | CICS_TSLKEY | Type key 1–99
cicsXrfsoff | CICS_XRFSOFF | Transaction off (Force or NoForce)
dfltGrp | DEFAULT-GROUP | Default group for the user
instdata | DATA | Installation-defined data for the user
netviewConsname | NETVIEW_CONSNAME | Console name
netviewCtl | NETVIEW_CTL | Control
netviewDomains | NETVIEW_DOMAINS | Domain name
netviewIc | NETVIEW_IC | Command or Command List
netviewMsgrecvr | NETVIEW_MSGRECVR | Message receiver
netviewNgmfadmn | NETVIEW_NGMFADMN | Administration (Y or N)
netviewNgmfvspn | NETVIEW_NGMFVSPN | View span
netviewOpclass | NETVIEW_OPCLASS | Operator class
omvsAssizemax | OMVS_ASSIZEMAX | Address space size
omvsAutouid | OMVS_AUTOUID | Generate auto user identifier
omvsCputimemax | OMVS_CPUTIMEMAX | CPU time
omvsFileprocmax | OMVS_FILEPROCMAX | Files per process
omvsHome | HOME | Home location
omvsMemlimit | OMVS_MEMLIMIT | Non-shared memory size
omvsMmapareamax | OMVS_MMAPAREAMAX | Memory map size
omvsProcusermax | OMVS_PROCUSERMAX | Processes per UID
omvsProgram | PROGRAM | Program
omvsShared | OMVS_SHARED | Shared user identifier
omvsShmemmax | OMVS_SHMEMMAX | Shared memory size
omvsThreadsmax | OMVS_THREADSMAX | Threads per process
omvsUid | UID | UID
owner | OWNER | Owner of the user profile
resumeDate | RESUME DATE | Future date from which the user will be allowed access to the system
revokeDate | REVOKE DATE | Future date from which the user's access to the system will be revoked
revoke | REVOKE or RESUME | Status of the user
tsoAcctNum | ACCTNUM | Default TSO account number on the TSO/E logon panel
tsoCommand | COMMAND | Command to be run during TSO/E logon
tsoDest | DEST | Default SYSOUT destination
tsoHoldclass | HOLDCLASS | Default hold class
tsoJobclass | JOBCLASS | Default job class
tsoMaxSize | MAXSIZE | Maximum region size the user can request at logon
tsoMsgclass | MSGCLASS | Default message class
tsoProc | PROC | Default logon procedure on the TSO/E logon panel
tsoSize | SIZE | Minimum region size if not requested at logon
tsoSysoutclass | SYSOUTCLASS | Default SYSOUT class
tsoUnit | UNIT | Default UNIT name for allocations
tsoUserdata | USERDATA | TSO-defined data for the user
uid | USER | Login ID
userPassword | PASSWORD | Password used to log in
waaccnt | WAACCNT | Account number for APPC or IBM z/OS processing
waaddr1 | WAADDR1 | Address line 1 for SYSOUT delivery
waaddr2 | WAADDR2 | Address line 2 for SYSOUT delivery
waaddr3 | WAADDR3 | Address line 3 for SYSOUT delivery
waaddr4 | WAADDR4 | Address line 4 for SYSOUT delivery
wabldg | WABLDG | Building for SYSOUT delivery
wadept | WADEPT | Department for SYSOUT delivery
waname | WANAME | User name for SYSOUT delivery
waroom | WAROOM | Room for SYSOUT delivery


1.5.4 Group Attributes for Target Resource Reconciliation and Provisioning

In Oracle Identity Manager 9.1.0.x and 11.1.1.5, the AddUserToGroup, RemoveUserFromGroup, RevokeUsersGroupMembership, RevokeAllMemberships, and ResumeAllMemberships adapters are used for group provisioning operations.

Table 1-4 lists group attribute mappings between IBM RACF and Oracle Identity Manager.

Table 1-4 Group Attributes for Target Resource Reconciliation and Provisioning in Oracle Identity Manager Releases 9.1.0.x and 11.1.1.5

Child Form Field | IBM RACF Attribute | Description
cn | GROUP | Group ID
uniqueMember | USERS | Users associated with the group
adsp | ADSP | All permanent tape and DASD data sets created by the user are RACF-protected by discrete profiles
at | AT | Node the command should run under
onlyat | ONLY AT | Only node that the command should run under
auditor | AUDITOR | User has the group-AUDITOR attribute
authority | AUTHORITY | User's level of authority in the group
grpacc | GRPACC | Group data sets defined by user are automatically accessible to other users in the group
operations | OPERATIONS | User has the group-OPERATIONS attribute
owner | OWNER | Owner of the connect profile
resume | RESUME | User is allowed to access the system
resumeDate | RESUME(date) | The date that the user is allowed to access the system
noresume | NORESUME | Specifies that RACF is to clear the RESUME date field
revoke | REVOKE | User is no longer allowed to access the system
revokeDate | REVOKE(date) | The date that the user is no longer allowed to access the system
norevoke | NOREVOKE | Specifies that RACF is to clear the REVOKE date field
special | SPECIAL | User has the group-SPECIAL attribute
uacc | UACC | Universal access authority for all new resource profiles while connected to group


In Oracle Identity Manager Release 11.1.2.x, the AddUserToGroupR2 and RemoveUserFromGroupR2 adapters are used for group provisioning operations. Table 1-5 lists group attribute mappings between IBM RACF and Oracle Identity Manager release 11.1.2.x.

Table 1-5 Group Attributes for Target Resource Reconciliation and Provisioning in Oracle Identity Manager Release 11.1.2.x

Child Form Field | IBM RACF Attribute | Description
MEMBER_OF | GROUP | Group ID


1.5.5 Security Attributes for Target Resource Reconciliation and Provisioning

In Oracle Identity Manager Releases 9.1.0.x and 11.1.1.5, the ModifyUser adapter is used for security attribute provisioning operations.

In Oracle Identity Manager release 11.1.2.x, the AddUserToSecurityAttributeR2 and RemoveUserFromSecurityAttributeR2 adapters are used for security attribute provisioning operations.

The following list shows the non-value security attributes supported for provisioning and reconciliation operations between IBM RACF and Oracle Identity Manager:

  • ADSP

  • AUDITOR

  • CICS

  • DCE

  • DFP

  • EXPIRED

  • GRPACC

  • NETVIEW

  • OIDCARD

  • OMVS

  • OPERATIONS

  • OPERPARM

  • OVM

  • PROTECTED

  • PROXY

  • RESTRICTED

  • SPECIAL

  • TSO

  • UAUDIT

1.5.6 Dataset Profile Attributes for Target Resource Reconciliation and Provisioning

Table 1-6 lists data set resource profile attribute mappings between IBM RACF and Oracle Identity Manager. In Oracle Identity Manager releases 9.1.0.x and 11.1.1.5, the AddUserToDataset and RemoveUserFromDataset adapters are used for data set provisioning operations. Reconciliation of user dataset information is supported, but an out-of-the-box configuration is not included. Adapters for AddDataset, ModifyDataset, and DeleteDataset are included in the connector and can be used to support provisioning of datasets.

In Oracle Identity Manager release 11.1.2.x, the AddUserToDatasetR2 and RemoveUserFromDatasetR2 adapters are used for user dataset provisioning operations. Reconciliation of user dataset information is not supported.

Table 1-6 Dataset Profile Attributes for Target Resource Provisioning

Child Form Field | IBM RACF Attribute | Description
dsname | PROFILE NAME | Profile ID
dsaccess | ACCESS | User's access level to the dataset
dsgeneric | GENERIC | Treat the dataset as a generic name


Note:

A pre-configured child form and process task for the following attributes is not included with the release. Instead, the Oracle Identity Manager adapter variables have been mapped to literal dummy values for the connector release. These values must be updated once the process is implemented. To provision create, modify, or delete dataset actions, the user will need to create a child form, update the adapter variable mappings in the adapter task, and create a process task for each respective dataset operation.

Table 1-7 Dataset Profile Attributes for Provisioning

Adapter Attribute | IBM RACF Attribute
audit | AUDIT
addcategory | ADDCATEGORY
category | CATEGORY
instdata | DATA
erase | ERASE
fclass | FCLASS
fgeneric | FGENERIC
fileseq | FILESEQ
from | FROM
fvolume | FVOLUME
generic | GENERIC
level | LEVEL
model | MODEL
noset | NOSET
notify | NOTIFY
onlyat | ONLYAT
owner | OWNER
retpd | RETPD
seclabel | SECLABEL
seclevel | SECLEVEL
set | SET
setonly | SETONLY
tape | TAPE
uacc | UACC
unit | UNIT
volume | VOLUME


1.5.7 Resource Profile Attributes for Target Resource Reconciliation and Provisioning

Table 1-8 lists resource profile attribute mappings between IBM RACF and Oracle Identity Manager. In Oracle Identity Manager releases 9.1.0.x and 11.1.1.5, the AddUserToResource and RemoveUserFromResource adapters are used for resource profile provisioning operations. Reconciliation of user resource information is supported, but an out-of-the-box configuration is not included. Adapters for DefineResource, AlterResource, and DeleteResource are included in the connector and can be used to support provisioning of resources.

In Oracle Identity Manager release 11.1.2.x, the AddUserToResourceR2 and RemoveUserFromResourceR2 adapters are used for user resource profile provisioning operations. Reconciliation of user resource information is not supported.

Table 1-8 Resource Profile Attributes for Target Resource Provisioning

Child Form Field | IBM RACF Attribute | Description
id | RESOURCE PROFILE NAME | Profile ID
classname | RESOURCE CLASS NAME | Class type
access | RESOURCE ACCESS | User's access level to resource profile


Note:

A pre-configured child form and process task for the following attributes is not included with the release. Instead, the Oracle Identity Manager adapter variables have been mapped to literal dummy values for the connector release. These values must be updated once the process is implemented. To provision create, modify, or delete resource profile actions, the user will need to create a child form, update the adapter variable mappings in the adapter task, and create a process task for each respective resource profile operation.

Table 1-9 Resource Profile Attributes for Provisioning

Adapter Attribute | IBM RACF Attribute
audit | AUDIT
instdata | DATA
from | FROM
generic | GENERIC
level | LEVEL
owner | OWNER
uacc | UACC


1.5.8 User Attributes for Trusted Source Reconciliation

Table 1-10 lists attribute mappings between IBM RACF and Oracle Identity Manager for trusted source reconciliation.

Table 1-10 User Attributes for Trusted Source Reconciliation

OIM User Field | IBM RACF Attribute | Description
cn | NAME | Full name
uid | USER | Login ID
userPassword | PASSWORD | Password used to log in


1.5.9 Reconciliation Rule

See Also:

One of the following guides for generic information about reconciliation matching and action rules:

During target resource reconciliation, Oracle Identity Manager tries to match each user profile fetched from IBM RACF with existing IBM RACF resources provisioned to OIM Users. This is known as process matching. A reconciliation rule is applied for process matching. If a process match is found, then changes made to the user profile on the target system are copied to the resource on Oracle Identity Manager. If no match is found, then Oracle Identity Manager tries to match the user profile against existing OIM Users. This is known as entity matching. The reconciliation rule is applied during this process. If an entity match is found, then an IBM RACF resource is provisioned to the OIM User. Data for the newly provisioned resource is copied from the user profile.

During trusted reconciliation, the same reconciliation rule is applied for entity matching. If an entity match is found, then an OIM User is created out of the data in the reconciliation event.

The following is the reconciliation rule for both target resource and trusted source reconciliation:

Rule name: IdfReconUserRule

Rule element: User Login Equals uid

In this rule element:

  • User Login is the User ID field on the process form and the OIM User form.

  • uid is the USER attribute on IBM RACF.

After you deploy the connector, you can view this reconciliation rule by performing the following steps:

  1. On the Design Console, expand Development Tools and then double-click Reconciliation Rules.

  2. Search for and open the IdfReconUserRule rule.

1.5.10 Reconciliation Action Rules

Reconciliation action rules specify actions that must be taken depending on whether or not matching IBM RACF resources or OIM Users are found when the reconciliation rule is applied. Table 1-11 lists the reconciliation action rules for this connector.

Table 1-11 Reconciliation Action Rules

Rule Condition | Action
No Matches Found | None
One Entity Match Found | Establish Link
One Process Match Found | Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. On the Design Console, expand Resource Management and double-click Resource Objects.

  2. Search for and open the OIMRacfResourceObject resource object.

  3. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.
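The following is an added example, not connector code, that walks the target resource matching flow of Section 1.5.9 and the action rules of Section 1.5.10: each RACF user profile is first process-matched against provisioned IBM RACF resources and, failing that, entity-matched against OIM Users, using IdfReconUserRule (User Login Equals uid); the resulting rule condition is then looked up in Table 1-11, and any condition the table does not predefine (for example, more than one match) gets no action. The OimUser data model, the case-insensitive comparison, and the sample users and profiles are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Table 1-11 of the guide: predefined rule conditions and their actions. Any other
# condition (for example multiple matches) has no predefined action, so lookups
# fall back to "None".
ACTION_RULES = {
    "No Matches Found": "None",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}


@dataclass
class OimUser:
    """Minimal stand-in for an OIM User and its optional IBM RACF resource (assumed model)."""
    user_login: str                       # User Login / User ID field
    racf_resource: Optional[dict] = None  # process form data keyed by Table 1-3 field names


def rule_matches(user_login, uid):
    """IdfReconUserRule: User Login Equals uid.

    RACF user IDs are upper case, so the comparison is made case-insensitively
    (assumption; the guide only states 'Equals')."""
    return user_login.strip().upper() == uid.strip().upper()


def reconcile(profile, users):
    """Reconcile one RACF user profile in target resource mode.

    Returns the rule condition, the action taken from Table 1-11, and the User
    Login of the OIM User the profile was matched to (None when no link is made)."""
    uid = profile["uid"]

    # Process matching: compare the profile against existing IBM RACF resources.
    process = [u for u in users
               if u.racf_resource is not None and rule_matches(u.racf_resource["uid"], uid)]
    if len(process) == 1:
        user = process[0]
        user.racf_resource.update(profile)   # copy target-system changes to the resource
        cond = "One Process Match Found"
        return {"condition": cond, "action": ACTION_RULES[cond], "user": user.user_login}
    if len(process) > 1:
        cond = "Multiple Process Matches Found"   # not predefined: no action is performed
        return {"condition": cond, "action": ACTION_RULES.get(cond, "None"), "user": None}

    # Entity matching: compare the profile against existing OIM Users.
    entity = [u for u in users if rule_matches(u.user_login, uid)]
    if len(entity) == 1:
        user = entity[0]
        user.racf_resource = dict(profile)   # provision the resource from the profile data
        cond = "One Entity Match Found"
        return {"condition": cond, "action": ACTION_RULES[cond], "user": user.user_login}
    cond = "No Matches Found" if not entity else "Multiple Entity Matches Found"
    return {"condition": cond, "action": ACTION_RULES.get(cond, "None"), "user": None}


def demo():
    """Run four constructed profiles (not from the guide) through the rule."""
    users = [
        OimUser("JSMITH", {"uid": "JSMITH", "cn": "JOHN SMITH", "dfltGrp": "SYS1"}),
        OimUser("AJONES"),                              # OIM User, no RACF resource yet
        OimUser("BOB", {"uid": "SHARED"}),              # one RACF account linked to
        OimUser("CAROL", {"uid": "SHARED"}),            # two OIM Users (data quality issue)
    ]
    profiles = [
        {"uid": "JSMITH", "cn": "JOHN SMITH", "dfltGrp": "DEV"},   # changed on RACF
        {"uid": "AJONES", "cn": "ANN JONES", "dfltGrp": "SYS1"},   # entity match only
        {"uid": "SHARED", "cn": "SHARED ACCT"},                    # ambiguous process match
        {"uid": "ZNEW", "cn": "NOBODY IN OIM"},                    # unknown to OIM
    ]
    results = [reconcile(p, users) for p in profiles]
    return results, users


if __name__ == "__main__":
    for r in demo()[0]:
        print(f"{r['condition']:32} -> {r['action']:14} (user={r['user']})")
```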