| Oracle® Identity Manager Connector Guide for IBM RACF Standard Release 9.0.3 Part Number B32353-01 |
|
|
View PDF |
| Oracle® Identity Manager Connector Guide for IBM RACF Standard Release 9.0.3 Part Number B32353-01 |
|
|
View PDF |
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for IBM RACF is used to integrate Oracle Identity Manager with IBM RACF.
Note:
Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.This chapter contains the following sections:
The following table lists the functions that are available with this connector.
| Function | Type | Description |
|---|---|---|
| Create RACF New User | Provisioning | Creates a user account |
| Delete a RACF User | Provisioning | Deletes a user account |
| Name Updated | Provisioning | Changes the name of a user account |
| Password Updated | Provisioning | Changes the password of a user account |
| Owner Updated | Provisioning | Changes the owner of a user account |
| Department Updated | Provisioning | Changes the department of a user account |
| Default Group Updated | Provisioning | Changes the default group of a user account |
| Installation data Updated | Provisioning | Changes the installation data of a user account
Installation data is a field that can contain any installation, system, or project-related data. |
| Operations Updated | Provisioning | Changes the Operations attribute of a user account |
| Special Updated | Provisioning | Changes the Special attribute of a user account |
| Auditor Updated | Provisioning | Changes the Auditor attribute of a user account |
| Group Access Updated | Provisioning | Changes the Group Access attribute of a user account |
| Enables a RACF User | Provisioning | Enables a user account so that the user is able to log in to the IBM Mainframe server |
| Disables a RACF User | Provisioning | Disables a user account so that the user is not able to log in to the IBM Mainframe server |
| Connect Group | Provisioning | Connects a user to a group in IBM RACF |
| Disconnect Group | Provisioning | Removes a user from a group in IBM RACF |
| Add TSO to a User | Provisioning | Provides Time Sharing Options (TSO) access to a user
TSO is one of the subsystems in z/OS in IBM Mainframes. |
| Remove TSO | Provisioning | Removes TSO access from a user |
| Reconcile Lookup Field | Reconciliation | Reconciles the lookup fields |
| Reconcile User Data | Reconciliation | Reconciles user data |
See Also:
Appendix A for information about attribute mappings between Oracle Identity Manager and IBM RACF.This release of the connector supports the following languages:
English
Brazilian Portuguese
French
German
Italian
Japanese
Korean
Simplified Chinese
Spanish
Traditional Chinese
Note:
IBM RACF does not support the entry of non-ASCII characters. Refer to Chapter 4 for more information about this limitation.This section discusses the elements that the reconciliation module extracts from the target system to construct reconciliation event records.
Reconciliation can be divided into the following types:
Lookup fields reconciliation involves reconciling the following lookup fields of IBM RACF:
Group
TSO Procedure
TSO Account Number
User reconciliation involves reconciling the following user attributes in IBM RACF.
| Name | Description | Data Type |
|---|---|---|
| User General Data | ||
| userid | User ID on the RACF system | String |
| owner | Owner of the user | String |
| name | Display name of the user | String |
| default group | Default group associated with the user | String |
| operations | Operations privilege | Number |
| auditor | Auditor privilege | Number |
| special | Special privilege | Number |
| grp access | Group access privilege | Number |
| department | Department name | String |
| User Group Data | ||
| Groups | Child table | Multivalued attribute |
| group name | Group name | String |
| revoke date | Revoke date associated with group | String |
| authorization | Authorization privilege | String |
| User TSO Data | ||
| TSO | Child table | Multivalued attribute |
| account number | TSO account number | String |
| procedure | TSO procedure name | String |
The files and directories that comprise this connector are compressed in the following directory on the installation media:
Security Applications\IBM RACF\IBM RACF Standard
These files and directories are listed in the following table.
| File in the Installation Media Directory | Description |
|---|---|
lib\JavaTask\xlUtilHostAccess.jar |
This JAR file contains the class files that are required for provisioning. |
lib\ScheduleTask\xlReconRACF.jar |
This JAR file contains the class files that are required for reconciliation. |
lib\ThirdParty\CustomizedCAs.jar |
This file is used to set up an SSL connection between Oracle Identity Manager and the IBM Mainframe server. |
lib\ThirdPartyI\InitialLoginSequence.txt |
This file contains the login sequence that the connector uses to connect to the IBM Mainframe server. The login sequence contains the sequence of values to be provided to the Telnet session between the connector and the IBM Mainframe server. These values are required to navigate through the various screens that are part of the TSO login process before reaching the READY prompt on the mainframe target server.
The values in this file are supplied in the form of variables that hold IT resource values and literals. This machine-dependent file must be altered after deployment. |
lib\ThirdParty\InputFields.txt |
This file contains values for the connection parameters that are required to connect to the IBM Mainframe server. This file is used with the troubleshooting utility. |
lib\ThirdParty\LogOutSequence.txt |
This file contains the logoff sequence that the connector uses to log off from the IBM Mainframe server. The logoff sequence contains the sequence of values to be provided to the Telnet session between the connector and the IBM Mainframe server. These values are required to navigate through the various screens that are part of the TSO logoff process from the READY prompt on the mainframe target server.
The values in this file are supplied in the form of variables that hold IT resource values and literals. This machine-dependent file must be altered after deployment. |
RACF Scripts\DATAEXTT |
This file uses the decrypted copy of the IBM RACF database to extract user-related records required for reconciliation into temporary files. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\DATAUNLD |
This file merges the data from the SYSTMDAT and JCLSRC files into a temporary file to submit a background job. This background job prepares a decrypted copy of the IBM RACF database and then calls the individual REXX code scripts to format the data. |
RACF Scripts\JCLSRC |
This file is used to submit the background job for use in reconciliation. It is a member of a procedure library on the IBM Mainframe server. A procedure library is a partitioned dataset containing member files. |
RACF Scripts\JOBSTAT |
This file determines the status of a background job used for reconciliation. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\RECNLKUP |
This file provides lookup fields data. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\RXDIFFER |
This file provides differences between the old and new database images. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\RXDPTADD |
This file copies the user's department data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\RXGRPADD |
This file copies the user's group privilege data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\RXPRNTDT |
This file carries user reconciliation data from the IBM Mainframe to Oracle Identity Manager. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\RXPRVADD |
This file copies the user's connect privilege data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\RXTSOADD |
This file copies the user's TSO data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
RACF Scripts\SYSTMDAT |
This file is used to provide job configuration parameters to the mainframe system. |
Files in the resources directory |
Each of these resource bundle files contains language-specific information that is used by the connector.
Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console. |
xml\racfResAdp.xml |
This XML file contains definitions for the following components of the connector:
|
The "Step 5: Copying External Code" section provides instructions to copy these files into the required directories.
To determine the release number of the connector that you have deployed:
Extract the contents of the xlReconRACF.jar file. For a connector that has been deployed, this file is in the following directory:
OIM_home\xellerate\JavaTasks
Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xlReconRACF.jar file.
In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.
See Also:
Oracle Identity Manager Design Console Guide