Oracle® Identity Manager Connector Guide for IBM RACF Standard Release 9.0.4 Part Number E10156-01
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for IBM RACF is used to integrate Oracle Identity Manager with IBM RACF Standard.
Note:
Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.
This chapter contains the following sections:
Reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.
See Also:
The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Framework Guide for conceptual information about reconciliation configurations
Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:
Lookup fields reconciliation involves reconciling the following lookup fields of IBM RACF:
Group
TSO Procedure
TSO Account Number
User reconciliation involves reconciling the following user attributes in IBM RACF Standard.
Name | Description | Data Type |
---|---|---|
User General Data | ||
userid | User ID on the RACF system | String |
owner | Owner of the user | String |
name | Display name of the user | String |
default group | Default group associated with the user | String |
operations | Operations privilege | Number |
auditor | Auditor privilege | Number |
special | Special privilege | Number |
grp access | Group access privilege | Number |
department | Department name | String |
User Group Data | ||
Groups | Child table | Multivalued attribute |
group name | Group name | String |
revoke date | Revoke date associated with group | String |
authorization | Authorization privilege | String |
User TSO Data | ||
TSO | Child table | Multivalued attribute |
account number | TSO account number | String |
procedure | TSO procedure name | String |
Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. You use the Administrative and User Console to perform provisioning operations.
See Also:
The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Framework Guide for conceptual information about provisioning
For this target system, the following fields are provisioned:
User Id
RACF Server
Password
Owner
Name
Installation Data
Default Group
Department
Operations
Auditor
Special
Group Access
Group
Revoke Date
Authorization
Account Number
Procedure
Size
Unit
Maximum Size
The following table lists the functions that are available with this connector.
Function | Type | Description |
---|---|---|
Create RACF New User | Provisioning | Creates a user account |
Delete a RACF User | Provisioning | Deletes a user account |
Name Updated | Provisioning | Changes the name of a user account |
Password Updated | Provisioning | Changes the password of a user account |
Owner Updated | Provisioning | Changes the owner of a user account |
Department Updated | Provisioning | Changes the department of a user account |
Default Group Updated | Provisioning | Changes the default group of a user account |
Installation data Updated | Provisioning | Changes the installation data of a user account. Installation data is a field that can contain any installation, system, or project-related data. |
Operations Updated | Provisioning | Changes the Operations attribute of a user account |
Special Updated | Provisioning | Changes the Special attribute of a user account |
Auditor Updated | Provisioning | Changes the Auditor attribute of a user account |
Group Access Updated | Provisioning | Changes the Group Access attribute of a user account |
Enables a RACF User | Provisioning | Enables a user account so that the user is able to log in to the IBM Mainframe server |
Disables a RACF User | Provisioning | Disables a user account so that the user is not able to log in to the IBM Mainframe server |
Connect Group | Provisioning | Connects a user to a group in IBM RACF |
Disconnect Group | Provisioning | Removes a user from a group in IBM RACF |
Add TSO to a User | Provisioning | Provides Time Sharing Options (TSO) access to a user. TSO is one of the subsystems in z/OS in IBM Mainframes. |
Remove TSO | Provisioning | Removes TSO access from a user |
Reconcile Lookup Field | Reconciliation | Reconciles the lookup fields |
Reconcile User Data | Reconciliation | Reconciles user data |
See Also:
Appendix A for information about attribute mappings between Oracle Identity Manager and IBM RACF Standard.
The connector supports the following languages:
Chinese Simplified
Chinese Traditional
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
Note:
IBM RACF does not support the entry of non-ASCII characters. Refer to Chapter 5 for more information about this limitation.
See Also:
Oracle Identity Manager Globalization Guide for information about supported special characters
The files and directories that comprise this connector are compressed in the following directory on the installation media:
Security Applications/IBM RACF/IBM RACF Standard
These files and directories are listed in the following table.
File in the Installation Media Directory | Description |
---|---|
lib/JavaTask/xlUtilHostAccess.jar | This JAR file contains the class files that are required for provisioning. |
lib/ScheduleTask/xlReconRACF.jar | This JAR file contains the class files that are required for reconciliation. |
lib/ext/CustomizedCAs.jar | This file is used to set up an SSL connection between Oracle Identity Manager and the IBM Mainframe server. |
lib/ext/InitialLoginSequence.txt | This file contains the login sequence that the connector uses to connect to the IBM Mainframe server. The login sequence contains the sequence of values to be provided to the Telnet session between the connector and the IBM Mainframe server. These values are required to navigate through the various screens that are part of the TSO login process before reaching the READY prompt on the mainframe target server. The values in this file are supplied in the form of variables that hold IT resource values and literals. This machine-dependent file must be altered after deployment. |
lib/ext/InputFields.txt | This file contains values for the connection parameters that are required to connect to the IBM Mainframe server. This file is used with the testing utility. |
lib/ext/LogOutSequence.txt | This file contains the logoff sequence that the connector uses to log off from the IBM Mainframe server. The logoff sequence contains the sequence of values to be provided to the Telnet session between the connector and the IBM Mainframe server. These values are required to navigate through the various screens that are part of the TSO logoff process from the READY prompt on the mainframe target server. The values in this file are supplied in the form of variables that hold IT resource values and literals. This machine-dependent file must be altered after deployment. |
Scripts/DATAEXTT | This file uses the decrypted copy of the IBM RACF database to extract user-related records required for reconciliation into temporary files. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/DATAUNLD | This file merges the data from the SYSTMDAT and JCLSRC files into a temporary file to submit a background job. This background job prepares a decrypted copy of the IBM RACF database and then calls the individual REXX code scripts to format the data. |
Scripts/JCLSRC | This file is used to submit the background job for use in reconciliation. It is a member of a procedure library on the IBM Mainframe server. A procedure library is a partitioned dataset containing member files. |
Scripts/JOBSTAT | This file determines the status of a background job used for reconciliation. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/RECNLKUP | This file provides lookup fields data. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/RXDIFFER | This file provides differences between the old and new database images. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/RXDPTADD | This file copies the user's department data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/RXGRPADD | This file copies the user's group privilege data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/RXPRNTDT | This file carries user reconciliation data from the IBM Mainframe to Oracle Identity Manager. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/RXPRVADD | This file copies the user's connect privilege data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/RXTSOADD | This file copies the user's TSO data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server. |
Scripts/SYSTMDAT | This file is used to provide job configuration parameters to the mainframe system. |
Files in the resources directory | Each of these resource bundle files contains language-specific information that is used by the connector. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console. |
xml/RACFnonTrusted.xml | These XML files contain definitions for the following components of the connector: |
xml/RACFTrusted.xml | This XML file contains the configuration for the Xellerate User. You must import this file only if you plan to use the connector in trusted source reconciliation mode. |
Note:
The files in the test directory are used only to run tests on the connector.
The "Step 5: Copying External Code Files" section provides instructions to copy these files into the required directories.
You can use any one of the following methods to determine the release number of the connector.
To determine the release number of a connector:
Extract the contents of the xlReconRACF.jar file. This file is in the following directory on the installation media:
Security Applications/IBM RACF/IBM RACF Standard/lib/ScheduleTask
Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xlReconRACF.jar file.
In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.
Note:
If you maintain a copy of the xlReconRACF.jar file after deployment, you can use this method to determine the release number of the connector at any stage. After you deploy the connector, it is recommended that you use the "After Deployment" method, which is described in the following section.
To determine the release number of a connector that has already been deployed:
See Also:
Oracle Identity Manager Design Console Guide
Open the Oracle Identity Manager Design Console.
In the Form Designer, open the process form. The release number of the connector is the value of the Version field.
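For the JAR-based method described above, the manifest can be read without unpacking the archive, which is convenient when checking the connector release across several hosts. The following is an added example, not code from Oracle or from this guide; the function names are hypothetical, the sample manifest and its Version value are constructed placeholders, and it assumes the manifest sits at the standard JAR location META-INF/MANIFEST.MF.

```python
import io
import zipfile


def parse_manifest(text):
    """Parse the main section of a JAR manifest, joining continuation lines."""
    headers = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            if headers:
                break  # a blank line ends the main section
            continue
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]  # continuation of the previous value
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" header; skip it
        last = name.strip().lower()  # header names are case-insensitive
        headers[last] = value.lstrip()
    return headers


def connector_release(jar):
    """Return the Version value from a JAR's manifest (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        for entry in zf.namelist():
            # The guide calls the file manifest.mf; match the name in any case.
            if entry.lower() == "meta-inf/manifest.mf":
                text = zf.read(entry).decode("utf-8", errors="replace")
                return parse_manifest(text).get("version")
    return None  # no manifest found in the archive


def build_sample_jar(manifest_text):
    """Build an in-memory JAR holding only a manifest (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    buf.seek(0)
    return buf


# Constructed manifest; the Version value is a placeholder, not a real release.
SAMPLE_MANIFEST = "Manifest-Version: 1.0\r\nVersion: 0.0.0-SAMPLE\r\n\r\n"

if __name__ == "__main__":
    # In practice, pass the path to your copy of xlReconRACF.jar instead.
    print(connector_release(build_sample_jar(SAMPLE_MANIFEST)))
```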