Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with IBM RACF Standard.
Note:
The Oracle Identity Manager Advanced connector for IBM RACF provides an agent-based architecture for integrating IBM RACF with Oracle Identity Manager. For more information, see the guide for that connector.

This chapter contains the following sections:
Section 1.5, "Lookup Definitions Used During Reconciliation and Provisioning"
Section 1.6, "Connector Objects Used During Target Resource Reconciliation and Provisioning"
Section 1.7, "Connector Objects Used During Trusted Source Reconciliation"
Section 1.8, "Roadmap for Deploying and Using the Connector"
Note:
In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed. At some places in this guide, IBM RACF Standard has been referred to as the target system.
Table 1-1 lists the certified components for the connector.
Table 1-1 Certified Components

| Component | Requirement |
|---|---|
| Oracle Identity Manager | You can use one of the following releases of Oracle Identity Manager: The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at |
| Target system | IBM RACF on z/OS V1.13 |
| | The following Host Access Class Library (HACL) class files obtained from IBM Host On-Demand (HOD) version 11.0: Note: My Oracle Support Patch 16034946 provides the latest version of the RACF connector and is certified with HOD 11.0. |
| Target system user account | Instructions to create an IBM RACF user account with the required privileges are given in Section 2.3.3, "Postinstallation on the Target System." You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide. If the user account is not assigned the specified rights, then the "Authentication failure" message is displayed when Oracle Identity Manager tries to exchange data with the target system. |
| JDK | The JDK version can be one of the following: |
The connector supports the following languages:
Arabic
Chinese Simplified
Chinese Traditional
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
For information about the special characters supported by Oracle Identity Manager, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Globalization Guide
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
The architecture of the connector is the blueprint for the functionality of the connector. Figure 1-1 shows the architecture of the connector.
Figure 1-1 Architecture of the Connector
The connector can be configured to run in one of the following modes:
Note:
In Oracle Identity Manager release 11.1.1 or Oracle Identity Manager release 11.1.2, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1 or Oracle Identity Manager release 11.1.2. See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
Identity reconciliation
In the identity reconciliation mode, IBM RACF Standard is used as the trusted source and users are directly created and modified on it.
During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager.
Each record fetched from the target system is compared with existing OIM Users. If a match is found, then the update made to the record on the target system is copied to the OIM User attributes. If no match is found, then the target system record is used to create an OIM User.
Account Management
In the account management mode, IBM RACF Standard is used as a target resource. The connector enables the target resource reconciliation and provisioning operations. Through provisioning operations performed on Oracle Identity Manager, user accounts are created and updated on the target system for OIM Users. During reconciliation from the target resource, the IBM RACF Standard connector fetches into Oracle Identity Manager data about user accounts that are created or modified on the target system. This data is used to add or modify resources allocated to OIM Users.
During provisioning operations, adapters carry provisioning data submitted through the process form to the target system. APIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.
During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. The next step depends on the mode of connector configuration.
The following are features of the connector:
After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager.
See Section 3.3.1, "Full Reconciliation" for more information.
You can use the connector to configure IBM RACF Standard as either a target resource or trusted source of Oracle Identity Manager.
See Section 3.3, "Configuring Reconciliation" for more information.
You can set a reconciliation filter by specifying values for one or more of the following scheduled task attributes:
Filter Auditor Privilege (Y/N)
Filter Default Group
Filter Group Access Privilege (Y/N)
Filter Name
Filter Operations Privilege (Y/N)
Filter Owner
Filter Special Privilege (Y/N)
Filter User Id
Filter Type (AND/OR)
This filter specifies the subset of newly added and modified target system records that must be reconciled.
See Section 3.3.2, "Limited Reconciliation" for more information.
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
See Section 3.3.3, "Batched Reconciliation" for more information.
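As an added illustration (not Oracle's connector code) of how the filter attributes listed above and the batch size narrow and split the records fetched from RACF before they reach Oracle Identity Manager; the sample records, the mapping of each Filter attribute to a Table 1-3 field, and the handling of a batch size of zero are assumptions of this example:

```python
# Added example (not Oracle's connector code): simulates how the "Filter ..."
# scheduled task attributes (Limited Reconciliation) and the batch size
# (Batched Reconciliation) narrow and split the records fetched from RACF.
# Field names follow Table 1-3; the attribute-to-field mapping is assumed.

# Constructed sample RACF user records, keyed by the Table 1-3 field names
SAMPLE_RECORDS = [
    {"USBD_NAME": "JSMITH", "USBD_OWNER_ID": "SYS1", "USBD_DEFGRP_ID": "DEVGRP",
     "USBD_PROGRAMMER": "JOHN SMITH", "USBD_SPECIAL": "N", "USBD_AUDITOR": "N",
     "USBD_OPER": "N", "USBD_GRPACC": "Y"},
    {"USBD_NAME": "AJONES", "USBD_OWNER_ID": "SYS1", "USBD_DEFGRP_ID": "OPSGRP",
     "USBD_PROGRAMMER": "ANN JONES", "USBD_SPECIAL": "Y", "USBD_AUDITOR": "N",
     "USBD_OPER": "Y", "USBD_GRPACC": "N"},
    {"USBD_NAME": "MBROWN", "USBD_OWNER_ID": "HR1", "USBD_DEFGRP_ID": "HRGRP",
     "USBD_PROGRAMMER": "MARY BROWN", "USBD_SPECIAL": "N", "USBD_AUDITOR": "Y",
     "USBD_OPER": "N", "USBD_GRPACC": "N"},
]

# Target-system field each filter attribute is compared against (assumed
# mapping; the "(Y/N)" and "(AND/OR)" suffixes in the attribute names
# describe the allowed values and are left out of the keys)
FILTER_FIELDS = {
    "Filter User Id": "USBD_NAME",
    "Filter Owner": "USBD_OWNER_ID",
    "Filter Default Group": "USBD_DEFGRP_ID",
    "Filter Name": "USBD_PROGRAMMER",
    "Filter Special Privilege": "USBD_SPECIAL",
    "Filter Auditor Privilege": "USBD_AUDITOR",
    "Filter Operations Privilege": "USBD_OPER",
    "Filter Group Access Privilege": "USBD_GRPACC",
}


def apply_filter(records, task_attrs):
    """Return the records that satisfy the non-empty Filter attributes.

    Filter Type decides how several criteria combine: AND needs every
    criterion, OR needs at least one. No criteria means full reconciliation.
    """
    criteria = [(FILTER_FIELDS[name], str(value).upper())
                for name, value in task_attrs.items()
                if name in FILTER_FIELDS and value not in (None, "")]
    if not criteria:
        return list(records)
    combine = any if str(task_attrs.get("Filter Type", "AND")).upper() == "OR" else all
    return [rec for rec in records
            if combine(rec.get(field, "").upper() == value for field, value in criteria)]


def make_batches(records, batch_size):
    """Split records into batches of at most batch_size records.

    Treating a batch size of 0 or less as one batch holding everything is a
    convention of this simulation, not a documented connector setting.
    """
    records = list(records)
    if batch_size <= 0:
        return [records]
    return [records[i:i + batch_size] for i in range(0, len(records), batch_size)]
```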
Lookup definitions used during connector operations can be divided into the following categories:
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Group lookup field to select, from the list of available groups, a group to which a user must belong. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
The following lookup definitions are populated with values fetched from the target system by the scheduled tasks for lookup field synchronization:
See Also:
Section 3.2, "Lookup Field Synchronization" for information about these scheduled tasks
Lookup.RACF.Groups
Lookup.RACF.Accounts
Lookup.RACF.Procedures
This section describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.
Table 1-2 Other Lookup Definitions

| Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition |
|---|---|---|
| Connect | This lookup definition holds information about the authority that you can select for a target system account that you create through Oracle Identity Manager. | This lookup definition is preconfigured. You can add or modify entries in this lookup definition. See one of the following guides for more information about modifying entries in a lookup definition: |
See Also:
One of the following guides for conceptual information about reconciliation:
For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
Section 1.6.1, "User Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.2, "Group Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.3, "TSO Attributes for Target Resource Reconciliation and Provisioning"
Section 1.6.4, "Reconciliation Rule for Target Resource Reconciliation"
Section 1.6.5, "Reconciliation Action Rules for Target Resource Reconciliation"
Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.
Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

| Process Form Field | Target System Field | Description |
|---|---|---|
| userid | USBD_NAME | User ID that is determined from the user profile name |
| owner | USBD_OWNER_ID | User ID or group that owns the profile |
| name | USBD_PROGRAMMER | Display name associated with the user ID |
| default group | USBD_DEFGRP_ID | Default group associated with the user |
| operations | USBD_OPER | Specifies whether the user has the Operations privilege |
| auditor | USBD_AUDITOR | Specifies whether the user has the Auditor privilege |
| special | USBD_SPECIAL | Specifies whether the user has the Special privilege |
| grp access | USBD_GRPACC | Specifies whether the user has the GRPACC privilege |
| department | USWRK_DEPARTMENT | Department name |
Table 1-4 provides information about group attribute mappings for target resource reconciliation and provisioning.
Table 1-4 Group Attributes for Target Resource Reconciliation and Provisioning

| Process Form Field | Target System Support Group Attribute | Description |
|---|---|---|
| Group | USCON_GRP_ID | Name of the group with which the user is associated |
| Revoke Date | USCON_REVOKE_DATE | Date on which the user's association with the group ends |
| Authorisation | GPMEM_AUTH | Authorization privilege |
Table 1-5 provides information about TSO attribute mappings for target resource reconciliation and provisioning.
Table 1-5 TSO Attributes for Target Resource Reconciliation and Provisioning

| Process Form Field | Target System TSO Attribute | Description |
|---|---|---|
| Account Number | USTSO_ACCOUNT | Default account number |
| Procedure | USTSO_LOGON_PROC | Default procedure name |
| Size | USTSO_SIZE | Default memory space allocated to the user in TSO |
| Unit | USTSO_UNIT | Default unit of measurement of memory size |
| Maximum Size | USTSO_MAXIMUM_SIZE | Default maximum memory space that can be allocated to the user in TSO |
See Also:
For generic information about reconciliation matching and action rules, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
The following is the process-matching rule:
Rule Name: reconcile RACF data
Rule Element: User Login Equals userid
In this rule:
User Login is one of the following:
For Oracle Identity Manager release 9.0.1 through 9.0.3.x:
User ID attribute on the Xellerate User form.
For Oracle Identity Manager release 9.1.0.x or release 11.1.1:
User ID attribute on the OIM User form.
For Oracle Identity Manager release 11.1.2:
userid is the USBD_NAME attribute of the target system.
After you deploy the connector, you can view the reconciliation rule by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
1. Log in to the Oracle Identity Manager Design Console.
2. Expand Development Tools.
3. Double-click Reconciliation Rules.
4. Search for and open reconcile RACF data. Figure 1-2 shows this reconciliation rule.
Figure 1-2 Reconciliation Rule for Target Resource Reconciliation
Table 1-6 lists the action rules for target resource reconciliation.
Table 1-6 Action Rules for Target Resource Reconciliation

| Rule Condition | Action |
|---|---|
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
1. Log in to the Oracle Identity Manager Design Console.
2. Expand Resource Management.
3. Double-click Resource Objects.
4. Search for and open the RACF User resource object.
5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.
Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation
Table 1-7 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.
Table 1-7 Provisioning Functions

| Function | Adapter |
|---|---|
| Create a RACF User | adpCREATENEWRACFUSER |
| Delete a RACF User | adpRACFUSERDELETE |
| Name Updated | adpUPDATERACFUSERATTRIBUTE |
| Password Updated | adpSETRACFUSERPASSWORD |
| Department Updated | adpUPDATERACFUSERATTRIBUTE |
| Default Group Updated | adpUPDATERACFUSERATTRIBUTE |
| Installation data Updated | adpUPDATERACFUSERATTRIBUTE |
| Operations Updated | adpRACFUPDATEPRIVILEDGE |
| Special Updated | adpRACFUPDATEPRIVILEDGE |
| Auditor Updated | adpRACFUPDATEPRIVILEDGE |
| Group Access Updated | adpRACFUPDATEPRIVILEDGE |
| Owner Updated | adpUPDATERACFUSERATTRIBUTE |
| Enable a RACF User | adpRACFUSERENABLE |
| Disable a RACF User | adpRACFUSERDISABLE |
| Connect Group | adpCONNECTTOGROUP |
| Disconnect Group | adpDISCONNECTFROMGROUP |
| Add TSO to a User | adpADDTSOTORACFUSER |
| Remove TSO | adpREMOVETSO |
The following sections provide information about connector objects used during trusted source reconciliation:
Section 1.7.1, "User Attributes for Trusted Source Reconciliation"
Section 1.7.2, "Reconciliation Rule for Trusted Source Reconciliation"
Section 1.7.3, "Reconciliation Action Rules for Trusted Source Reconciliation"
Table 1-8 lists user attributes for trusted source reconciliation.
Table 1-8 User Attributes for Trusted Source Reconciliation

| OIM User Form Field | Target System Attribute | Description |
|---|---|---|
| User ID | USBD_NAME | Common name |
| First Name | FName | First name |
| Last Name | LName | Last name |
| Employee Type | NA | Default value: |
| User Type | NA | Default value: |
| Organization | NA | Default value: |
See Also:
For generic information about reconciliation matching and action rules, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware User's Guide for Oracle Identity Manager
The following is the process matching rule:
Rule name: RACF Trusted Rule
Rule element: User Login Equals userid
In this rule element:
User Login is the User ID field on the OIM User form.
userid is the USBD_NAME field of RACF Standard.
After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
1. Log in to the Oracle Identity Manager Design Console.
2. Expand Development Tools.
3. Double-click Reconciliation Rules.
4. Search for RACF Trusted Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.
Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation
Table 1-9 lists the action rules for trusted source reconciliation.
Table 1-9 Action Rules for Trusted Source Reconciliation

| Rule Condition | Action |
|---|---|
| No Matches Found | Create User |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide
For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager
After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:
1. Log in to the Oracle Identity Manager Design Console.
2. Expand Resource Management.
3. Double-click Resource Objects.
4. Search for and open the Xellerate User resource object.
5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.
Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation
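The following added example (not Oracle's code) simulates how the rule element "User Login Equals userid" classifies one fetched RACF record and which action Table 1-6 (target resource) or Table 1-9 (trusted source) then applies, including the case of a rule condition with no predefined action; the shape of the OIM User and linked-account inputs and the case-insensitive comparison are assumptions of this example:

```python
# Added example (not Oracle's code): evaluates the matching rule
# "User Login Equals userid" for one RACF record and applies the action
# rules of Table 1-6 (target resource) and Table 1-9 (trusted source).
# Input shapes and case-insensitive matching are assumptions for illustration.

ACTION_RULES = {
    # Table 1-6: RACF User resource object (target resource reconciliation)
    "target resource": {
        "No Matches Found": "Assign to Administrator With Least Load",
        "One Entity Match Found": "Establish Link",
        "One Process Match Found": "Establish Link",
    },
    # Table 1-9: Xellerate User resource object (trusted source reconciliation)
    "trusted source": {
        "No Matches Found": "Create User",
        "One Entity Match Found": "Establish Link",
        "One Process Match Found": "Establish Link",
    },
}


def match_condition(record, oim_users, linked_accounts, mode):
    """Classify a record by the rule element "User Login Equals userid".

    record: dict holding USBD_NAME (the RACF userid).
    oim_users: list of dicts holding "User Login" (User ID on the OIM User form).
    linked_accounts: RACF userids already linked to an OIM User through a
        RACF User process form (only consulted in target resource mode).
    Returns a rule condition from Tables 1-6 and 1-9, or "Multiple Matches
    Found" when more than one OIM User carries that login.
    """
    userid = record["USBD_NAME"].strip().upper()
    if mode == "target resource" and userid in {a.strip().upper() for a in linked_accounts}:
        return "One Process Match Found"
    entity_matches = [u for u in oim_users
                      if u["User Login"].strip().upper() == userid]
    if not entity_matches:
        return "No Matches Found"
    if len(entity_matches) == 1:
        return "One Entity Match Found"
    return "Multiple Matches Found"


def reconcile_action(record, oim_users, linked_accounts, mode):
    """Return (condition, action); action is None when no rule is predefined,
    which is the "no action is performed" case described in the Note above."""
    condition = match_condition(record, oim_users, linked_accounts, mode)
    return condition, ACTION_RULES[mode].get(condition)
```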
The following is the organization of information in the rest of this guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes procedures that you can perform if you want to extend the functionality of the connector.
Chapter 5, "Testing and Troubleshooting" describes the procedure to use the connector testing utility for testing the connector.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.