Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3
OS/400
The OS/400 resource adapter is defined in the com.waveset.adapter.OS400ResourceAdapter class.
This adapter supports the following versions of IBM OS/400:
Resource Configuration Notes
None
Identity Manager Installation Notes
No additional installation procedures are required on this resource.
Usage Notes
Identity Manager supports three options for handling OS/400 objects that are associated with an account on an OS/400 resource. To enable this specialized support, you must use the OS400Deprovision form that is located in the Identity Manager sample directory. You must also edit the system configuration object; instructions for doing this are included in comments in the OS400Deprovision form. Once enabled, these options appear on the Delete Resource Accounts page when you choose to delete a user's OS/400 resource account.
Available delete options are:
- DLT - The user's resource account and associated OS/400 objects are deleted.
- NODLT - If the user has associated objects, his account is not deleted and associated OS/400 objects are not affected.
- CHGOWN - The user's resource account is deleted and associated OS/400 objects are assigned to a designated owner. CHGOWN is the default option. By default, OS/400 objects are assigned to the QDFTOWN profile.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses SSL to communicate with the OS/400 adapter.
Required Administrative Privileges
The following administrative privileges are required for this adapter:
- CRT: To add an OS/400 user, the administrator must have (1) *SECADM special authority, (2) *USE authority to the initial program, initial menu, job description, message queue, output queue, and attention-key-handling program if specified, and (3) *CHANGE and object management authorities to the group profile and supplemental group profiles, if specified.
- CHG: You must have *SECADM special authority, and *OBJMGT and *USE authorities to the user profile being changed, to specify this command. *USE authority to the current library, program, menu, job description, message queue, print device, output queue, or ATTN key handling program is required to specify these parameters.
- DLT: The user must have use (*USE) and object existence (*OBJEXIST) authority to the user profile. The user must have existence, use, and delete authorities to delete a message queue associated with and owned by the user profile. The user profile cannot be deleted if a user is currently running under the profile, or if it owns any objects and OWNOBJOPT(*NODLT) is specified. All objects in the user profile must first either be transferred to new owners by using the Change Object Owner (CHGOBJOWN) command or be deleted from the system. This can also be accomplished by specifying OWNOBJOPT(*DLT) to delete the objects or OWNOBJOPT(*CHGOWN user-profile-name) to change the ownership. Authority granted to the user does not have to be specifically revoked by the Revoke Object Authority (RVKOBJAUT) command; it is automatically revoked when the user profile is deleted.
- DSP: The user name can be specified as USRPRF(*ALL) or USRPRF(generic*-user-name) only when TYPE(*BASIC) and OUTPUT(*OUTFILE) are specified.
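The three delete options in the Usage Notes and the DLT rules above determine whether a deprovisioned account is actually removed. The following Python example is added here and is not code from Identity Manager or the adapter; the `Profile` record, the function names, the sample data and the profile-name pattern are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: names are 1-10 chars of A-Z 0-9 $ # @ _, first char not a digit or _.
NAME = re.compile(r"[A-Z$#@][A-Z0-9$#@_]{0,9}")

@dataclass
class Profile:              # hypothetical record, e.g. built from an audit export
    name: str
    owns_objects: bool
    in_use: bool            # a user is currently running under the profile

def ownobjopt(option, new_owner="QDFTOWN"):
    """Render the OWNOBJOPT parameter for one of the three delete options."""
    if option in ("DLT", "NODLT"):
        return f"OWNOBJOPT(*{option})"
    if option == "CHGOWN":
        # Accept only a plain profile name inside the command parameter.
        if not NAME.fullmatch(new_owner):
            raise ValueError(f"invalid owner profile: {new_owner!r}")
        return f"OWNOBJOPT(*CHGOWN {new_owner})"
    raise ValueError(f"unknown delete option: {option!r}")

def preview_delete(profile, option="CHGOWN", new_owner="QDFTOWN"):
    """Return (account_deleted, effect_on_owned_objects, parameter)."""
    param = ownobjopt(option, new_owner)
    if profile.in_use:
        return False, "unchanged: a user is running under the profile", param
    if not profile.owns_objects:
        return True, "none owned", param
    if option == "NODLT":
        return False, "unchanged: profile still owns objects", param
    if option == "DLT":
        return True, "deleted", param
    return True, f"transferred to {new_owner}", param

def lingering_accounts(profiles, option="CHGOWN"):
    """Names of accounts that would still exist after a delete request."""
    return [p.name for p in profiles if not preview_delete(p, option)[0]]

# Constructed sample data, not taken from a real system.
SAMPLE = [
    Profile("JSMITH", owns_objects=True, in_use=False),
    Profile("BATCHUSR", owns_objects=True, in_use=True),
    Profile("TEMP01", owns_objects=False, in_use=False),
]

for opt in ("DLT", "NODLT", "CHGOWN"):
    print(opt, lingering_accounts(SAMPLE, opt))
```

Accounts returned by `lingering_accounts` are the ones to follow up on after a deprovisioning run, since the delete request leaves them on the resource.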
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
| --- | --- |
| Enable/disable account | Yes |
| Rename account | No |
| Pass-through authentication | No |
| Before/after actions | Yes |
| Data loading methods | Import directly from resource; Reconcile with resource |
Account Attributes
The following table provides information about OS/400 account attributes.
Note: All attributes are strings, unless indicated otherwise.
Resource Object Management
None
Identity Template
$accountId$
Sample Forms
OS400UserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.OS400ResourceAdapter