3.5 Configuring JIT

This section describes how to configure JIT.

JIT (Just-In-Time provisioning) manages application users from the LDAP/SSO source. It is a one-way sync from LDAP/SSO to the application; hence all application users must be provisioned through JIT.

To configure JIT:
  1. Log in as SYSADMN and make the following changes in the System Configuration Details:
    1. Select Authentication Type as LDAP Authentication and SMS Authorization.
    2. Click Add and provide your LDAP Server Details and click Save.
    3. Check the JIT Provisioning Enabled option.
  2. If a new user is added to a group or an existing user is removed from a group, the security attributes are remapped at that user's next login only if JIT_IS_SYNC_GRP_ENABLED is set to Y. Execute the following statements to enable JIT group sync:

    UPDATE CONFIGURATION SET paramvalue = 'Y' WHERE paramname = 'JIT_IS_SYNC_GRP_ENABLED';

    COMMIT;

  3. In the Authentication Server (for example, SAML, LDAP, etc.), the Application User Groups and the User Mappings must be created.
  4. In the Atomic Schema, a new table FCC_GROUP_SEC_ATTR_MAP is introduced to configure the mapping of Security attributes to the Application User Groups. Log in to the Atomic Schema and configure the security attributes for the User groups.
    1. The V_GROUP_CD column must be populated with the User groups mapped to the User.
    2. For OFSBD, the valid values for the V_SEC_ATTR_CD column are JRSDCN, ORG, BUSDMN, CORR_ID and SCNRO_GRP_ID.
    3. For OFSBD, the valid values for the V_SEC_ATTR_VAL column are Jurisdiction, Organization, Business domain, Correlation and Scenario Group. These are available in the KDD_JRSDCN, KDD_ORG, KDD_BUS_DMN, KDD_CORR_RULE and KDD_SCNRO tables respectively.
  5. For configuring the Security Mapping of the Pool Users, the same FCC_GROUP_SEC_ATTR_MAP table in the Atomic Schema is used.
    1. The V_GROUP_CD column must be populated with the LORG group created (see step 6).
    2. For OFSBD, the valid values for the V_SEC_ATTR_CD column are JRSDCN, ORG, BUSDMN, CORR_ID and SCNRO_GRP_ID.
    3. For OFSBD, the valid values for the V_SEC_ATTR_VAL column are Jurisdiction, Organization, Business domain, Correlation and Scenario Group. These are available in the KDD_JRSDCN, KDD_ORG, KDD_BUS_DMN, KDD_CORR_RULE and KDD_SCNRO tables respectively.
  6. Additional User Attributes:
    1. Alert Own Flag: Create the ALERTOWNFLUG group in the Authentication Server. If the Alert Own Flag for a User must be Y, map this group to the User; if it must be N, make sure the group is not mapped to the User.
    2. Reporting/Line Organization: Create a User group whose prefix is the ORG_CD (from the KDD_ORG table) and whose suffix is LORG.
      For example: If TestOrgA is the Line organization, create a User group named TESTORGALORG.

      Note:

      The above User group must be created and mapped to the Infodom/Segment and the LINEORG role in the OFSAA Application. It must also be created in the Authentication Server (for example, SAML, LDAP, etc.) and mapped to the User. Make sure that only one LORG group is mapped to any given User. If the LORG group is already mapped as part of another Application, there is no need to map it again.
  7. Log in to the Application as the new User and verify that the Security attribute mapping has been applied.
  8. If the User group mapping has not changed and only Security attribute mapping changes need to be applied, log in as the Admin user, navigate to Batch Maintenance and create a Batch. For OFSBD, add the BD task FN_FCC_JIT_SYNCH to it.
  9. To disable, in the application, users who have been disabled on the Authentication Server, log in as the Admin user, navigate to Batch Maintenance and create a Batch.
    1. For OFSBD, add the BD task FN_FCC_DISABLE_USR to it.
    2. Edit the Task and enter the User ID or comma-separated User IDs in the Parameter section. The value must be enclosed in single quotes.

      For example: 'AMSUP,KYCADMN', where AMSUP and KYCADMN are the users to be disabled in the KDD_REVIEW_OWNER table.
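The following is an added worked example for steps 4 and 5 above; it is not part of the product documentation. It populates FCC_GROUP_SEC_ATTR_MAP in the Atomic Schema for one application user group and one LORG pool group, then runs two checks before the first JIT login. Only the three columns named in the text (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL) are used; it is an assumption that any further columns of the table take defaults. The group name AML_ANALYST_GRP and the attribute values (AMEA, a, 1, AML) are constructed sample data; TESTORGALORG and TestOrgA are the names used in step 6.

```sql
-- Added example (not from the product documentation).
-- Assumption: FCC_GROUP_SEC_ATTR_MAP accepts rows with only the three
-- columns named in the text; other columns, if any, take defaults.
-- Group codes and attribute values below are constructed sample data.

-- Step 4: one row per security attribute for an application user group.
-- Each V_SEC_ATTR_VAL should correspond to an entry in KDD_JRSDCN,
-- KDD_ORG, KDD_BUS_DMN, KDD_CORR_RULE or KDD_SCNRO respectively.
INSERT INTO FCC_GROUP_SEC_ATTR_MAP (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL)
  VALUES ('AML_ANALYST_GRP', 'JRSDCN',       'AMEA');      -- Jurisdiction
INSERT INTO FCC_GROUP_SEC_ATTR_MAP (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL)
  VALUES ('AML_ANALYST_GRP', 'ORG',          'TestOrgA');  -- Organization
INSERT INTO FCC_GROUP_SEC_ATTR_MAP (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL)
  VALUES ('AML_ANALYST_GRP', 'BUSDMN',       'a');         -- Business domain
INSERT INTO FCC_GROUP_SEC_ATTR_MAP (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL)
  VALUES ('AML_ANALYST_GRP', 'CORR_ID',      '1');         -- Correlation
INSERT INTO FCC_GROUP_SEC_ATTR_MAP (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL)
  VALUES ('AML_ANALYST_GRP', 'SCNRO_GRP_ID', 'AML');       -- Scenario Group

-- Step 5: pool users are mapped through their LORG group. TESTORGALORG is
-- the name formed in step 6 from ORG_CD TESTORGA plus the suffix LORG.
INSERT INTO FCC_GROUP_SEC_ATTR_MAP (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL)
  VALUES ('TESTORGALORG', 'ORG',    'TestOrgA');
INSERT INTO FCC_GROUP_SEC_ATTR_MAP (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL)
  VALUES ('TESTORGALORG', 'JRSDCN', 'AMEA');
COMMIT;

-- Check (a): rows whose attribute code is outside the valid set listed in
-- step 4. This should return no rows.
SELECT V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL
  FROM FCC_GROUP_SEC_ATTR_MAP
 WHERE V_SEC_ATTR_CD NOT IN ('JRSDCN', 'ORG', 'BUSDMN', 'CORR_ID', 'SCNRO_GRP_ID');

-- Check (b): the same group/attribute pair mapped to several values,
-- which usually means a copy-paste slip in the mapping rows.
SELECT V_GROUP_CD, V_SEC_ATTR_CD, COUNT(*) AS n_values
  FROM FCC_GROUP_SEC_ATTR_MAP
 GROUP BY V_GROUP_CD, V_SEC_ATTR_CD
HAVING COUNT(*) > 1;

-- Check (c): the group-sync switch from step 2 must read 'Y', otherwise
-- group changes in LDAP/SSO are not remapped at the next login.
SELECT paramname, paramvalue
  FROM CONFIGURATION
 WHERE paramname = 'JIT_IS_SYNC_GRP_ENABLED';
```

Run the checks again after the FN_FCC_JIT_SYNCH batch (step 8) whenever mapping rows are changed without a corresponding group change, since that batch, not the login, is what applies the new attributes in that case.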