5 Using the IBM RACF Advanced Connector

You can use the IBM RACF Advanced connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

The procedure to use the IBM RACF Advanced connector can be divided into the following topics:

• Guidelines on Using the IBM RACF Advanced Connector

• Scheduled Tasks for Lookup Field Synchronization

• Configuring the Security Attributes Lookup Field

• Configuring Reconciliation

• Configuring Account Status Reconciliation for IBM RACF Advanced Connector

• Scheduled Tasks for IBM RACF Advanced Connector

• Configuring Reconciliation Jobs

• Performing Provisioning Operations

5.1 Guidelines on Using the IBM RACF Advanced Connector

Apply the following guidelines while using the connector:

• The LDAP Gateway does not send the full attribute value when provisioning attribute values that contain one or more space characters. If this problem occurs, surround the attribute value in single quotation marks when populating the form field.

• The RACF connector LDAP gateway encrypts ASCII data transmitting the encrypted message to the mainframe. The mainframe decrypts this message, as the in bound message is in ASCII format, it is translated to EBCDIC for mainframe processing. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, you must exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface.

• Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system accounts through provisioning operations on Oracle Identity Manager.

• The subpool must be started before starting the Reconciliation Agent. If the agent is started before the subpool, then an error message stating, "NO TOKEN FOUND", will be printed. Additionally, if the LDAP Gateway is not available when the Reconciliation Agent is started, then an error message is generated stating, "NO LDAP FOUND" will be printed.

• When you update the TSO_SIZE and TSO_MAXSIZE attributes during a provisioning operation, you must not include leading zeros in the value that you specify. For example, if you want to change the value of the SIZE attribute from 000001 to 000002, then enter 2 in the SIZE field on the Identity Self Service.

5.2 Scheduled Tasks for Lookup Field Synchronization

The scheduled tasks for lookup field synchronization populate lookup tables with facility, dataset, group, or profiles IDs that can be assigned during the user provisioning process.

The following are the scheduled tasks for lookup field synchronization:

• RACF Find All Resources

• RACF Find All Datasets

• RACF Find All Groups

These scheduled tasks populate lookup fields in Oracle Identity Manager with resource profiles, datasets, or group IDs. Values from these lookup fields can be assigned during user provisioning operations and reconciliation runs. When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all resource, dataset, or group IDs on the target system for reconciliation.

Table 5-1 describes the attributes of the 3 scheduled tasks.

Table 5-1 Attributes of the Find All Resources, Find All Datasets, and Find All Groups Scheduled Tasks

Attribute	Description
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RACFResource
Resource Object	Enter the name of the resource object against which provisioning runs must be performed. Sample value: OIMRacfResourceObject
Lookup Code Name	Enter the name of the lookup code where OIM will store the results of the scheduled task. Sample value 1: Lookup.profileNames Sample value 2: Lookup.ResourceNames
Recon Type	This attribute determines how resources, datasets, or group memberships from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options: Append adds resources, datasets, or group membership entries from the target system that do not exist in the Lookup.ResourceNames, Lookup.DatasetNames, or Lookup.GroupNames lookup definitions. Any existing entries remain untouched. Replace removes all the existing entries in Lookup.ResourceNames, Lookup.DatasetNames, or Lookup.GroupNames lookup definition and replaces them with resources, datasets, or group membership entries from the target system. Merge handles entries in the following manner: If you are using the connector for a single installation of the target system, then resources, datasets, and group membership entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.ResourceNames, Lookup.DatasetNames, or Lookup.GroupNames lookup definitions. Resources, datasets, and group membership entries that exist only in the target system are added to the Lookup.ResourceNames, Lookup.DatasetNames, or Lookup.GroupNames lookup definitions. If you are using the connector for multiple installations of the target system, then only the resources, datasets, and group membership entries corresponding to the target system installation that you are using are updated or added. Entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.ResourceNames, Lookup.DatasetNames, or Lookup.GroupNames lookup definitions. Entries that exist only in the target system are added to the Lookup.ResourceNames, Lookup.DatasetNames, or Lookup.GroupNames lookup definitions. Default value: Merge
Resource Class Type Note: This attribute is available only in the RACF Find All Resources scheduled task.	Enter the name of the type of resource class you are reconciling. You can enter multiple resource class types as a comma-separated list. Sample value: FACILITY,CDT,OPERCMDS Note: Ensure that the resources list that you specify here matches the list that you have specified for the supportedResourceClasses property in the racf.properties file.

5.2.1 RACF Reconcile Groups To Internal LDAP

The RACF Reconcile Groups to Internal LDAP scheduled task is used to process the Group file extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of groups on the target system. Each of these groups is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.

Table 5-2 describes the attributes of the scheduled task.

Table 5-2 Attributes of the RACF Reconcile Groups To Internal LDAP Task

Attribute	Description
Domain OU	Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: racf
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource

5.2.2 RACF Find All LDAP Groups

This scheduled task populates lookup fields in Oracle Identity Manager with resource group IDs from internal LDAP. Values from these lookup fields can be assigned during user provisioning operations and reconciliation runs. When you configure this scheduled task, it runs at specified intervals and fetches a listing of all group IDs on the internal LDAP for reconciliation.

Table 5-3 describes the attributes of the scheduled task.

Table 5-3 Attributes of the RACF Find All LDAP Groups Task

Attribute	Description
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource Groups are reconciled from internal LDAP store using the IT Resource.
Secondary IT Resource	Enter the name of the secondary IT resource that was configured for the target system. Sample value: SecondResource Groups are stored in OIM in the following format:<Secondary IT Resource>~<Group Name>.
Filter	Filter to be specified in LDAP format. Sample value for Simple Filter: (cn=<groupID>) Sample value for Complex Filter: (&(commandflag=ADD)(cn=<groupID>))
Resource Object	Enter the name of the resource object against which provisioning runs must be performed. Sample value: OIMRacfResourceObject
Lookup Code Name	Enter the name of the lookup code where OIM will store the results of the scheduled task. Sample value: Lookup.GroupNames
Recon Type	This attribute determines how group memberships from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options: Append adds group membership entries from the target system that do not exist in the Lookup.GroupNames lookup definitions. Any existing entries remain untouched. Replace removes all the existing entries in Lookup.GroupNames lookup definition and replaces them with group membership entries from the target system. Merge handles entries in the following manner: If you are using the connector for a single installation of the target system, then group membership entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.GroupNames lookup definitions. Group membership entries that exist only in the target system are added to the Lookup.GroupNames lookup definitions. If you are using the connector for multiple installations of the target system, then only the group membership entries corresponding to the target system installation that you are using are updated or added. Entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.GroupNames lookup definitions. Entries that exist only in the target system are added to the Lookup.GroupNames lookup definitions. Default value: Merge
Domain OU	Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: ou=racf,ou=Groups
AttrsToReturn	Enter a comma-separated list of object attributes that the connector must retrieve from internal LDAP. For example, enter a comma-separated list of group attributes that the connector must fetch from LDAP and load into Oracle Identity Manager. . Sample value: cn,commandFlag Note: cn and commandFlag attributes are mandatory
DescTemplate	By default, when lookup reconciliation is performed, the lookup description is same as the lookup value in the lookup window. Therefore, if required, use the DescTemplate attribute to specify the attribute whose value must be used as the lookup description and displayed in the lookup window.
SearchBaseDN	This should be kept blank. This is reserved for future use.

5.3 Configuring the Security Attributes Lookup Field

The Lookup.RacfSecurityAttributeNames lookup definition is one of the lookup definitions that is created in Oracle Identity Manager when you deploy the connector. This lookup field is populated with standard RACF nonvalue security attributes such as ADSP, AUDIT, SPECIAL, and so on.

The IBM RACF Advanced connector includes a scheduled task to automatically populate the lookup field used for storing RACF security attributes.

This section contains the following topics:

• Attributes of the Find All Security Attributes Scheduled Task

• Adding Additional Security Attributes for Provisioning and Reconciliation

5.3.1 Attributes of the Find All Security Attributes Scheduled Task

The IBM RACF Advanced connector includes a scheduled task to automatically populate the lookup field used for storing RACF security attributes.

Note:

The Find All Security Attributes scheduled task does not query the target system for data. Instead, the scheduled task automatically populates the lookup field with "itResourceKey~sourceName" pairs based on the IT Resource and Find All Security Attributes scheduled task property values.

Table 5-4 describes the properties of the Find All Security Attributes scheduled task.

Table 5-4 Attributes of the Find All Security Attributes Scheduled Task

Attribute	Description
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource
Security Attributes	Enter a comma-separated list of RACF non-value security attributes. Sample value: ADSP, AUDIT, RESTRICTED, SPECIAL, UAUDIT
Lookup Code Name	Enter the name of the lookup code where Oracle Identity Manager will store the source entries. Sample value: Lookup.RacfSecurityAttributes
Recon Type	This attribute determines how security attributes from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options: Append adds security attributes from the target system that do not exist in the Lookup.RacfSecurityAttributes lookup definition. Any existing entries remain untouched. Replace removes all the existing entries in the Lookup.RacfSecurityAttributes lookup definition and replaces them with security attributes from the target system. Merge handles entries in the following manner: If you are using the connector for a single installation of the target system, then security attributes that exist in both the target system and Oracle Identity Manager are updated in the Lookup.RacfSecurityAttributes lookup definition. Security attributes that exist only in the target system are added to the Lookup.RacfSecurityAttributes lookup definitions. If you are using the connector for multiple installations of the target system, then only security attributes corresponding to the target system installation that you are using are updated or added. Security attributes that exist in both the target system and Oracle Identity Manager are updated in the Lookup.RacfSecurityAttributes lookup definition. Security attributes that exist only in the target system are added to the Lookup.RacfSecurityAttributes lookup definition. Default value: Merge

However, you can also manually add additional values. See Adding Additional Security Attributes for Provisioning and Reconciliation.

5.3.2 Adding Additional Security Attributes for Provisioning and Reconciliation

To add additional security attributes for provisioning and reconciliation:

1. Login to Oracle Identity Manager Design Console.
2. Expand Administration, and then double-click Lookup Definition.
3. Search for the Lookup.RacfSecurityAttributesNames lookup definition.
4. Click Add.
5. In the Code Key column, enter the name of the security attribute. Enter the same value in the Decode column. The following is a sample entry:

   Code Key: ITResource~ADSP Decode: ITResource~ADSP

6. Click the Save icon.

5.4 Configuring Reconciliation

The IBM RACF Advanced connector supports both incremental reconciliation (sometimes referred to as real-time reconciliation) and full reconciliation. This section discusses the following topics related to configuring reconciliation:

• Configuring Incremental Reconciliation

• Performing Full Reconciliation

• Reconciliation Scheduled Tasks

• Guidelines for Configuring Filtered Reconciliation to Multiple Resource Objects

5.4.1 Configuring Incremental Reconciliation

The Voyager agent and the LDAP gateway perform incremental reconciliation using the RACF Reconcile All LDAP Users scheduled task. To configure incremental reconciliation:

1. Ensure the racf.properties has the following set:
   • USE INTERNAL META STORE

     [true|false]_internalEnt_=true

   • USE GROUP INTERNAL META STORE

     [true|false]_internalGrpEnt_=true

2. Use the Last Modified Timestamp parameter of the IT resource to set a date range that will reconcile all users that have changed since that date.

   Note:

   If the _internalEnt_ property, located in LDAP_INSTALL_DIR/conf/racf.properties, is set to true, then the LDAP internal store will also be populated on an ongoing basis by the "real-time" event capture using Voyager and the EXIT(s). So after initial population and reconciliation the process will still continue to use the RACF Reconcile All LDAP Users scheduled task using a Date range to reconcile these real-time event changes from data captured in the LDAP internal store.

5.4.2 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.

After you deploy the connector, you must first perform full reconciliation. After first-time reconciliation, the connector will automatically switch to performing incremental reconciliation based on the time stamp value present in the IT resource.

To perform full reconciliation in a set up that involves LDAP gateway as an intermediary datastore between the RACF target system and Oracle Identity Manager, choose one of the options:

• If you are performing reconciliation for the first time, then:
  1. Generate an EXTRACT reconciliation file on the RACF target system. To do so:
     1. For z/OS 2.3 :

        On the mainframe, execute the RACFRCOU or RACFRCOG batch jobs for reconciling Users or Groups, respectively. These batch jobs populate user and group data in the &HLQ..PIONEER.IMPORTU.FILE dataset (referenced with DD name //FULLIMPU inside PIONEER STC Procedure) and &HLQ..PIONEER.IMPORTG.FILE dataset (referenced with DD name //FULLIMPG inside PIONEER STC Procedure), respectively.

        These batch jobs are a member of the <hlq>.JCLLIB dataset that is available in the etc/Provisioning and Reconciliation Connector/RACF-AGENTS-201905311134-6.0.0.zip file of the connector installation media.

        When Pioneer receives request for full reconciliation (user or group), it reads the corresponding dataset and sends the response back to gateway and clears the dataset. After each execution of full reconciliation, the corresponding file gets cleared. Therefore, if required, you must regenerate the EXTRACT file for populating the internal LDAP for Oracle Identity Manager to reconcile the latest data.

        For reconciling all Dataset profiles and General resource profiles from RACF DB, we are using RACF DB unload. In the distribution, we are shipping sample JCL, named RACFRC (<HLQ>.JCLLIB(RACFRC)). In this JCL, the first step is to take the RACF DB unload using IRRDBU00 utility. The details about this utility can be referred at: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha700/usdbum.htm (Z/OS V2.4)

        Following steps in the Job are different sort steps, manipulating the RACF DB unload data for Datasets and general resource profile records and arranging them in sequence. The DD name IMPORTD maps to the final file containing all dataset profiles. This file name must match with the file name in PIONEER STC DD name FULLIMPD. The DD name IMPORTR maps to the final file containing all general resource profiles. This file name must match with the file name in PIONEER STC DD name FULLIMPR.

     2. For z/OS 2.4 :

        On the mainframe, execute the RACFRCOU or RACFRCOG batch jobs for reconciling Users or Groups, respectively. These batch jobs populate user and group data in the &HLQ..PIONEER.IMPORTU.FILE dataset (referenced with DD name //FULLIMPU inside PIONEER STC Procedure) and &HLQ..PIONEER.IMPORTG.FILE dataset (referenced with DD name //FULLIMPG inside PIONEER STC Procedure), respectively.

        These batch jobs are a member of the <hlq>.JCLLIB dataset that is available in the etc/Provisioning and Reconciliation Connector/RACF-AGENTS-201905311134-6.0.0.zip file of the connector installation media.

        When Pioneer receives request for full reconciliation (user or group), it reads the corresponding dataset and sends the response back to gateway and clears the dataset. After each execution of full reconciliation, the corresponding file gets cleared. Therefore, if required, you must regenerate the EXTRACT file for populating the internal LDAP for Oracle Identity Manager to reconcile the latest data.

        For reconciling all Dataset profiles and General resource profiles from RACF DB, we are using RACF DB unload. In the distribution, we are shipping sample JCL, named RACFRC (<HLQ>.JCLLIB(RACFRCOD) and <HLQ>.JCLLIB(RACFRCOR) ). In this JCL, the first step is to take the RACF DB unload using IRRDBU00 utility. The details about this utility can be referred at: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha700/usdbum.htm (Z/OS V2.4)

        Following steps in the Job are different sort steps, manipulating the RACF DB unload data for Datasets and general resource profile records and arranging them in sequence. The DD name IMPORTD maps to the final file containing all dataset profiles. This file name must match with the file name in PIONEER STC DD name FULLIMPD. The DD name IMPORTR maps to the final file containing all general resource profiles. This file name must match with the file name in PIONEER STC DD name FULLIMPR.

  2. Set the value of the Last Modified Time Stamp parameter of the IT resource parameter to 0.
  3. Run the RACF Reconcile Users to Internal LDAP scheduled task.
  4. Run the RACF Reconcile Groups To Internal LDAP scheduled task.
  5. Run the RACF Reconcile Datasets To Internal LDAP scheduled task.
  6. Run the RACF Reconcile Resources To Internal LDAP scheduled task.
  7. Run the RACF Reconcile All LDAP Users scheduled task.

  Note:

  If you do not run the RACF Recon Users to Internal LDAP scheduled task with the EXTRACT recon file, then the RACF Reconcile LDAP Users scheduled task will always perform in incremental mode.
• If this not the first time that you are performing full reconciliation, then:
  1. Set the value of the Last Modified Time Stamp parameter of the IT resource parameter to 0.
  2. Run the RACF Reconcile All LDAP Users scheduled task.

Note:

If updates for a user are complete and the user is reconciles, in order to to see the datasets/resources again you need to run the following jobs again

• RACF Reconcile Datasets To Internal LDAP
• RACF Reconcile Resources To Internal LDAP
• RACF Reconcile All LDAP Users

This completes full reconciliation and from the next reconciliation run onward, the connector will automatically switch to incremental reconciliation by using the value in the Last Modified Time Stamp parameter of the IT resource.

To perform full reconciliation in a set up that does not involve LDAP gateway, run the RACF Reconcile All Users scheduled task. The scheduled job will always run in full reconciliation mode.

5.4.3 Reconciliation Scheduled Tasks

When you run the Connector Installer, these reconciliation scheduled tasks are automatically created in Oracle Identity Manager.

• RACF Reconcile All Users

• RACF Deleted User Reconciliation Using OIM

• RACF Reconcile Users to Internal LDAP

• RACF Reconcile All LDAP Users

5.4.3.1 RACF Reconcile All Users

The RACF Reconcile All Users scheduled task is used to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation.

Table 5-5 describes the attributes of the scheduled task.

Table 5-5 Attributes of the RACF Reconcile All Users Scheduled Task

Attribute	Description
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource
Resource Object	Enter the name of the resource object against which reconciliation runs must be performed. Sample value: OIMRacfResourceObject
MultiValuedAttributes	Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma. Sample value:attributes,member of
SingleValueAttributes	Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValueAttributes field. Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in Oracle Identity Manager database.
UID Case	Enter either "upper" or "lower" for the case for the UID attribute value. Sample value: upper
UsersList	Enter a comma-separated list of UIDs that you want to reconcile from the target system. If this property is left blank, all users on the target system will be reconciled. Sample value: userQA01,georgeb,marthaj,RST0354
Filter	Enter a filter criteria to search for and retrieve user records that match the given filter criteria. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC2254. The filter can be either simple or complex. A simple filter uses only a (uid=<userid>) condition whereas a complex filter is a combination of one or more attributes. Sample value for a simple filter: (uid=<userid>) Sample value for a complex filter: (&(commandflag=UPDATE)(revoke=n)) This complex filter searches for and retrieves all user records whose commandflag attribute value is UPDATE and revoke is n. Note: If you specify a complex filter, then ensure that you have enabled the caching layer of the LDAP Gateway as described in Understanding the Caching Layer. If the caching layer is disabled, then the connector considers only the simple filter (uid=<userid>).

5.4.3.2 RACF Deleted User Reconciliation Using OIM

The RACF Reconcile Deleted Users to OIM scheduled task is used to reconcile data about deleted users in the target resource (account management) mode of the connector.

When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.

Table 5-6 describes the attributes of the scheduled task.

Table 5-6 Attributes of the RACF Reconcile Deleted Users to Oracle Identity Manager Scheduled Task

Attribute	Description
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value:RacfResource
Resource Object	Enter the name of the resource object against which the delete reconciliation runs must be performed. Sample value: OIMRacfResourceObject
Recon Matching Rule Attributes	Enter a comma-separated list of attributes used in the matching rule. If the IT resource is used, enter IT. Sample value: UID,IT

5.4.3.3 RACF Reconcile Users to Internal LDAP

The RACF Reconcile Users to Internal LDAP scheduled task is used to process the CFILE extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of users and their profiles on the target system. Each of these users is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.

Table 5-7 describes the attributes of the scheduled task.

Table 5-7 Attributes of the RACF Reconcile Users to Internal LDAP Scheduled Task

Attribute	Description
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource
Domain OU	Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.Sample value: racf

5.4.3.4 RACF Reconcile All LDAP Users

The RACF Reconcile All LDAP Users scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.

Table 5-8 describes the attributes of the scheduled task.

Table 5-8 Attributes of the RACF Reconcile All LDAP Users Scheduled Task

Attribute	Description
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource
Secondary IT Resource	Enter the name of the secondary IT resource that was configured for the target system. Sample value: SecondResource
Resource Object	Enter the name of the resource object against which the delete reconciliation runs must be performed. Sample value: OIMRacfResourceObject
Domain OU	Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.Sample value: racf
MultiValuedAttributes	Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma. Sample value: member of,attributes,datasets,resources
SingleValueAttributes	Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValueAttributes field. Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.
LDAP Time Zone	Enter the full OIM server timezone database name value. Do not use the abbreviated timezone value. To find out the timezone database name value refer to List of tz database time zones. Sample value: America/New York
UID Case	Enter whether the user ID should be displayed in uppercase or lowercase. Sample value: upper
Filter	Enter a filter criteria to search for and retrieve user records that match the given filter criteria. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC2254. The filter can be either simple or complex. A simple filter uses only a (uid=<userid>) condition whereas a complex filter is a combination of one or more attributes. Sample value for a simple filter: (uid=<userid>) Sample value for a complex filter: (&(commandflag=UPDATE)(revoke=n)) This complex filter searches for and retrieves all user records whose commandflag attribute value is UPDATE and revoke is n.

5.4.3.5 RACF Reconcile Datasets To Internal LDAP

The RACF Reconcile Datasets To Internal LDAP scheduled task is used to process the Datasets file extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of Datasets on the target system. Each of these Datasets is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.

Note:

• For z/OS 2.3 the <HLQ>.JCLLIB(RACFRC) job needs to be executed on the mainframe prior to executing this task.
• For z/OS 2.4 the <HLQ>.JCLLIB(RACFRCOD) job needs to be executed on the mainframe prior to executing this task.

Table 5-9 describes the attributes of the scheduled task.

Table 5-9 Attributes of the RACF Reconcile Datasets To Internal LDAP Task

Attribute	Description
Domain OU	Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: racf
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource

5.4.3.6 RACF Reconcile Resources To Internal LDAP

The RACF Reconcile Resources To Internal LDAP scheduled task is used to process the Resources file extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of Resources on the target system. Each of these Resources is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.

Note:

• For z/OS 2.3 the <HLQ>.JCLLIB(RACFRC) job needs to be executed on the mainframe prior to executing this task.
• For z/OS 2.4 the <HLQ>.JCLLIB(RACFRCOR) job needs to be executed on the mainframe prior to executing this task.

Table 5-10 describes the attributes of the scheduled task.

Table 5-10 Attributes of the RACF Reconcile Resources To Internal LDAP Task

Attribuite	Description
Domain OU	Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored. Sample value: racf
IT Resource	Enter the name of the IT resource that was configured for the target system. Sample value: RacfResource

5.4.4 Guidelines for Configuring Filtered Reconciliation to Multiple Resource Objects

Some organizations use multiple resource objects to represent multiple user types in their system. The Resource Object property of the RACF Reconcile All Users scheduled task is used to specify the resource object used during reconciliation, and you can enter more than one resource object in the value of the Resource Object attribute. Further, you can include IBM RACF attribute-value pairs to filter records for each resource object.

See Also:

RACF Reconcile All Users for information about the RACF Reconcile All Users scheduled task

The following is a sample format of the value for the Resource Object attribute:

(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2

As shown by RESOURCE_OBJECT2 in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object in the list. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.

Filter attributes should be surrounded by parentheses.

Apply the following guidelines while specifying a value for the Resource Object attribute:

• The names of the resource objects must be the same as the names that you specified while creating the resource objects in the Oracle Identity Manager Design Console.

• The IBM RACF attribute names must be the same as the names used in the LDAP Gateway configuration files.

• The value must be a regular expression as defined in the java.util.regex Java package. Note that the find() API call of the regex matcher is used rather than the matches() API call. This means that a substring matching rule can be specified in the pattern, rather than requiring the entire string matching rule.

  Further, substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".

• Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:

  (ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT

• Multiple filters can be applied to the attribute and to the same resource object. For example:

  (ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT

The following is a sample value for the Resource Object attribute:

(tsoProc:X)TSSR01,(instdata:value1|value2|value3)RacfResourceObject2,(tso)RacfResourceObject24000,Resource

In this sample value:

• (tsoProc:X)TSSRO1 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the TSSRO1 resource object.

• (instdata:value1|value2|value3)RacfResourceObject2 represents a user with value1, value2, or value3 as their INSTDATA attribute value. Records that meet this criterion are reconciled with the RacfResourceObject2 resource object.

• (tso)RacfResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the RacfResourceObject24000 resource object.

• All other records are reconciled with the resource object.

5.5 Configuring Account Status Reconciliation for IBM RACF Advanced Connector

Note:

This section describes an optional procedure. Perform this procedure only if you want reconciliation of user status changes on IBM RACF.

When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager. To configure reconciliation of user status changes made on IBM RACF:

1. In the RACF Reconcile All Users scheduled task, add the Status attribute to the SingleValueAttributes property list.
2. Log in to the Design Console:

   • In the OIMRacfSecretResourceObject resource object, create a reconciliation field to represent the Status attribute.

   • In the OIMRacfProvisioningProcess process definition, map the field for the Status field to the OIM_OBJECT_STATUS field.

5.6 Scheduled Tasks for IBM RACF Advanced Connector

Table 5-11 lists the scheduled tasks that you must configure.

Table 5-11 Scheduled Tasks for Lookup Field Synchronization and Reconciliation for IBM RACF

Scheduled Task	Description
RACF Find All Resources	This scheduled task is used to synchronize the values of resource profile lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.
RACF Find All Datasets	This scheduled task is used to synchronize the values of dataset lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.
RACF Find All Groups	This scheduled task is used to synchronize the values of group lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.
RACF Find All Security Attributes	This scheduled task is used to automatically populate the security attributes lookup field with IT Resource Key~Security Attribute Name pairs. For information about this scheduled task and its attributes, see Configuring the Security Attributes Lookup Field.
RACF Reconcile All Users	This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see RACF Reconcile All Users.
RACF Reconcile Deleted Users to OIM	This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the RACF User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see RACF Deleted User Reconciliation Using OIM.
RACF Reconcile Users to Internal LDAP	This scheduled task is used to reconcile users from the target system to the internal LDAP store. For information about this scheduled task and its attributes, see RACF Reconcile Users to Internal LDAP.
RACF Reconcile All LDAP Users	This scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. For information about this scheduled task and its attributes, see RACF Reconcile All LDAP Users.

5.7 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:

1. Log in to Identity System Administration.
2. In the left pane, under System Management, click Scheduler.
3. Search for and open the scheduled job as follows:
   1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
   2. In the search results table on the left pane, click the scheduled job in the Job Name column.
4. On the Job Details tab, you can modify the parameters of the scheduled task:
   • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
   • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

   In addition to modifying the job details, you can enable or disable a job.

5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

   Note:

   Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

6. Click Apply to save the changes.

   Note:

   You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

5.8 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

1. Log in to Identity Self Service.
2. Create a user as follows:
   1. In Identity Self Service, click Manage. The Home tab displays the different Manage option. Click Users. The Manage Users page is displayed.
   2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
   3. Enter details of the user in the Create User page.
3. On the Account tab, click Request Accounts.
4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
5. Specify value for fields in the application form and then click Ready to Submit.
6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page