Property Mapping Rules
- CanonicalName ← vrtEntryCanonicalName
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
Sample value:
COM/MYCOMPANY/MAINFRAME1/USER/USER1234
- cn ←→ racfid
On the RACF system, racfid is the user ID.
Sample value:
USER1234
- DistinguishedName ← vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. Activate the check box Force mapping against direction of synchronization.
Sample value:
racfid=USER1234,profiletype=user,cn=mainframe1,o=mycompany,c=com
- ObjectClass ←→ objectClass
The objectClass attribute (multi-valued) on the RACF system. Activate the check box Ignore case sensitivity.
Sample value:
TOP;RACFBASECOMMON;RACFUSER
- StructuralObjectClass ← vrtStructuralObjectClass
vrtStructuralObjectClass on the RACF system defines the single object class for the object type. Activate the check box Ignore case sensitivity.
Sample value:
RACFUSER
- UID_LDPDomain ← vrtIdentDomain
Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.
To solve the conflict
- In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
- On the Select an element... page, select Ident_Domain and click OK.
- Confirm the security prompt with OK.
- On the Edit property... page,
- Deactivate Save unresolvable keys.
- Activate Handle failure to resolve as error.
- To close the Property Mapping Rule Conflict Wizard, click OK.
- Activate the check box Force mapping against direction of synchronization.
Sample value:
RACF_DOMAIN
- vrtParentDN → vrtEntryParentDN
Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $UserLocation$. Map this to vrtEntryParentDN on the RACF side.
Sample value:
profiletype=user,cn=mainframe1,o=mycompany,c=com
- vrtRDN → vrtEntryRDN
Create a new variable on the One Identity Manager side of type "Script Property" with name vrtRDN and a data type of "string". In the Scripts section, enter one of the he following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.
C# Script
references VI.TSUtils.dll;
return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfid=");
VB Script
References VI.TSUtils.dll
Imports VI.TargetSystem.Base.Utils.LDAP
Dim name as String = ""
If useOldValues Then
name = $cn[o]$
Else
name = $cn$
End If
return RDN.Create("cn",name).ToString().Replace("cn=","racfid=")
Then map this to vrtEntryRDN on the RACF side.
Sample value:
USER1234
- userPassword → racfPassword
Used to change a user’s RACF password. A condition needs to be set on this rule to map the password only when there is a value to be copied.
To add a condition
- Create the mapping.
- Edit the property mapping rule.
- Expand the Condition for execution section at the bottom of the dialog.
- Click on Add condition and set the following condition (a blank password is indicated by using two apostrophe characters).
Left.UserPassword<>''
- UID_LDAPContainer ← vrLDAPContainerDN
This is a workaround needed to support group mappings. Create a new fixed value variable on the RACF side of type "String" with no value called vrtLDAPContainerDN with the value set to $UserLocation$. This generates a property mapping rule conflict.
To solve the conflict
- In the Property Mapping Rule Conflict Wizard, select the first option and click OK.
- On the Select an element... page, select DistinguishedName and click OK.
- Confirm the security prompt with OK.
- On the Edit property... page,
- Deactivate Save unresolvable keys.
- Activate Handle failure to resolve as error.
- Active Ignore case.
- To close the Property Mapping Rule Conflict Wizard, click OK.
Related Topics
Object Matching Rules
- DistinguishedName (primary rule) vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the RACF system.
To convert this mapping into an object matching rule
- Select the property mapping rule in the rule window.
- Click
in the rule view toolbar.
A message appears.
- Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.
-
Edit the object mapping rule and ensure that the Case sensitive check box is not activated.
Sample value:
racfid=USER1234,profiletype=user,cn=mainframe1,o=mycompany,c=com
Related Topics
Sample User Mapping
The following figure shows the above user mapping in operation.
Group Mapping Information
This section shows a possible mapping between a user account in RACF and the standard One Identity Manager database table called LDAPGroup. The data set profile mapping used later also maps to LDAPGroup so a filter needs to be applied in order to tell these apart.
- When creating the group mapping, add a new schema class as follows.
Table 3: Schema class settings Property
Value
Schema type LDAPGroup Display name LDAPGroup (RACF Group) Class name LDAPGroup_racfgroup Select objects: Condition StructuralObjectClass='racfgroup' Select objects: Ignore case Activated - Select this new schema class, LDAPGroup (RACF Group) for this mapping to racfGroup(all) on the RACF side.
For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.