Identity Manager 8.0 - LDAP Connector for IBM RACF Reference Guide

System Filtering on Users and Groups

The IBM Tivoli Directory Server does not support standard LDAP filtering; only a limited subset is available. The only attribute that can be filtered is racfid, which carries both user and group names, so filtering is possible on the names of both users and groups.

This is done by applying a system filter of the form (racfid=<variable>*) to either the racfuser or racfgroup object, where <variable> is a common prefix of the names to be imported.

For example, to import only the users that start with "ABC" the following system filter should be applied to the racfuser object:

(racfid=ABC*)

To import only the groups beginning with "#1" the following system filter should be applied to the racfgroup object:

(racfid=#1*)
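The following Python is an added example, not part of the guide or of the connector. It accepts only the filter shape the guide says the RACF backend supports, (racfid=PREFIX*), rejects anything else up front, and applies the prefix to constructed sample racfuser and racfgroup entries; the regular expression and the sample IDs are this example's own.

```python
import re

# The guide states the RACF LDAP backend only supports filtering on racfid with a
# common prefix, i.e. filters of the shape (racfid=PREFIX*). Anything else is
# rejected here instead of being passed through. The pattern is this example's own.
_RACF_PREFIX_FILTER = re.compile(r"^\(racfid=([^()*=\\]*)\*\)$", re.IGNORECASE)


def parse_system_filter(filter_text: str) -> str:
    """Return the prefix of a supported RACF system filter, or raise ValueError."""
    match = _RACF_PREFIX_FILTER.match(filter_text.strip())
    if match is None:
        raise ValueError(f"unsupported system filter for RACF: {filter_text!r}")
    return match.group(1)


def apply_system_filter(filter_text: str, entries: list) -> list:
    """Keep only entries whose racfid starts with the filter prefix.

    RACF IDs are case-insensitive, so the comparison is done in upper case.
    """
    prefix = parse_system_filter(filter_text).upper()
    return [e for e in entries if e["racfid"].upper().startswith(prefix)]


# Constructed sample data standing in for racfuser and racfgroup objects.
SAMPLE_USERS = [
    {"racfid": "ABC001", "objectclass": "racfuser"},
    {"racfid": "ABC002", "objectclass": "racfuser"},
    {"racfid": "XYZ001", "objectclass": "racfuser"},
]
SAMPLE_GROUPS = [
    {"racfid": "#1ADMIN", "objectclass": "racfgroup"},
    {"racfid": "#2OPS", "objectclass": "racfgroup"},
    {"racfid": "SYS1", "objectclass": "racfgroup"},
]


def filtered_user_ids(filter_text: str = "(racfid=ABC*)") -> list:
    """IDs of the sample users that the given racfuser system filter would import."""
    return [e["racfid"] for e in apply_system_filter(filter_text, SAMPLE_USERS)]


def filtered_group_ids(filter_text: str = "(racfid=#1*)") -> list:
    """IDs of the sample groups that the given racfgroup system filter would import."""
    return [e["racfid"] for e in apply_system_filter(filter_text, SAMPLE_GROUPS)]


if __name__ == "__main__":
    print(filtered_user_ids())   # ['ABC001', 'ABC002']
    print(filtered_group_ids())  # ['#1ADMIN']
```

Rejecting unsupported filters explicitly matters here: a compound filter such as (&(racfid=ABC*)(objectclass=racfuser)) is not something the backend can evaluate, and silently dropping the extra terms would import more objects than intended.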

Data Set Profile Mapping Information

This section shows a possible mapping between a user account in RACF and the standard One Identity Manager database table called LDAPGroup (a group is the closest equivalent in One Identity Manager to a data set profile). A mapping for RACF group already exists, so a filter needs to be applied in order to tell these apart.

  • When creating the data set profile mapping, add a new schema class as follows.
    Table 4: Schema class settings

    Property                       Value
    Schema type                    LDAPGroup
    Display name                   LDAPGroup (Data set profile)
    Class name                     LDAPGroup_datasetprofile
    Select objects: Condition      StructuralObjectClass='RACFDATASET'
    Select objects: Ignore case    Activated
  • Select this new schema class, LDAPGroup (Data set profile), for this mapping to racfDataset(all) on the RACF side.

For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.

Mandatory RACF Data Set Profile Attributes

When creating a data set profile in the RACF database, the following LDAP attributes must be defined:

  • objectclass
  • racfDataset

Property Mapping Rules

  • CanonicalName ← vrtEntryCanonicalName

    vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

    Sample value:

    COM/MYCOMPANY/MAINFRAME1/DATASET/ABCDB.*.**

  • cn ←→ racfDataset

    On the RACF system, this refers to the dataset profile ID.

    Sample value:

    ABCDB.*.**

  • DistinguishedName ← vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector.

    Sample value:

    racfdataset=ABCDB.*.**,profiletype=dataset,cn=mainframe1,o=mycompany,c=com

  • ObjectClass ←→ objectClass

    The objectClass attribute (multi-valued) on the RACF system. Activate the check box Ignore case sensitivity.

    Sample value:

    TOP;RACFBASECOMMON;RACFDATASET

  • StructuralObjectClass ← vrtStructuralObjectClass

    vrtStructuralObjectClass on the RACF system defines the single object class for the object type.

    Sample value:

    RACFDATASET

  • VRT_UID_LDPDomain ← vrtIdentDomain

    Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to VRT_UID_LDPDomain, the attribute created by One Identity Manager when this step was performed for a group mapping above.

    Sample value:

    RACF_DOMAIN

  • vrtDatasetParentDN → vrtEntryParentDN

    Create a fixed value property variable on the One Identity Manager side called vrtDatasetParentDN equal to a fixed string with value $DatasetLocation$. Map this to vrtEntryParentDN on the RACF side.

    Sample value:

    profiletype=dataset,cn=mainframe1,o=mycompany,c=com

  • vrtDatasetRDN → vrtEntryRDN

    Create a new variable on the One Identity Manager side of type "Script Property" with the name vrtDatasetRDN and a data type of "string". In the Scripts section, enter one of the following scripts in the "Read script" field, depending on whether your project is configured for C# or Visual Basic.

    C# Script

    references VI.TSUtils.dll;
    return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfDataset=");

    VB Script

    References VI.TSUtils.dll
    Imports VI.TargetSystem.Base.Utils.LDAP

    Dim name As String = ""
    If useOldValues Then
        name = $cn[o]$
    Else
        name = $cn$
    End If
    Return RDN.Create("cn", name).ToString().Replace("cn=", "racfDataset=")

    Then map this to vrtEntryRDN on the RACF side.

    Sample value:

    ABCDB.*.**
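As an added example (not the guide's or the connector's own code), the Python below does the same job as the read script above outside One Identity Manager: it picks the old or new cn depending on a useOldValues flag, escapes the value as an RDN attribute value, and composes the full DN with the parent DN that vrtDatasetParentDN supplies. The escaping follows RFC 4514 section 2.4; the page does not say which escaping rules VI's RDN.Create applies, so treat that equivalence as an assumption. DATASET_LOCATION is a constructed stand-in for the $DatasetLocation$ variable.

```python
# RFC 4514 section 2.4: these characters must be escaped anywhere in an attribute
# value; a leading '#' and a leading or trailing space must also be escaped.
_ESCAPE_ANYWHERE = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape a single attribute value for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def dataset_rdn(cn: str, cn_old: str = None, use_old_values: bool = False) -> str:
    """Build the racfDataset RDN for a data set profile.

    Mirrors the page's read script: when use_old_values is set the previous value
    of cn ($cn[o]$) is used, otherwise the current one ($cn$). The attribute type is
    written directly instead of rewriting a "cn=" prefix afterwards.
    """
    name = cn_old if use_old_values else cn
    if not name:
        raise ValueError("no data set profile ID available for the RDN")
    return "racfDataset=" + escape_rdn_value(name)


def dataset_dn(cn: str, parent_dn: str, cn_old: str = None,
               use_old_values: bool = False) -> str:
    """Full DN of the profile: RDN followed by the parent DN (vrtEntryParentDN)."""
    return dataset_rdn(cn, cn_old, use_old_values) + "," + parent_dn


# Constructed value standing in for $DatasetLocation$ (vrtDatasetParentDN).
DATASET_LOCATION = "profiletype=dataset,cn=mainframe1,o=mycompany,c=com"


if __name__ == "__main__":
    print(dataset_rdn("ABCDB.*.**"))                    # racfDataset=ABCDB.*.**
    print(dataset_dn("ABCDB.*.**", DATASET_LOCATION))
    print(dataset_rdn("#1.DATA,X"))                     # racfDataset=\#1.DATA\,X
```

Writing the attribute type directly, rather than replacing "cn=" in the finished string as the page's script does, keeps the rewrite from ever touching the value part of the RDN. Attribute type names are case-insensitive, which is why the guide's sample DN spells it racfdataset while the script produces racfDataset.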

  • BusinessCategory ←→ uid

    This is a multi-valued string that contains the RACF user IDs and the rights they have been granted for a particular data set profile. Changes to this list on the RACF side can be performed by synchronizing the necessary changes from the One Identity Manager side. BusinessCategory was chosen for the mapping as it was a pre-existing multi-valued string.

    Sample value:

    USER001(READ); USER002(ALTER); USER003(READ)
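The uid value above is a flat string, so before pushing a change from One Identity Manager it is worth seeing exactly which permits the synchronization would add, alter or remove. The Python below is an added example, not code from the guide or the connector: it parses the USERID(ACCESS) list, validates each access level against the RACF access authorities, diffs a desired list against the current one and lists the entries that raise a user's access. The user ID syntax (1 to 8 characters from A-Z, 0-9, #, @ and $) and the sample lists are this example's own assumptions.

```python
import re

# RACF access authorities for data set profiles, lowest to highest.
ACCESS_LEVELS = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")

# One entry of the uid / BusinessCategory value: USERID(ACCESS). The ID syntax
# used here (1-8 characters, A-Z 0-9 # @ $) is this example's assumption.
_GRANT = re.compile(r"^\s*([A-Z0-9@#$]{1,8})\((\w+)\)\s*$", re.IGNORECASE)


def parse_access_list(value: str) -> dict:
    """Parse 'USER001(READ); USER002(ALTER)' into {'USER001': 'READ', ...}."""
    grants = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        m = _GRANT.match(item)
        if m is None:
            raise ValueError(f"malformed access entry: {item.strip()!r}")
        user_id, access = m.group(1).upper(), m.group(2).upper()
        if access not in ACCESS_LEVELS:
            raise ValueError(f"unknown RACF access level {access!r} for {user_id}")
        grants[user_id] = access
    return grants


def format_access_list(grants: dict) -> str:
    """Inverse of parse_access_list, in the format the sample value uses."""
    return "; ".join(f"{uid}({acc})" for uid, acc in sorted(grants.items()))


def diff_access_lists(desired: dict, current: dict) -> dict:
    """Permits the sync would add, change (old, new) or remove on the RACF side."""
    return {
        "add": {u: a for u, a in desired.items() if u not in current},
        "change": {u: (current[u], a) for u, a in desired.items()
                   if u in current and current[u] != a},
        "remove": {u: current[u] for u in current if u not in desired},
    }


def privilege_escalations(diff: dict) -> list:
    """User IDs whose access the diff would raise; these deserve review before sync."""
    rank = {lvl: i for i, lvl in enumerate(ACCESS_LEVELS)}
    raised = [u for u, (old, new) in diff["change"].items() if rank[new] > rank[old]]
    raised += [u for u, a in diff["add"].items() if rank[a] > rank["NONE"]]
    return sorted(raised)


# Constructed sample values: what RACF currently holds and what IdM wants.
CURRENT_VALUE = "USER001(READ); USER002(ALTER); USER003(READ)"
DESIRED_VALUE = "USER001(READ); USER002(READ); USER004(UPDATE)"


def planned_changes() -> dict:
    return diff_access_lists(parse_access_list(DESIRED_VALUE),
                             parse_access_list(CURRENT_VALUE))


if __name__ == "__main__":
    plan = planned_changes()
    print(plan)
    print("access raised for:", privilege_escalations(plan))  # ['USER004']
```

Rejecting an unknown access level at parse time is deliberate: a typo such as ALTR in the IdM-side value should stop the synchronization rather than be written to RACF and interpreted there.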

  • vrtDatasetMember ←→ racfPermitId

    This mapping is used to synchronize data set membership information.

    1. Create a new virtual entry on the One Identity Manager side of type "Members of M:N schema types" with name vrtDatasetMember. Activate the check boxes to Ignore case and Enable relative component handling.
    2. Add the following M:N schema types:

      1. Add an entry for LDAPAccountInLDAPGroup. Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
      2. Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupParent and the right box to UID_LDAPGroupChild. Set the Primary Key Property to DistinguishedName.

    3. Create a new mapping rule of type "Multi-reference mapping rule". Set the rule name to "Member" and the mapping direction to "Both directions". Set the One Identity Manager schema property to vrtDatasetMember and the RACF schema property to racfPermitId.

      NOTE: When this membership mapping has been set up at the same time as that for groups (vrtMember <-> racfGroupUserids in the group mapping) the data set synchronization will populate both the vrtDatasetMember and vrtMember attributes with the same values. The values stored in vrtMember can be ignored.