System Filtering on Users and Groups
The IBM Tivoli Directory Server does not support standard LDAP filtering but a limited level of functionality is supported. The only attribute that can be filtered is racfid which can apply to both user and group names. This means that it is possible to filter on the names of both users and groups.
This is done by applying a system filter to either the racfuser or racfgroup objects of the form (racfid=<variable>*) where <variable> applies to a common prefix.
For example, to import only the users that start with "ABC" the following system filter should be applied to the racfuser object:
(racfid=ABC*)
To import only the groups beginning with "#1" the following system filter should be applied to the racfgroup object:
(racfid=#1*)
Data Set Profile Mapping Information
This section shows a possible mapping between a user account in RACF and the standard One Identity Manager database table called LDAPGroup (a group is the closest equivalent in One Identity Manager to a data set profile). A mapping for RACF group already exists, so a filter needs to be applied in order to tell these apart.
- When creating the data set profile mapping, add a new schema class as follows.
Table 4: Schema class settings Property
Value
Schema type LDAPGroup Display name LDAPGroup (Data set profile) Class name LDAPGroup_datasetprofile Select objects: Condition StructuralObjectClass='RACFDATASET' Select objects: Ignore case Activated - Select this new schema class, LDAPGroup (Data set profile) for this mapping to racfDataset(all) on the RACF side.
For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.
Detailed information about this topic
- Mandatory RACF Data Set Profile Attributes
- Property Mapping Rules
- Object Matching Rules
- Group Mapping Information
- Sample Data Set Profile Mapping
Mandatory RACF Data Set Profile Attributes
When creating a data set profile in the RACF database, the following LDAP attributes must be defined:
- objectclass
- racfDataset
Related Topics
Property Mapping Rules
- CanonicalName ← vrtEntryCanonicalName
vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.
Sample value:
COM/MYCOMPANY/MAINFRAME1/DATASET/ABCDB.*.**
- cn ←→ racfDataset
On the RACF system, this refers to the dataset profile ID.
Sample value:
ABCDB.*.**
- DistinguishedName ← vrtEntryDN
vrtEntryDN is a virtual property, set to the DN of the object in the connector.
Sample value:
racfdataset=ABCDB.*.**,profiletype=dataset,cn=mainframe1,o=mycompany,c=com
- ObjectClass ←→ objectClass
The objectClass attribute (multi-valued) on the RACF system. Activate the check box Ignore case sensitivity.
Sample value:
TOP;RACFBASECOMMON;RACFDATASET
- StructuralObjectClass ← vrtStructuralObjectClass
vrtStructuralObjectClass on the RACF system defines the single object class for the object type.
Sample value:
RACFDATASET
- VRT_UID_LDPDomain ← vrtIdentDomain
Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to VRT_UID_LDPDomain, the attribute created by One Identity Manager when this step was performed for a group mapping above.
Sample value:
RACF_DOMAIN
- vrtDatasetParentDN → vrtEntryParentDN
Create a fixed value property variable on the One Identity Manager side called vrtDatasetParentDN equal to a fixed string with value $DatasetLocation$. Map this to vrtEntryParentDN on the RACF side.
Sample value:
profiletype=dataset,cn=mainframe1,o=mycompany,c=com
- vrtDatasetRDN → vrtEntryRDN
Create a new variable on the One Identity Manager side of type "Script Property" with name vrtDatasetRDN and a data type of "string". In the Scripts section, enter one of the he following scripts in the "Read script" section, depending on whether your project is configured for C# or Visual Basic.
C# Script
references VI.TSUtils.dll;
return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=","racfDataset=");
VB Script
References VI.TSUtils.dll
Imports VI.TargetSystem.Base.Utils.LDAP
Dim name as String = ""
If useOldValues Then
name = $cn[o]$
Else
name = $cn$
End If
return RDN.Create("cn",name).ToString().Replace("cn=","racfDataset=")
Then map this to vrtEntryRDN on the RACF side.
Sample value:
ABCDB.*.**
- BusinessCategory ←→ uid
This is a multi-valued string that contains the RACF user IDs and the rights they have been granted for a particular data set profile. Changes to this list on the RACF side can be performed by synchronizing the necessary changes from the One Identity Manager side. BusinessCategory was chosen for the mapping as it was a pre-existing multi-valued string.
Sample value:
USER001(READ); USER002(ALTER); USER003(READ)
-
vrtDatasetMember ←→ racfPermitId
This mapping is used to synchronize data set membership information.
- Create a new virtual entry on the One Identity Manager side of type "Members of M:N schema types" with name vrtDatasetMember. Activate the check boxes to Ignore case and Enable relative component handling.
-
Add the following M:N schema types:
- Add an entry for LDAPAccountInLDAPGroup. Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.
-
Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupParent and the right box to UID_LDAPGroupChild. Set the Primary Key Property to DistinguishedName.
-
Create a new mapping rule of type "Multi-reference mapping rule". Set the rule name to "Member" and the mapping direction to "Both directions". Set the One Identity Manager schema property to vrtDatasetMember and the RACF schema property to racfPermitId.
NOTE: When this membership mapping has been set up at the same time as that for groups (vrtMember <-> racfGroupUserids in the group mapping) the data set synchronization will populate both the vrtDatasetMember and vrtMember attributes with the same values. The values stored in vrtMember can be ignored.
