Identity Manager 8.0 - LDAP Connector for IBM RACF Reference Guide

Object Matching Rules

  • DistinguishedName (primary rule) vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual dataset objects on the RACF system.

    To convert this mapping into an object matching rule

    1. Select the property mapping rule in the rule window.
    2. Click in the rule view toolbar.

      A message appears.

    3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.

    Sample value:

    racfdataset=ABCDB.*.**,profileType=dataset,cn=mainframe1,o=mycompany,c=com

Sample Data Set Profile Mapping

The following figure shows the above data set profile mapping in operation.

TSO Command Execution

The RACF LDAP Connector can be used to execute any TSO command on the connected system if the Quest RACF TDS Exit has been installed and configured. TSO command execution must be configured manually for the connector made available with One Identity Manager.

Create a custom-defined process using the process component "MFRComponent". Use the server function "RACF LDAP connector" to specify the execution server. This is the server on which the One Identity Manager Service is installed together with the RACF LDAP connector.

For more detailed information about configuring the server and creating processes, see the One Identity Manager Configuration Guide.

Auxiliary Classes

The RACF user and group objects have a number of auxiliary classes available to add extra attributes. There are 12 of these auxiliary classes in total.

Auxiliary classes that can extend the RACF user object:

  • SAFTSOSegment
  • SAFDfpSegment
  • racfCicsSegment
  • racfLanguageSegment
  • racfOperparmSegment
  • racfWorkAttrSegment
  • racfUserOmvsSegment
  • racfUserOvmSegment
  • racfNetviewSegment
  • racfDCESegment

Auxiliary classes that can extend the RACF group object:

  • racfGroupOmvsSegment
  • racfGroupOvmSegment
  • SAFDfpSegment

The list of the additional attributes that each of these makes available is given in Appendix: Auxiliary Classes.

When the RACF user or group object is viewed in the Synchronization Editor, all of the attributes made available by all of the above auxiliary classes are listed by default and can be used in user or group mappings. To make use of the additional attributes during a synchronization to RACF, the user or group object must contain the corresponding object class for each additional attribute; otherwise the attribute will be discarded. The object class attribute for a user is multi-valued and must contain the full list of all object classes needed for the user.

For example, the auxiliary class racfUserOvmSegment contains an attribute called racfOvmUid.

To successfully synchronize a value to this attribute for a user, the user object must contain the value racfUserOvmSegment in its object class attribute.
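The following pre-synchronization check is an added example, not code from One Identity or the connector. It flags attributes that would be discarded because their auxiliary class is missing from the object class attribute, and auxiliary classes that cannot extend the object type. The function name, the `<structural-class>` placeholder and the sample entries are assumptions; the attribute table holds only the one pair this page states and must be completed from Appendix: Auxiliary Classes.

```python
# Added example: check auxiliary-class coverage before a synchronization to RACF.
# Class lists are the ones given on this page.
USER_AUX = {
    "SAFTSOSegment", "SAFDfpSegment", "racfCicsSegment", "racfLanguageSegment",
    "racfOperparmSegment", "racfWorkAttrSegment", "racfUserOmvsSegment",
    "racfUserOvmSegment", "racfNetviewSegment", "racfDCESegment",
}
GROUP_AUX = {"racfGroupOmvsSegment", "racfGroupOvmSegment", "SAFDfpSegment"}

# Attribute -> auxiliary class that provides it. Only this pair appears on the
# page; the remaining pairs come from the appendix (assumption: you add them).
ATTR_TO_CLASS = {"racfOvmUid": "racfUserOvmSegment"}


def _fold(names):
    # LDAP attribute and object class names compare case-insensitively.
    return {n.lower() for n in names}


def check_entry(kind, entry, attr_to_class=ATTR_TO_CLASS):
    """Return (discarded, misplaced) for a 'user' or 'group' entry.

    discarded: attributes set on the entry whose auxiliary class is absent
               from objectClass, so the value would be dropped.
    misplaced: auxiliary classes in objectClass that cannot extend this kind.
    """
    allowed = _fold(USER_AUX if kind == "user" else GROUP_AUX)
    known_aux = _fold(USER_AUX | GROUP_AUX)
    object_classes = entry.get("objectClass", [])
    present = _fold(object_classes)
    provider = {a.lower(): c.lower() for a, c in attr_to_class.items()}

    discarded = sorted(
        a for a in entry
        if a.lower() in provider and provider[a.lower()] not in present
    )
    misplaced = sorted(
        c for c in object_classes
        if c.lower() in known_aux and c.lower() not in allowed
    )
    return discarded, misplaced


if __name__ == "__main__":
    # Constructed sample: racfOvmUid is mapped but its class is not listed.
    sample = {"objectClass": ["<structural-class>"], "racfOvmUid": ["1001"]}
    print(check_entry("user", sample))
```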
