
Identity Manager 8.0 - LDAP Connector for IBM RACF Reference Guide

RACF Groups and RACF Universal Groups

A standard RACF group keeps track of its members in an attribute called racfGroupUserIds. This imposes a limit on the number of members a group can have because there is a fixed amount of space in a group’s profile to store this information. The limit is approximately 6,000 users.

To get around this, IBM introduced universal groups. A universal group profile does not list the user members whose group authority is USE. Since most users connect with this authority, the number of possible user members rises well above the 6,000 limit.

Creating a Universal Group

A universal group is created in the same way as a standard group, except that the group's racfAttributes attribute must be set to UNIVERSAL at creation time. This cannot be done afterwards; a standard group cannot be converted to a universal group once it has been created.

Group Authority

When a user is connected to a group, the user’s group authority level needs to be specified. The default level is USE but it is possible to set this to a different value. In order to do this, a virtual attribute called vrtGroupPermission needs to be enabled for user mappings. This is done in the RACF connection configuration wizard on the "Search Options" panel. Check the box next to Use vrtGroupPermission to enable this virtual attribute in user searches and mappings.

Synchronizing Group Members

There are a number of ways to synchronize group memberships. The method to use depends on whether the group is a universal group and whether any member needs a group authority level other than the default of USE. Three options are available, but note that only one of them should be used with any one group:

  • Standard Group and all Users have Default Authority

    In this case, the list of group members should be synchronized to the group attribute racfGroupUserIds. Entries to be synchronized take the form of the DN of each user member. For more information, see Sample Group Mapping.

  • Universal Group and all Users have Default Authority

    In this case, the group memberships need to be synchronized on a per-user basis using the user attribute racfConnectGroupName. Entries to be synchronized take the form of the DN of each of the groups that the user is to be connected to.

  • Any Group Type and some Users have non-Default Authority

    In this case, the group memberships need to be synchronized on a per-user basis using the virtual user attribute vrtGroupPermission. The values to be synchronized must take the form

    <group ID> (<Authority level>)
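The following is an added example, not code from the One Identity documentation or the RACF LDAP Connector: given a desired set of memberships, it picks the one attribute each group should be written through according to the three rules above and builds the values in the required form. The DN layout (`racfid=...,profiletype=...,cn=racf`) and the non-USE authority names (CREATE, CONNECT, JOIN are standard RACF values the page does not list) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_AUTHORITY = "USE"
# The page names only USE; the other values are standard RACF group authorities.
VALID_AUTHORITIES = {"USE", "CREATE", "CONNECT", "JOIN"}
# Assumed DN layout of the RACF LDAP backend; adjust to the real suffix.
BASE_DN = "cn=racf"


@dataclass(frozen=True)
class Membership:
    user_id: str
    group_id: str
    authority: str = DEFAULT_AUTHORITY


def user_dn(user_id):
    return f"racfid={user_id},profiletype=user,{BASE_DN}"


def group_dn(group_id):
    return f"racfid={group_id},profiletype=group,{BASE_DN}"


def plan_sync(memberships, universal_groups):
    """Return the values to write per attribute:
    racfGroupUserIds: {group_id: [user DNs]}          (standard group, all USE)
    racfConnectGroupName: {user DN: [group DNs]}       (universal group, all USE)
    vrtGroupPermission: {user DN: ["<group ID> (<authority>)"]} (any non-USE)
    Each group is routed through exactly one of the three attributes."""
    plan = {"racfGroupUserIds": defaultdict(list),
            "racfConnectGroupName": defaultdict(list),
            "vrtGroupPermission": defaultdict(list)}
    by_group = defaultdict(list)
    for m in memberships:
        if m.authority not in VALID_AUTHORITIES:
            raise ValueError(f"unknown group authority {m.authority!r} for {m.user_id}")
        by_group[m.group_id].append(m)
    for gid, members in by_group.items():
        if any(m.authority != DEFAULT_AUTHORITY for m in members):
            # Some member needs non-default authority: whole group goes per-user.
            for m in members:
                plan["vrtGroupPermission"][user_dn(m.user_id)].append(f"{gid} ({m.authority})")
        elif gid in universal_groups:
            # Universal group profiles do not list USE members; write from the user side.
            for m in members:
                plan["racfConnectGroupName"][user_dn(m.user_id)].append(group_dn(gid))
        else:
            plan["racfGroupUserIds"][gid] = [user_dn(m.user_id) for m in members]
    return {attr: dict(values) for attr, values in plan.items()}
```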

Appendix: RACF User Attributes

The following table lists the RACF user attributes that are made available to One Identity Manager by the RACF LDAP Connector.

Table 5: List of RACF User Attributes

Attribute Name

racfAttributes
racfAuthorizationDate
racfClassName
racfConnectGroupAuthority
racfConnectGroupName
racfConnectGroupUACC
racfDatasetModel
racfDefaultGroup
racfHavePassPhraseEnvelope
racfHavePasswordEnvelope
racfid
racfInstallationData
racfLastAccess
racfLogonDays
racfLogonTime
racfOwner
racfPassPhrase
racfPassPhraseChangeDate
racfPassPhraseEnvelope
racfPassword
racfPasswordChangeDate
racfPasswordEnvelope
racfPasswordInterval
racfProgrammerName
racfResumeDate
racfRevokeDate
racfSecurityLabel
racfSecurityLevel

Appendix: RACF Group Attributes

The following table lists the RACF group attributes that are made available to One Identity Manager by the RACF LDAP Connector.

Table 6: List of RACF Group Attributes

Attribute Name

racfAuthorizationDate
racfDatasetModel
racfGroupNoTermUAC
racfGroupUniversal
racfGroupUserids
racfid
racfInstallationData
racfOwner
racfSubGroupName
racfSuperiorGroup

Appendix: RACF Data Set Profile Attributes

If the Quest RACF TDS Exit has been installed and enabled, the following RACF data set profile attributes will be made available to One Identity Manager by the RACF LDAP Connector.

Table 7: List of RACF Data Set Profile Attributes

Attribute Name

racfAccess
racfAudit
racfCreateGroup
racfDataset
racfErase
racfGlobalAudit
racfNotify
racfOwner
racfPermitid
racfUacc
racfWarning
uid