A standard RACF group keeps track of its members in an attribute called racfGroupUserIds. This imposes a limit on the number of members a group can have because there is a fixed amount of space in a group’s profile to store this information. The limit is approximately 6,000 users.
To get around this limit, IBM introduced universal groups. A universal group profile does not list user members whose group authority is USE. Since most users have USE as their group authority, the number of possible user members rises well above the 6,000 limit.
A universal group is created in the same way as a standard group, except that the group's racfAttributes attribute must be set to UNIVERSAL at creation time. A standard group cannot be converted to a universal group after it has been created.
When a user is connected to a group, the user’s group authority level needs to be specified. The default level is USE but it is possible to set this to a different value. In order to do this, a virtual attribute called vrtGroupPermission needs to be enabled for user mappings. This is done in the RACF connection configuration wizard on the "Search Options" panel. Check the box next to Use vrtGroupPermission to enable this virtual attribute in user searches and mappings.
There are a number of ways to synchronize group memberships. The method to use depends on whether the group is a universal group and whether the group authority level needs to differ from the default of USE. Three options are available; note that only one of the three should be used with any one group:
1. Synchronize the list of group members to the group attribute racfGroupUserIds. Entries to be synchronized take the form of the DN of each user member. For more information, see Sample Group Mapping.
2. Synchronize the group memberships on a per-user basis using the user attribute racfConnectGroupName. Entries to be synchronized take the form of the DN of each group that the user is to be connected to.
3. Synchronize the group memberships on a per-user basis using the virtual user attribute vrtGroupPermission. The values to be synchronized must take the form
   <group ID> (<Authority level>)
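As an added example (not code from One Identity or IBM), the following script builds the values for each of the three synchronization methods and validates the vrtGroupPermission format. The choice of method follows this page's description (a non-USE authority requires vrtGroupPermission; a universal group does not list USE members in its profile, so its memberships are synchronized per user), while the DN layout (racfid=..., profiletype=..., cn=RACF), the character class for RACF IDs and the sample member data are assumptions.

```python
import re

# RACF group authority levels. USE is the default described on this page;
# CREATE, CONNECT and JOIN are the other RACF group authorities.
GROUP_AUTHORITIES = ("USE", "CREATE", "CONNECT", "JOIN")
# RACF IDs are 1-8 characters; the exact character class is an assumption.
_VRT_RE = re.compile(r"^([A-Z0-9@#$]{1,8}) \(([A-Z]+)\)$")
BASE_DN = "cn=RACF"  # constructed sample suffix; DN layout is an assumption

def user_dn(user_id):
    return f"racfid={user_id.upper()},profiletype=USER,{BASE_DN}"

def group_dn(group_id):
    return f"racfid={group_id.upper()},profiletype=GROUP,{BASE_DN}"

def is_universal(group):
    """A universal group carries UNIVERSAL in racfAttributes (set at creation)."""
    return "UNIVERSAL" in {a.upper() for a in group.get("racfAttributes", [])}

def vrt_group_permission(group_id, authority="USE"):
    """Format one vrtGroupPermission value: '<group ID> (<Authority level>)'."""
    authority = authority.upper()
    if authority not in GROUP_AUTHORITIES:
        raise ValueError(f"unknown group authority: {authority}")
    return f"{group_id.upper()} ({authority})"

def parse_vrt_group_permission(value):
    """Validate and split a vrtGroupPermission value; reject malformed input."""
    m = _VRT_RE.match(value)
    if not m or m.group(2) not in GROUP_AUTHORITIES:
        raise ValueError(f"malformed vrtGroupPermission value: {value!r}")
    return m.group(1), m.group(2)

def plan_sync(group, members):
    """Pick the single synchronization method for `group` and build its values.
    group: dict with 'racfid' and 'racfAttributes'; members: {user_id: authority}.
    Returns the attribute to write, whether it is written per user, and the values."""
    gid = group["racfid"]
    if any(a.upper() != "USE" for a in members.values()):
        # Option 3: authority differs from USE, one value per user on vrtGroupPermission
        return {"attribute": "vrtGroupPermission", "per_user": True,
                "values": {u: [vrt_group_permission(gid, a)] for u, a in members.items()}}
    if is_universal(group):
        # Option 2: universal group, group DN written to each user's racfConnectGroupName
        return {"attribute": "racfConnectGroupName", "per_user": True,
                "values": {u: [group_dn(gid)] for u in members}}
    # Option 1: standard group, member DNs written to the group's racfGroupUserIds
    return {"attribute": "racfGroupUserIds", "per_user": False,
            "values": {gid: [user_dn(u) for u in members]}}
```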
The following table lists the RACF user attributes that are made available to One Identity Manager by the RACF LDAP Connector.
The following table lists the RACF group attributes that are made available to One Identity Manager by the RACF LDAP Connector.
If the Quest RACF TDS Exit has been installed and enabled, the following RACF data set profile attributes will be made available to One Identity Manager by the RACF LDAP Connector.