
Identity Manager 9.2 - LDAP Connector for IBM RACF Reference Guide

System filtering on users and groups

The IBM Tivoli Directory Server does not support standard LDAP filtering, but a limited level of filtering functionality is available. The only attribute that can be filtered is racfid, which applies to both user and group names, so users and groups can be filtered by name.

This is done by applying a system filter to either the racfuser or racfgroup object of the form (racfid=<variable>*), where <variable> is the common prefix of the names to be imported.

For example, to import only users that start with ABC, the following system filter should be applied to the racfuser object:

(racfid=ABC*)

To import only groups beginning with #1, the following system filter should be applied to the racfgroup object:

(racfid=#1*)

Data set profile mapping information

This section shows a possible mapping between a user account in RACF and the standard One Identity Manager database table called LDAPGroup (a group is the closest equivalent in One Identity Manager to a data set profile). A mapping for RACF group already exists, so a filter needs to be applied in order to tell these apart.

  • When creating the data set profile mapping, add a new schema class as follows.

    Table 4: Schema class settings

    Property                       Value
    Schema type                    LDAPGroup
    Display name                   LDAPGroup (Data set profile)
    Class name                     LDAPGroup_datasetprofile
    Select objects: Condition      StructuralObjectClass='RACFDATASET'
    Select objects: Ignore case    Activated

  • Select this new schema class, LDAPGroup (Data set profile), for this mapping to racfDataset(all) on the RACF side.

For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.


Mandatory RACF data set profile attributes

When creating a data set profile in the RACF database, the following LDAP attributes must be defined:

  • objectclass

  • racfDataset


Property mapping rules

  • CanonicalName ← vrtEntryCanonicalName

    vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

    Sample value:

    COM/MYCOMPANY/MAINFRAME1/DATASET/ABCDB.*.**

  • cn ←→ racfDataset

    On the RACF system, this refers to the data set profile ID.

    Sample value:

    ABCDB.*.**

  • DistinguishedName ← vrtEntryDN

    vrtEntryDN is a virtual property, set to the DN of the object in the connector.

    Sample value:

    racfdataset=ABCDB.*.**,profiletype=dataset,cn=mainframe1,o=mycompany,c=com

  • ObjectClass ←→ objectClass

    The objectClass attribute (multi-valued) on the RACF system. Select the Ignore case sensitivity check box.

    Sample value:

    TOP;RACFBASECOMMON;RACFDATASET

  • StructuralObjectClass ← vrtStructuralObjectClass

    vrtStructuralObjectClass on the RACF system defines the single object class for the object type.

    Sample value:

    RACFDATASET

  • VRT_UID_LDPDomain ← vrtIdentDomain

    Create a fixed value property variable on the RACF side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to VRT_UID_LDPDomain, the attribute created by One Identity Manager when this step was performed for a group mapping above.

    Sample value:

    RACF_DOMAIN

  • vrtDatasetParentDN → vrtEntryParentDN

    Create a fixed value property variable on the One Identity Manager side called vrtDatasetParentDN equal to a fixed string with value $DatasetLocation$. Map this to vrtEntryParentDN on the RACF side.

    Sample value:

    profiletype=dataset,cn=mainframe1,o=mycompany,c=com

  • vrtDatasetRDN → vrtEntryRDN

    Create a new variable on the One Identity Manager side of type Script Property with the name vrtDatasetRDN and a data type of String. In the Scripts section, enter one of the following scripts in the Read script section, depending on whether your project is configured for C# or Visual Basic.

    C# Script

    references VI.TSUtils.dll;
    // Build the RDN from the current (or, for a rename, the old) cn value,
    // then swap the attribute type from cn to racfDataset.
    return (VI.TargetSystem.Base.Utils.LDAP.RDN.Create("cn", useOldValues ? $cn[o]$ : $cn$).ToString()).Replace("cn=", "racfDataset=");

    VB Script

    References VI.TSUtils.dll
    Imports VI.TargetSystem.Base.Utils.LDAP

    ' Build the RDN from the current (or, for a rename, the old) cn value,
    ' then swap the attribute type from cn to racfDataset.
    Dim name As String = ""
    If useOldValues Then
        name = $cn[o]$
    Else
        name = $cn$
    End If
    Return RDN.Create("cn", name).ToString().Replace("cn=", "racfDataset=")

    Then map this to vrtEntryRDN on the RACF side.

    Sample value:

    ABCDB.*.**

  • BusinessCategory ←→ uid

    This is a multi-valued string that contains the RACF user IDs and the rights they are granted for a particular data set profile. Changes to this list on the RACF side can be performed by synchronizing the necessary changes from the One Identity Manager side. BusinessCategory was chosen for the mapping as it was a pre-existing multi-valued string.

    Sample value:

    USER001(READ); USER002(ALTER); USER003(READ)

  • vrtDatasetMember ←→ racfPermitId

    This mapping is used to synchronize data set membership information.

    1. Create a new virtual entry on the One Identity Manager side of type Members of M:N schema types with the name vrtDatasetMember. Select the Ignore case and Enable relative component handling check boxes.

    2. Add the following M:N schema types:

      1. Add an entry for LDAPAccountInLDAPGroup. Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.

      2. Add an entry for LDAPGroupInLDAPGroup. Set the left box to UID_LDAPGroupParent and the right box to UID_LDAPGroupChild. Set the Primary Key Property to DistinguishedName.

    3. Create a new mapping rule of type Multi-reference mapping rule. Set the rule name to Member and the mapping direction to Both directions. Set the One Identity Manager schema property to vrtDatasetMember and the RACF schema property to racfPermitId.

      NOTE: When this membership mapping is set up at the same time as a mapping for groups (vrtMember <-> racfGroupUserids in the group mapping), the data set synchronization populates both the vrtDatasetMember and vrtMember attributes with the same values. The values stored in vrtMember can be ignored.
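The following is an added example, not code from the guide or from One Identity Manager: it reproduces what the vrtDatasetRDN and vrtDatasetParentDN mappings above produce (the racfDataset RDN joined to the $DatasetLocation$ parent DN) in plain Python, escaping the data set profile name per RFC 4514 so that a name containing a DN-special character cannot split the DN into extra components. The sample values are constructed to match the guide's examples.

```python
# Added example (not from the One Identity guide). Builds the racfDataset
# RDN and the full entry DN for a data set profile with RFC 4514 escaping.

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)          # characters that separate or quote
        elif ch == "\x00":
            out.append("\\00")             # NUL must be hex-escaped
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")              # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#' would mean a hex string
        else:
            out.append(ch)
    return "".join(out)


def dataset_rdn(cn: str) -> str:
    """Equivalent of the vrtDatasetRDN script: the cn value rendered as a
    racfDataset RDN. The attribute type is set directly instead of doing a
    text replace of 'cn=' on the finished string."""
    if not cn:
        raise ValueError("data set profile name (cn) must not be empty")
    return "racfDataset=" + escape_rdn_value(cn)


def dataset_dn(cn: str, dataset_location: str) -> str:
    """Join the RDN with the $DatasetLocation$ value (vrtDatasetParentDN).
    Attribute types are case-insensitive, so this matches the guide's
    'racfdataset=...' sample DN."""
    return dataset_rdn(cn) + "," + dataset_location


# Constructed sample value mirroring the guide's vrtDatasetParentDN example.
DATASET_LOCATION = "profiletype=dataset,cn=mainframe1,o=mycompany,c=com"

if __name__ == "__main__":
    print(dataset_dn("ABCDB.*.**", DATASET_LOCATION))
    # A comma in the name is escaped; unescaped it would read as a second RDN.
    print(dataset_dn("ABC,DB.**", DATASET_LOCATION))
```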
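A second added example, not from the guide: it parses the BusinessCategory ←→ uid access list described above (entries of the form USERID(ACCESS) separated by semicolons) and computes the change set a synchronization from One Identity Manager would push to RACF, flagging any entry whose access level goes up. The user ID pattern (1 to 8 characters from A-Z, 0-9, @, #, $) and the ordered list of RACF access levels are assumptions based on RACF conventions, not taken from the page; the sample strings are constructed.

```python
# Added example (not from the One Identity guide). Parses the uid access
# list string and diffs the RACF side against the One Identity Manager side.
import re

# RACF access levels in increasing order of privilege (assumed ordering).
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
_ENTRY = re.compile(r"^([A-Z0-9@#$]{1,8})\((" + "|".join(ACCESS_LEVELS) + r")\)$")


def parse_access_list(value: str) -> dict:
    """Turn 'USER001(READ); USER002(ALTER)' into {'USER001': 'READ', ...}.
    Malformed or duplicate entries raise instead of being silently dropped."""
    result = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        m = _ENTRY.match(item.upper())      # the mapping ignores case
        if not m:
            raise ValueError(f"malformed access list entry: {item!r}")
        userid, access = m.group(1), m.group(2)
        if userid in result:
            raise ValueError(f"duplicate user ID in access list: {userid}")
        result[userid] = access
    return result


def access_delta(current: str, desired: str) -> dict:
    """Changes needed so RACF (current) matches One Identity Manager (desired).
    'escalations' lists users whose access level would increase."""
    cur, new = parse_access_list(current), parse_access_list(desired)
    delta = {"add": {}, "change": {}, "escalations": [],
             "remove": sorted(cur.keys() - new.keys())}
    for user, access in new.items():
        if user not in cur:
            delta["add"][user] = access
        elif cur[user] != access:
            delta["change"][user] = (cur[user], access)
        if ACCESS_LEVELS.index(access) > ACCESS_LEVELS.index(cur.get(user, "NONE")):
            delta["escalations"].append(user)
    return delta


# Constructed sample values; the first matches the guide's sample value.
RACF_SIDE = "USER001(READ); USER002(ALTER); USER003(READ)"
OIM_SIDE = "USER001(READ); USER002(READ); USER004(ALTER)"

if __name__ == "__main__":
    print(access_delta(RACF_SIDE, OIM_SIDE))
```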
