立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - LDAP Connector for IBM RACF Reference Guide

RACF groups and RACF universal groups

A standard RACF group keeps track of its members in an attribute called racfGroupUserIds. This imposes a limit on the number of members a group can have because there is a fixed amount of space in a group’s profile to store this information. The limit is approximately 6,000 users.

To get around this, IBM introduced universal groups. Universal group profiles do not list user members whose group authority is set to USE, and since most users have this as their group authority, the number of possible user members is increased well over the 6,000 limit.

Creating a universal group

A universal group is created in the the same way as a standard group except that the racfAttributes attribute for the group must be set to UNIVERSAL when the group is created. This must be done when the group is created; a standard group cannot be converted to a universal group after it has been created.

Group authority

When a user is connected to a group, the user’s group authority level must be specified. The default level is USE, but it is possible to set this to a different value. To do this, a virtual attribute called vrtGroupPermission must be enabled for user mappings. This is done in the RACF connection configuration wizard on the Search Options panel. Select the box next to Use vrtGroupPermission to enable this virtual attribute in user searches and mappings.

Synchronizing group members

There are a number of ways to synchronize group memberships. The method used depends on whether the group is universal group and whether the group authority level needs to be a different value from the default of USE. There are three options available, but note that only one of the three options should be used with any one group:

  • Standard group and all users have default authority

    In this case, the list of group members must be synchronized to the racfGroupUserIds group attribute. Entries to be synchronized take the form of the DN of each user member. For more information, see Sample group mapping.

  • Universal group and all users have default authority

    In this case, the group memberships must be synchronized on a per-user basis using the racfConnectGroupName user attribute. Entries to be synchronized take the form of the DN of each of the groups that the user is to be connected to.

  • Any group type and some users have non-default authority

    In this case, the group memberships must be synchronized on a per-user basis using the virtual vrtGroupPermission user attribute. The values to be synchronized must take the form:

    <group ID> (<Authority level>)

RACF pass phrase support

Password values in RACF are eight characters or fewer in length. IBM has added support for longer passwords in RACF by implementing pass phrases. These longer values need to be stored differently to passwords.

When synchronising a user’s One Identity Manager password to RACF, the length of the password determines where the password should be stored. If it is eight characters or fewer in length it must be synchronised to the racfPassword attribute. If it is longer than eight characters it must be synchronised to the racfPassPhrase attribute. This can be achieved as follows.

First, create a new variable on the One Identity Manager side of type Script Property with name vrtsIsLongPassword and a data type of Boolean – logical value. In the Read script section for this variable, enter the following script depending on the script language defined for the connector:

C# Script

if( $UserPassword$.ToString().Length < 9)

return false;

return true;

VB Script

if Len($UserPassword$)<9 Then

Return False

End If

Return True

Then set up the password mapping as follows:

  • UserPassword → racfPassPhrase

    A condition needs to be set on this rule to map the password only when there is a value to be copied and it is more than eight characters in length.

    To add a condition

    • Create the mapping.

    • Edit the property mapping rule.

    • Expand the Condition for execution section at the bottom of the dialog.

    • Click Add condition and set the following condition (a blank password is indicated by using two apostrophe characters).

      Left.UserPassword<>'' and Left.vrtsIsLongPassword='1'

  • UserPassword → racfPassword

    A condition needs to be set on this rule to map the password only when there is a value to be copied and it is eight characters or fewer in length.

    To add a condition

    • Create the mapping.

    • Edit the property mapping rule.

    • Expand the Condition for execution section at the bottom of the dialog.

    • Click Add condition and set the following condition (a blank password is indicated by using two apostrophe characters).

      Left.UserPassword<>'' and Left.vrtsIsLongPassword='0'

RACF user attributes

The following table lists the RACF user attributes that are made available to One Identity Manager by the RACF LDAP connector.

Table 5: List of RACF user attributes

Attribute name

racfAttributes

racfAuthorizationDate

racfClassName

racfConnectGroupAuthority

racfConnectGroupName

racfConnectGroupUACC

racfDatasetModel

racfDefaultGroup

racfHavePassPhraseEnvelope

racfHavePasswordEnvelope

racfid

racfInstallationData

racfLastAccess

racfLogonDays

racfLogonTime

racfOwner

racfPassPhrase

racfPassPhraseChangeDate

racfPassPhraseEnvelope

racfPassword

racfPasswordChangeDate

racfPasswordEnvelope

racfPasswordInterval

racfProgrammerName

racfResumeDate

racfRevokeDate

racfSecurityLabel

racfSecurityLevel

RACF group attributes

The following table lists the RACF group attributes that are made available to One Identity Manager by the RACF LDAP connector.

Table 6: List of RACF group attributes

Attribute name

racfAuthorizationDate

racfDatasetModel

racfGroupNoTermUAC

racfGroupUniversal

racfGroupUserids

racfid

racfInstallationData

racfOwner

racfSubGroupName

racfSuperiorGroup

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级