Automatic Groups Definition for CA-ACF2

Automatic Groups Definition for CA-ACF2


Logical grouping of IDs, that is, groups, do not exist in CA-ACF2 as independent entities as in other security products. In CA-ACF2, groups are implemented by using the UID (User Identification) string.

The UID string is a set of user-defined Logonid fields that are concatenated together in sequence. The UID string is used for access evaluation during rule interpretation. The maximum length of the UID is 24 characters.

The LID (Logon Identifier) is the 1 to 8 character identifier of a user or task. The LID usually resides in the UID (but not always) and usually is the last field of the UID.

Rules and UID

When defining CA-ACF2 rules (permissions), the UID is used to describe the relevant users who are granted access with this rule. The rule's UID refers to multiple users - all users whose UID matches the rule's UID.

CA-ACF2 Connector Implementation

The CA-ACF2 Connector automatically defines the site's groups based on the CA-ACF2 rules UIDs. Any Rule's UID which potentially refers to a group of users, is defined in the CA-ACF2 Connector's internal Group Database (GDB) as a group. This is done each time Group Aggregation is done.

  • At the end of Group Aggregation, all CA-ACF2 Rule's UID which potentially refer to a group of users would be set in IdentityIQ / IdentityNow  Database as Entitlement Catalog's groups.
  • At the end of Account Aggregation, all CA-ACF2 users whose UID matches an CA-ACF2 Rule's UID, would be connected to these Entitlement Catalog groups in IdentityIQ / IdentityNow (members/groups).

If targetAggregation is done, each CA-ACF2 rule's permission is assigned to the relevant group or relevant account in IdentityIQ.


This fix, implemented by FSD0056 and FSD0057, if activated by the user, implements the above CA-ACF2 Connector Implementation.

This fix:

  • defines all CA-ACF2 Rule's UIDs which potentially refer to groups of users, as Groups in the CA-ACF2 Connector when Group Aggregation begins. The group information would be extracted from the site's CA-ACF2 access and resource rules. These groups would be sent to IdentityIQ / IdentityNow as Entitlement Catalogs' Groups.
  • implementation includes examining each UID to decide whether this UID represents a specific user or a group of users, based on the CA-ACF2 UID masking definition. When a UID which represents a group of users is encountered, this UIDMASK is defined as a Group in IdentityIQ.
    This feature is activated by adding the following line to the RSSPARM member in PARM library:
    <RSS_name>  REFRESH_GDB    Y
    The default value of REFRESH_GDB is set to N. Hence, by default this feature would not be activated.

Note: Group Aggregation must be done before Account Aggregation.

Labels (3)
Version history
Revision #:
1 of 1
Last update:
‎Jul 22, 2018 08:30 AM
Updated by: