Manage Direct and Indirect Permissions with Mainframe Connector for CA-ACF2

Mainframe Connector for CA-ACF2 now supports managing permissions for accounts and groups when it is configured with IdentityIQ and/or IdentityNow.


Supported Features

  • Accounts
    • Aggregates direct and indirect permissions
    • Direct permissions are modeled as entitlements and can be remediated.
  • Groups
    • Aggregates direct permissions

All permissions are taken from CA-ACF2 rules.

  • Direct permissions are permissions defined for a specific account. A permission is direct when the LID within the UID mask is fully specified: assuming the LID in the UID string is an 8-character field, this means the mask carries an 8-character LID. A permission is also direct when the LID in the mask is shorter than the LID field length in the UID string and is followed by a space/blank.
  • Indirect permissions are all permissions which are not direct permissions.
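The classification above is easiest to see on concrete UID masks. The following Python is an added example, not code from the article or from the SailPoint connector: it assumes a constructed 12-character site UID layout (4-character department code followed by the 8-character LID) and a simplified ACF2 masking model in which "*" matches exactly one position and "-" matches everything after it. It sorts the rule entries that match one account into the two sets that feed AccountDirectPermissions and AccountIndirectPermissions.

```python
from dataclasses import dataclass

# Constructed site layout (assumption, not from the article): a 12-character UID
# string made of a 4-character department code followed by the 8-character LID.
UID_LEN = 12
LID_OFFSET = 4
LID_LEN = 8


@dataclass(frozen=True)
class RuleEntry:
    """One entry of a CA-ACF2 rule: a resource, a UID mask and the access granted."""
    resource: str
    uid_mask: str
    access: str


def uid_mask_matches(uid_mask: str, uid: str) -> bool:
    """Simplified ACF2 masking (assumption): '*' matches exactly one position,
    '-' matches everything that follows, and both strings are blank-padded."""
    m = uid_mask.ljust(UID_LEN)
    u = uid.ljust(UID_LEN)
    for mc, uc in zip(m, u):
        if mc == "-":
            return True
        if mc != "*" and mc != uc:
            return False
    return True


def is_direct(uid_mask: str) -> bool:
    """Direct permission: the LID portion of the mask is fully specified (8 characters)
    or shorter and followed by blanks, with no masking character in or before it."""
    m = uid_mask.ljust(UID_LEN)
    prefix = m[:LID_OFFSET]
    lid = m[LID_OFFSET:LID_OFFSET + LID_LEN]
    if "-" in prefix:            # a '-' before the LID masks the LID as well
        return False
    if "-" in lid or "*" in lid:  # masked LID: applies to more than one account
        return False
    return lid.strip() != ""      # an entirely blank LID names no specific account


def aggregate_permissions(account_uid: str, rules):
    """Split the permissions that apply to account_uid into direct and indirect lists.
    Permissions are encoded as 'RESOURCE:ACCESS' strings (an assumption for illustration)."""
    direct, indirect = set(), set()
    for rule in rules:
        if not uid_mask_matches(rule.uid_mask, account_uid):
            continue
        perm = f"{rule.resource}:{rule.access}"
        (direct if is_direct(rule.uid_mask) else indirect).add(perm)
    return sorted(direct), sorted(indirect)


# Constructed sample rule entries for illustration only.
SAMPLE_RULES = [
    RuleEntry("PAYROLL.MASTER", "SALEJSMITH", "READ"),    # LID JSMITH + blanks: direct
    RuleEntry("PAYROLL.MASTER", "SALEJSMITH-", "WRITE"),  # trailing '-': indirect
    RuleEntry("HR.REPORTS", "SALE-", "READ"),             # whole department: indirect
    RuleEntry("HR.REPORTS", "****JSMITH", "WRITE"),       # dept masked, LID exact: direct
    RuleEntry("FIN.LEDGER", "FIN-", "READ"),              # other department: no match
    RuleEntry("AUDIT.LOG", "SALEJSMITH2", "READ"),        # different LID: no match
]

if __name__ == "__main__":
    direct, indirect = aggregate_permissions("SALEJSMITH", SAMPLE_RULES)
    print("AccountDirectPermissions  :", direct)
    print("AccountIndirectPermissions:", indirect)
```

Only the two entries whose LID portion is exactly JSMITH end up in the direct list, which is why only those are remediable as entitlements; the department-wide and trailing-dash entries still grant access to JSMITH but are reported as indirect.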

Prerequisite

  • Mainframe Connector for CA-ACF2 version 4.0.02 must be installed along with all PTFs up to FSD0134.
    For more information, see Mainframe E-Fixes.
  • Connector Gateway (CG) must be upgraded to ConnectorGateway-Jan-2020
  • (IdentityIQ) IdentityIQ 8.1 and onwards
  • (IdentityNow) Latest Cloud Connector Gateway (CCG) on all Virtual Appliances (VAs)

 

Configurations for IdentityNow

  1. Add the splAceAttributes attribute to the source by using the Update Source (Partial) REST API.
    The key is splAceAttributes and the value is the JSON object shown in the following JSON Patch body:
    [
      {
        "op": "replace",
        "path": "/connectorAttributes/splAceAttributes",
        "value": {
                "ALLOC": "false",
                "ACTIVE": "false",
                "LIB": "false",
                "FOR": "false",
                "VERIFY": "false",
                "RECCHECK": "false",
                "UNTIL": "false",
                "DDN": "false",
                "NEXTKEY": "false",
                "WRITE": "false",
                "READ": "false",
                "EXEC": "false",
                "SHIFT": "false",
                "UID": "false",
                "VOL": "false",
                "DATA": "false",
                "PGM": "false",
                "SOURCE": "false",
                "SERVICE": "true",
                "ACCESS": "false",
                "RESMASK": "false"
            }
      }
    ]

    For example:
    PATCH https://example.api.identitynow.com/beta/sources/2c9180835d191a86015d28455b4a2329

    Authorization: Bearer token
    Content-Type: application/json-patch+json
    [
      {
        "op": "replace",
        "path": "/connectorAttributes/splAceAttributes",
        "value": {
                "ALLOC": "false",
                "ACTIVE": "false",
                "LIB": "false",
                "FOR": "false",
                "VERIFY": "false",
                "RECCHECK": "false",
                "UNTIL": "false",
                "DDN": "false",
                "NEXTKEY": "false",
                "WRITE": "false",
                "READ": "false",
                "EXEC": "false",
                "SHIFT": "false",
                "UID": "false",
                "VOL": "false",
                "DATA": "false",
                "PGM": "false",
                "SOURCE": "false",
                "SERVICE": "true",
                "ACCESS": "false",
                "RESMASK": "false"
            }
      }
    ]

  2. Add the following attributes to the account schema of the ACF2 source:
    • AccountDirectPermissions (string, entitlement and multi-valued)
    • AccountIndirectPermissions (string, multi-valued)
  3. Contact SailPoint Customer Support to add the following attribute to the group schema of the ACF2 source:
    • GroupDirectPermissions (string, multi-valued)

For more information on the IdentityNow REST API, refer to the following documents:


Configurations for IdentityIQ

To enable permission management for the ACF2 application, perform the following steps:

  1. Add the following attributes to the account schema of the ACF2-Full application:
    • AccountDirectPermissions (string, entitlement and multi-valued)
    • AccountIndirectPermissions (string, multi-valued)
  2. Add the following attribute to the group schema of the ACF2-Full application:
    • GroupDirectPermissions (string, multi-valued)
  3. Add the following field to the group update provisioning policy of the ACF2-Full application:
    <Field multi="true" name="GroupDirectPermissions" type="string">
      <Attributes>
        <Map>
          <entry key="readOnly" value="true"/>
        </Map>
      </Attributes>
    </Field>

  4. Perform Group Aggregation before performing the Account Aggregation.

 

Configurations for Mainframe Connector for CA-ACF2

Set the REFRESH_GDB parameter in RSSPARM to Y.

 

New Messages Introduced

The following messages are introduced by this fix:

1 - CTS3890E: Adding a group not supported when REFRESH_GDB is set to Y

When REFRESH_GDB is set to Y in RSSPARM, the groups are defined based on CA-ACF2 rules. In this case, there is no need to add or define new groups manually.

System Action: The Add Group request is denied.

User Response: Do not try to add new groups manually from IdentityNow.

 

2 - CTS3891I: No permission found for user <userid>

This informational message indicates that the account has no permissions in the CA-ACF2 rules.

System Action: Processing continues.

User Response: The CA-ACF2 administrator must verify whether this account is still required or should be deleted.

 

3 - CTS3892E: Failed to retrieve permissions for LID <userid>

Permissions are not returned for the user (for a Sync User request) or for all users (for Account Aggregation). The reason can be found in the accompanying messages in STDMSG or SYSPRINT of the JOBLOG.

System Action: Processing continues.

User Response: Check the accompanying messages in STDMSG or SYSPRINT of the JOBLOG and act accordingly.

 

4 - CTS3893W: <type> permissions area for user <userid> full

Some permissions were ignored because there is not enough space in the permissions area for all the permissions of the userid. <type> is the permission type: Direct or Indirect.

System Action: Not all permissions for this userid are returned. Processing continues.

User Response: None
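Messages CTS3892E and CTS3893W both mean that the permissions aggregated for an account are incomplete, which matters for access reviews built on AccountDirectPermissions and AccountIndirectPermissions. The following Python is an added example, not code from the article or the connector: it scans constructed job-log lines for the four messages documented above and lists the accounts whose aggregated permission data should not be trusted until the run is repeated. The line format is assumed to be the message text exactly as documented, with no job-specific prefix.

```python
import re
from collections import defaultdict

# Patterns for the four documented messages; <userid> and <type> become capture groups.
MSG_PATTERNS = {
    "group_add_denied": re.compile(r"CTS3890E: Adding a group not supported"),
    "no_permissions":   re.compile(r"CTS3891I: No permission found for user (\S+)"),
    "retrieve_failed":  re.compile(r"CTS3892E: Failed to retrieve permissions for LID (\S+)"),
    "area_full":        re.compile(r"CTS3893W: (Direct|Indirect) permissions area for user (\S+) full"),
}


def summarize_permission_messages(lines):
    """Classify job-log lines into the documented CTS389x messages.

    Returns a dict with: the count of denied group adds, the userids reported
    with no permissions (cleanup candidates), the LIDs whose retrieval failed,
    and a map of userid -> list of truncated permission types (Direct/Indirect)."""
    summary = {
        "group_add_denied": 0,
        "no_permissions": [],
        "retrieve_failed": [],
        "truncated": defaultdict(list),
    }
    for line in lines:
        if MSG_PATTERNS["group_add_denied"].search(line):
            summary["group_add_denied"] += 1
        elif (m := MSG_PATTERNS["no_permissions"].search(line)):
            summary["no_permissions"].append(m.group(1))
        elif (m := MSG_PATTERNS["retrieve_failed"].search(line)):
            # During an Account Aggregation this message means no user got permissions,
            # so a single hit is enough to distrust the whole run.
            summary["retrieve_failed"].append(m.group(1))
        elif (m := MSG_PATTERNS["area_full"].search(line)):
            summary["truncated"][m.group(2)].append(m.group(1))
    summary["truncated"] = dict(summary["truncated"])
    return summary


def accounts_needing_review(summary):
    """Accounts whose aggregated entitlements are incomplete: permissions were
    truncated (CTS3893W) or could not be retrieved at all (CTS3892E)."""
    return sorted(set(summary["retrieve_failed"]) | set(summary["truncated"]))


# Constructed sample log lines for illustration only.
SAMPLE_LOG = [
    "CTS3891I: No permission found for user TEMP0042",
    "CTS3893W: Direct permissions area for user JSMITH full",
    "CTS3892E: Failed to retrieve permissions for LID BROKEN1",
    "CTS3893W: Indirect permissions area for user JSMITH full",
    "CTS3890E: Adding a group not supported when REFRESH_GDB is set to Y",
    "IEF142I JOB STEP1 - STEP WAS EXECUTED - COND CODE 0004",
]

if __name__ == "__main__":
    result = summarize_permission_messages(SAMPLE_LOG)
    print("Accounts with no permissions :", result["no_permissions"])
    print("Accounts needing re-aggregation:", accounts_needing_review(result))
```

Run this over the STDMSG/SYSPRINT output of an aggregation job before certifying the entitlements it produced; any account returned by accounts_needing_review has fewer permissions in IdentityNow or IdentityIQ than it actually holds in CA-ACF2.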

 

Version history: revision 5 of 5, last updated Sep 09, 2021 11:32 AM.