Manage Direct and Indirect Permissions with Mainframe Connector for CA-ACF2

Mainframe Connector for CA-ACF2 now supports managing permissions for accounts and groups when configured with IdentityIQ and/or IdentityNow.

Supported Features
Prerequisite
Configurations for IdentityNow
Configurations for IdentityIQ
Configurations for Mainframe Connector for CA-ACF2
New Messages Introduced

Supported Features

Accounts

Aggregates direct and indirect permissions
Direct permissions are modeled as entitlements and can be re-mediated.

Groups
- Aggregates direct permissions

All permissions are taken from CA-ACF2 rules.

Direct permissions are permissions which are defined for a specific account. When the LID within the UIDMASK is fully specified, it is a direct permission. (Assuming LID in UID is 8 characters field, it refers to permissions with 8 characters LID in UID). When the LID is shorter than the LID field length in UID and a space/blank appears as a suffix of the LID, it is a direct permission.
Indirect permissions are all permissions which are not direct permissions.

Prerequisite

Mainframe Connector for CA-ACF2 version 4.0.02 must be installed along with all PTF's until FSD0134
For more information, see Mainframe E-Fixes.
Connector Gateway (CG) must be upgraded to ConnectorGateway-Jan-2020
(IdentityIQ) IdentityIQ 8.1 and onwards
(IdentityNow) Latest Cloud Connector Gateway (CCG) on all Virtual Appliances (VAs)

Configurations for IdentityNow

Add splAceAttributes attribute in source by using Update Source (Partial) REST API.
To add the splAceAttributes using REST API, the key would be splAceAttributes and value would be the following JSON object:
[
{
"op": "replace",
"path": "/connectorAttributes/splAceAttributes",
"value": {
"ALLOC": "false",
"ACTIVE": "false",
"LIB": "false",
"FOR": "false",
"VERIFY": "false",
"RECCHECK": "false",
"UNTIL": "false",
"DDN": "false",
"NEXTKEY": "false",
"WRITE": "false",
"READ": "false",
"EXEC": "false",
"SHIFT": "false",
"UID": "false",
"VOL": "false",
"DATA": "false",
"PGM": "false",
"SOURCE": "false",
"SERVICE": "true",
"ACCESS": "false",
"RESMASK": "false"
}
}
]

For example,
PATCH https://example.api.identitynow.com/beta/sources/2c9180835d191a86015d28455b4a2329
Authorization: Bearer token
Content-Type: application/json-patch+json
[
{
"op": "replace",
"path": "/connectorAttributes/splAceAttributes",
"value": {
"ALLOC": "false",
"ACTIVE": "false",
"LIB": "false",
"FOR": "false",
"VERIFY": "false",
"RECCHECK": "false",
"UNTIL": "false",
"DDN": "false",
"NEXTKEY": "false",
"WRITE": "false",
"READ": "false",
"EXEC": "false",
"SHIFT": "false",
"UID": "false",
"VOL": "false",
"DATA": "false",
"PGM": "false",
"SOURCE": "false",
"SERVICE": "true",
"ACCESS": "false",
"RESMASK": "false"
}
}
]
Add the following attributes in account schema of ACF2 source
- AccountDirectPermissions (string, entitlement and multi valued)
- AccountIndirectPermissions (string, multi valued)
Contact SailPoint Customer Support to add the following attribute to group schema of ACF2 source:
- GroupDirectPermissions (string, multi valued)

For more information on IdentityNow REST API, refer the following documents:

Configurations for IdentityIQ

To enable the functionality to manage permissions for ACF2 application, perform the following steps:

Add the following attributes in account schema of ACF2-Full application:
- AccountDirectPermissions (string, entitlement and multi valued)
- AccountIndirectPermissions (string, multi valued)
Add the following attribute to the group schema of ACF2-Full application:
- GroupDirectPermissions (string, multi valued)
Add following attribute to the group update provisioning policy of ACF2-Full application:
<Field multi=“true” name=“GroupDirectPermissions” type=“string”>
<Attributes>
<Map>
<entry key=“readOnly” value=“true”/>
</Map>
</Attributes>
</Field>
Perform Group Aggregation before performing the Account Aggregation.

Configurations for Mainframe Connector for CA-ACF2

Set REFRESH_GDB parameter of RSSPARM to Y.

New Messages Introduced

Following are the new messages introduced by this fix:

1 - CTS3890E: Adding a group not supported when REFRESH_GDB is set to Y

When REFRESH_GDB is set to Y in RSSPARM, the groups are defined based on CA-ACF2 rules. In this case, there is no need to add or define new groups manually.

System Action: The Add Group request is denied.

User Response: Do not try to add new groups manually from IdentityNow.

2 - CTS3891I: No permission found for user <userid>

This is an informative message that this account does not have any permissions in CA-ACF2 rules.

System Action: Processing continues.

User Response: CA-ACF2 administrator must verify if this account is required or must be deleted.

3 - CTS3892E: Failed to retrieve permissions for LID <userid>

Permissions will not be returned for the user (for Sync User request) or all users (for Account Aggregation). The reason can be found in accompanying messages in STDMSG, SYSPRINT of JOBLOG.

System Action: Processing continues.

User Response: Check the accompanying messages in STDMSG, SYSPRINT of JOBLOG and perform accordingly.

4 - CTS3893W: <type> permissions area for user <userid> full

Several permissions ignored. There is not enough space in the permissions area for all the permissions of the userid. <type> is the permission type: Direct / Indirect.

System Action: Not all permissions for this userid are returned. Processing continues.

User Response: None