Showing results for 
Show  only  | Search instead for 
Did you mean: 

Rules/Groups Interception for CA-ACF2

Rules/Groups Interception for CA-ACF2



Logical grouping of IDs, that is, groups, do not exist in CA-ACF2 as independent entities as in other security products. In CA-ACF2, groups are implemented by using the UID (User Identification) string.

The UID string is a set of user-defined Logonid fields that are concatenated together in sequence. The UID string is used for access evaluation during rule interpretation. The maximum length of the UID is 24 characters.

The LID (Logon Identifier) is the 1 to 8 character identifier of a user or task. The LID usually resides in the UID (but not always) and usually is the last field of the UID.


Rules and UID

When defining CA-ACF2 rules (permissions), the UID is used to describe the relevant users who are granted access with this rule. The Rule's UID refers to multiple users - all users whose UID matches the rule's UID.


CA-ACF2 Connector Implementation


The CA-ACF2 Connector automatically defines the site's groups based on the CA-ACF2 rules UIDs. Any Rule's UID which potentially refers to a group of users, is defined in the CA-ACF2 Connector's internal Group Database (GDB) as a group. This is done each time Group Aggregation is done.

  • At the end of Group Aggregation, all CA-ACF2 Rule's UID which potentially refer to a group of users would be set in IdentityIQ / IdentityNow  Database as Entitlement Catalog's groups.
  • At the end of Account Aggregation, all CA-ACF2 users whose UID matches an CA-ACF2 Rule's UID, would be connected to these Entitlement Catalog groups in IdentityIQ / IdentityNow (members/groups).

If targetAggregation is done, each CA-ACF2 rule's permission is assigned to the relevant group or relevant account in IdentityIQ.




  • The fix, implemented by FSD0056 and FSD0057​ (Refresh GDB at start of Group Aggregation) if activated by the user, implements the above CA-ACF2 Connector Implementation.
  • This fix, implemented by FSD0072 and FSD0073​, goes beyond the above fix by intercepting through Online or Offline Interception, all access and resource rule additions and changes, and analyzing the rules to determine which are new Groups.
    All new Group entities,that is, UIDs, in the rule, are added dynamically to the Group database file and the UIDMASK is defined as a Group in IdentityIQ. These groups appear in IdentityIQ as Groups in the Entitlement Catalog. In addition, all connections between users,that is, LIDs, and the new Group(s) are sent to IdentityIQ so that IdentityIQ is fully updated with the new Group(s) and their members.
    Note: Groups which are deleted from the new / changed access or resource rule are not deleted from the Group database file or from IdentityIQ.
    This requires full Group Aggregation.
    This feature is activated by adding the following line to the RSSPARM member in PARM library:

    <RSS_name>  REFRESH_GDB    Y
        The default value of REFRESH_GDB is set to N. Hence, by default this feature would not be activated.


Note the following:

    • This fix (FSD0072 and FSD0073​) adds DD statements SYSPROC, EXECOUT, (and SYSPRINT) to PROCLIB members ACFAONI, ACFAOFI, and ACFAOFS.
    • For connections between users and groups to be updated properly, ensure that Group Aggregation is done before Account Aggregation.
Labels (3)
Version history
Revision #:
3 of 3
Last update:
‎Nov 29, 2023 01:38 PM
Updated by: