Logical groupings of IDs, that is, groups, do not exist in CA-ACF2 as independent entities as they do in other security products. In CA-ACF2, groups are implemented by using the UID (User Identification) string.
The UID string is a set of user-defined Logonid fields that are concatenated together in sequence. The UID string is used for access evaluation during rule interpretation. The maximum length of the UID is 24 characters.
The LID (Logon Identifier) is the 1- to 8-character identifier of a user or task. The LID usually resides in the UID (but not always) and is usually its last field.
When defining CA-ACF2 rules (permissions), the UID is used to describe the users who are granted access by the rule. A rule's UID refers to multiple users: all users whose UID string matches the rule's UID.
The CA-ACF2 Connector automatically defines the site's groups based on the UIDs in the CA-ACF2 rules. Any rule UID that potentially refers to a group of users is defined as a group in the CA-ACF2 Connector's internal Group Database (GDB). This is done each time Group Aggregation runs.
If target aggregation is done, each CA-ACF2 rule's permission is assigned to the relevant group or relevant account in IdentityIQ.
This fix, implemented by FSD0072 and FSD0073, goes beyond the above fix by intercepting, through Online or Offline Interception, all access and resource rule additions and changes, and analyzing the rules to determine which UIDs are new Groups.
All new Group entities, that is, UIDs, in the rule are added dynamically to the Group database file, and the UIDMASK is defined as a Group in IdentityIQ. These groups appear in IdentityIQ as Groups in the Entitlement Catalog. In addition, all connections between users, that is, LIDs, and the new Group(s) are sent to IdentityIQ so that IdentityIQ is fully updated with the new Group(s) and their members.
Note: Groups that are removed from a new or changed access or resource rule are not deleted from the Group database file or from IdentityIQ. Removing them requires a full Group Aggregation.
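The group derivation described above, as an added example that is not code from the CA-ACF2 Connector or from CA-ACF2 itself: each rule UID mask becomes a group, full aggregation rebuilds the whole GDB, and the interception path only adds or updates groups. The mask semantics ('*' for one position, '-' for the remainder, exact-length otherwise), the UID layout and all sample Logonids and rules are assumptions constructed for the example.

```python
# Added example, not code from the CA-ACF2 Connector or CA-ACF2 itself. It
# derives connector-style groups from rule UID masks as the text describes:
# each rule UID (UIDMASK) becomes a group whose members are the Logonids
# whose UID string matches it. ASSUMED mask semantics (not stated on the page):
# '*' matches one character position, '-' matches everything that follows,
# other characters match exactly, and a mask without a trailing '-' must
# consume the whole UID. Sample UID layout is also made up: 3-char department
# + 2-char site + LID (LID last, 24 characters maximum).
from typing import Dict, List

MAX_UID_LEN = 24

def uid_matches(mask: str, uid: str) -> bool:
    """True if uid matches the ACF2-style mask under the assumed semantics."""
    if len(uid) > MAX_UID_LEN:
        raise ValueError(f"UID string exceeds {MAX_UID_LEN} characters: {uid!r}")
    mi = 0
    for ch in uid:
        if mi >= len(mask):
            return False          # UID longer than mask and no '-' to absorb it
        if mask[mi] == "-":
            return True           # dash matches the rest of the UID string
        if mask[mi] != "*" and mask[mi] != ch:
            return False
        mi += 1
    return mask[mi:] in ("", "-")  # whole UID consumed; mask may end in '-'

def members_of(mask: str, users: Dict[str, str]) -> List[str]:
    """LIDs whose UID string matches the rule UID mask."""
    return sorted(lid for lid, uid in users.items() if uid_matches(mask, uid))

def build_group_db(rules: Dict[str, str], users: Dict[str, str]) -> Dict[str, List[str]]:
    """Full Group Aggregation: rebuild {UIDMASK: [LID, ...]} from every rule."""
    return {mask: members_of(mask, users) for mask in set(rules.values())}

def refresh_gdb(gdb: Dict[str, List[str]], new_mask: str, users: Dict[str, str]) -> List[str]:
    """Interception path (REFRESH_GDB Y): add or update the group for a new or
    changed rule UID and return its members. Existing groups are never removed."""
    gdb[new_mask] = members_of(new_mask, users)
    return gdb[new_mask]

# Constructed sample data: {LID: UID string} and {rule key: rule UID mask}.
USERS = {"JSMITH": "FINNYJSMITH", "AJONES": "FINLAAJONES",
         "BKHAN": "HRDNYBKHAN", "CLEE": "FINNYCLEE"}
RULES = {"PAYROLL.DATA": "FIN-",       # every Finance user
         "GL.NY.REPORTS": "FINNY-",    # Finance users at the NY site
         "HR.MASTER": "HRD**BKHAN"}    # one HR user, whatever the site
```

`build_group_db(RULES, USERS)` yields three groups keyed by mask; calling `refresh_gdb` afterwards with a new mask adds a fourth without touching the others.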
This feature is activated by adding the following line to the RSSPARM member in the PARM library:
<RSS_name> REFRESH_GDB Y
The default value of REFRESH_GDB is N, so by default this feature is not activated.
Note the following: