How to Manage RACF CSDATA attributes in IM

Article ID: 275795


Products

CA Identity Suite, CA Identity Manager

Issue/Introduction

According to the following documentation, CSDATA is supported by the "System z Security Communication Server" used by the Identity Manager RACF connector:

LDAP Server Support for CSDATA (broadcom.com)

The native RACF command can also be issued through this LDAP interface:

Native RACF command: ALTUSER <UXXXX> CSDATA(<attribute name>(<value>))

How can the same result as the native RACF command be obtained using IM?

Resolution

CSDATA attributes can be managed with both the RACF V1 connector and the RACF V2 connector.

For RACF v2

See the section "Support for IBM Multi-Factor Authentication (MFA), NETVIEW and CSDATA segments of a user profile on z/OS systems." in the techdoc below:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/ibm-connectors/ibm-racf/audience-file-location-for-the-racf-connector/feature-comparison-of-racf-and-racf-v2-connectors.html

 

According to the techdoc below, the RACF v2 connector was enhanced to support IBM Multi-Factor Authentication (MFA), NETVIEW, and CSDATA segments of a user profile on z/OS systems:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/ibm-connectors/ibm-racf.html

 

RACF v1 also supports CSDATA attributes (regardless of the PTF being in place).

Please follow the documentation: https://ftpdocs.broadcom.com/cadocs/0/CA%20Identity%20Manager%20r12%205%20SP15-ENU/Bookshelf_Files/PDF/im_connectors_enu.pdf

Connector Guides > Connector Guide > Connecting to Endpoints > RACF Connector > Connector-Specific Features > Extend the Schema to Include Customer Attributes

Additional Information

Use the following document as the reference for LDAP Server Support for CSDATA and for the configuration syntax expected in slapd.conf:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/configuring/configure-the-ca-ldap-server/configure-the-racf-utf-backend/racf-configuration-options/ca-ldap-server-support-for-csdata.html

Attributes need to be defined in slapd.conf. The definition should look similar to the following:

 

###############################################################
# racf_utf database specific definition
# This definition is not for Identity Manager or Web Admin
###############################################################

database        racf_utf
suffix          "host=<hostname>,o=<org name>,c=<country>"

#keyword        RACF          LDAP          type    max_len     display
user-csdata     <att name>    <att name>    char    15

 

* max_len should match the custom attribute definition in the schema; the example above uses 15 for no specific reason.