Scoping the CA Identity Manager Provisioning TSS Connector to a Specific Zone

Article ID: 434111


Products

CA Identity Suite

Issue/Introduction

Administrators may need to restrict the CA Identity Manager (IDM) Provisioning TSS connector so that it can only manage ACIDs within a specific Top Secret Zone. By default, if the connector’s login ACID is a Central Administrator (SCA), it has visibility and authority over the entire security file.

Environment

  • CA Identity Manager Provisioning Server
  • CA LDAP Server for z/OS
  • CA Top Secret for z/OS

Cause

The administrative scope of an Identity Manager connector is determined by the native authority of the mainframe ACID assigned to the Endpoint configuration. To restrict the connector, the authority level must be changed from a global administrator to a scoped administrator.

Resolution

To scope the connector to a specific zone, the connector’s login ACID must be changed to a Zone Control Administrator (ZCA). Top Secret natively restricts a ZCA to managing only those ACIDs that reside within its assigned zone.

Follow these steps on the mainframe:

  1. Identify the Connector ACID: Locate the ACID used by the Identity Manager TSS Endpoint to bind to the CA LDAP Server.

  2. Change the ACID Type and Assign the Zone: Execute the following TSS command to move the ACID to the target zone and set its type to ZCA:

     TSS MOVE(connector_acid) TYPE(ZCA) ZONE(target_zone)

  3. Verify Authority: Ensure the ZCA holds the administrative authorities the connector needs (e.g., ACID(CREATE,DELETE,DATA) RESOURCE(INFO,REPORT)) within that zone.

Once the ACID is moved, the CA LDAP Server, which acts as the gateway for the IDM connector, strictly enforces the zone boundary. Any attempt by Identity Manager to “Explore” or modify an ACID outside the designated zone is rejected by the mainframe with the following error: TSS0352E ACID NOT OWNED WITHIN SCOPE
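The following is an added illustration, not code from the article or from CA/Broadcom: a simplified Python model of the scope rule above, showing why an SCA-typed connector ACID can touch every zone while the same ACID, after the TSS MOVE to TYPE(ZCA), is confined to its own zone and receives TSS0352E elsewhere. The ACID names, zone names and the non-TSS "MODEL:" denial text are constructed for the example; real Top Secret authority checking is far richer than this.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Message quoted in the article for an out-of-scope attempt.
SCOPE_ERROR = "TSS0352E ACID NOT OWNED WITHIN SCOPE"
# Authorities step 3 of the article says the ZCA needs on ACIDs in its zone.
REQUIRED_ACID_AUTH = {"CREATE", "DELETE", "DATA"}


@dataclass
class Acid:
    name: str
    acid_type: str                      # "SCA", "ZCA", "USER", ...
    zone: Optional[str] = None          # zone the ACID lives in (None for an SCA here)
    admin_auth: Set[str] = field(default_factory=set)  # ACID(...) authorities held


def tss_move(acid: Acid, acid_type: str, zone: str) -> Acid:
    """Model of TSS MOVE(acid) TYPE(type) ZONE(zone): relocate the ACID and set its type."""
    return Acid(acid.name, acid_type, zone, set(acid.admin_auth))


def missing_authorities(admin: Acid) -> Set[str]:
    """Step 3 check: which of the required ACID(...) authorities the admin still lacks."""
    return REQUIRED_ACID_AUTH - admin.admin_auth


def check_admin(admin: Acid, target: Acid, action: str) -> str:
    """Return "OK" or the message the connector would see for an admin action on target.

    Simplified model: an SCA is global; a ZCA is confined to its zone and must hold the
    ACID(...) authority for the action; anything else is not an administrator at all.
    """
    if admin.acid_type == "SCA":
        return "OK"
    if admin.acid_type == "ZCA":
        if target.zone != admin.zone:
            return SCOPE_ERROR
        if action not in admin.admin_auth:
            # Constructed model message, not a real TSS message code.
            return f"MODEL: ZCA lacks ACID({action}) authority"
        return "OK"
    return "MODEL: not an administrator ACID"


if __name__ == "__main__":
    connector = Acid("IDMCONN", "SCA", None, {"CREATE", "DELETE", "DATA"})  # constructed
    fin_user = Acid("FINUSR1", "USER", "FINZONE")                             # constructed
    print("SCA on other zone:", check_admin(connector, fin_user, "DELETE"))
    scoped = tss_move(connector, "ZCA", "HRZONE")
    print("ZCA on other zone:", check_admin(scoped, fin_user, "DELETE"))
```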