Overview
An adapter is an interface between a managed resource and the IBM® Security Identity server.
Adapters can be installed on the managed resource. The IBM Security Identity server manages access to the resource by using the security system. Adapters function as trusted virtual administrators on the target operating system. The adapter creates, suspends, and restores user accounts, and performs other functions that administrators otherwise run manually. The adapter runs as a service, independently of whether you are logged on to the IBM Security Identity server.
The adapter works with the RACF product in the UNIX System Services environment of z/OS and performs these functions:
- Receives provisioning requests from IBM Security Identity Governance and Intelligence.
- Processes the requests to add, modify, suspend, restore, delete, and reconcile user information from the adapter security database.
- Converts the Directory Access Markup Language (DAML) requests that are received from IBM Security Identity Governance and Intelligence to the corresponding adapter Security for z/OS® commands. The Enrole Resource Management API (ERMA) libraries are used for the conversion.
- Forwards the commands to a command executor through a series of tsocmd/IRRSEQ00 requests. The command executor receives the formatted command strings, and the results are collected by the adapter through the same process.
- Returns the results of the command and includes the success or failure message of a request to IBM Security Identity Governance and Intelligence.

- Adapter
- Receives and processes requests from IBM Security Identity Governance and Intelligence. The adapter can handle multiple requests simultaneously. Each request results in the execution of a tsocmd-based TSO command transaction. The binary files of the adapter and related external files are in the UNIX System Services environment of z/OS (OS/390®).
- Command Executor
- Operates as either a TSO command transaction (tsocmd based) or a RACF operator command transaction (R_admin API/IRRSEQ00 based) that is triggered by an incoming request from the adapter. These requests consist of commands. TSO command transactions support reconciliation and ISIMEXIT processing. RACF operator commands support account Add, Modify, and Delete processing. The adapter runs these commands from the UNIX System Services environment and collects the results that are returned by RACF, MVS, or REXX, depending on the specific command that is run.
- Reconciliation Processor
- Operates as a TSO-based or MVS transaction that is triggered from an incoming tsocmd request from the adapter. The request is accompanied by a RACF user ID that is used to do the reconciliation. The ID can be the agent ID or a SURROGAT ID. This user ID can be used for a partial reconciliation that is based on the scope of authority of that ID. See the RACF Security Administrator's Guide for more information about scope of authority. Reconciliation that is limited by scope of authority in this way is referred to as scoped reconciliation.
- To enable scoped reconciliations
- At adapter installation time, define a VSAM file name for scoped reconciliations. Defining the file name creates the VSAM file and sets the ADK registration value for SCOPING to 'TRUE'. During reconciliation, the adapter verifies whether the VSAM file for scoped reconciliations can be accessed. If so, the adapter completes a scoped reconciliation.
- To switch between SCOPED and non-SCOPED
- Use 'hlq.SAGRCENU(AGRCCFG)' to either add or remove the VSAM file name for scoped reconciliations, and regenerate the jobs in 'hlq'.CNTL. Resubmit the jobs. When changing from SCOPED to non-SCOPED, remove the previously defined VSAM file for scoped reconciliations.
The reconciliation processor runs the RACF database unload utility (IRRDBU00), or uses an existing data set that the RACF database unload utility (IRRDBU00) produced. If scoped reconciliation is required, the results of the unload job are filtered.
The reconciliation results are stored in an intermediate data set, which the adapter reads, processes further, and transfers to the IBM Security Identity server.
The LOOKUP transaction type uses the (eruid=<userid>) filter in IBM Security Identity Governance and Intelligence for the reconciliation of a single account. This transaction type ensures that no PDU entries are created for entries that do not match the eruid that is specified in the search filter in the server request. For debugging this type of processing, more messages for the _ermPduAddEntry process are added at the Base Logging level (BSE). Unfiltered requests, or requests with more than one account specified in the search filter, still result in a full reconciliation that uses the standard SEARCH transaction.

The RACF Adapter creates and manages RACF accounts. The adapter runs in "agent" mode and must be installed on z/OS. One adapter is installed for each RACF database. The RACF Adapter can be configured to support a subset of the accounts through the scope of authority in the RACF Service Form (SURROGAT user ID).
- Lookup Processor
- The LOOKUP operation uses the (eruid=<userid>) filter in IBM Security Identity Governance and Intelligence for the reconciliation of a single account. This transaction is implemented by using the Lookup Processor. The Lookup Processor uses a REXX interface to R_Admin (IRRXUTIL) to extract only the data that belongs to the user account that is specified in the search filter. The tsocmd command processor is used to call the REXX script with the name of the user account to be looked up. The REXX interface script ISIMLOKU is located in the EXEC library along with the ISIMEXIT and ISIMEXEC sample REXX scripts. Similar to the Full Reconciliation operation, the ISIMLOKU REXX script uses the RECOSAVE data set to store the intermediate results that are returned by IRRXUTIL. Requests that are not filtered, or that specify more than one account in the search filter, still result in a full reconciliation that uses the standard SEARCH operation.
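The following Python example is added here to illustrate the decision that the LOOKUP transaction type (described above, twice) makes: a server request whose search filter is exactly one (eruid=<userid>) equality is reconciled as a single-account LOOKUP, and every other request (no filter, a wildcard, or more than one account) falls back to a full SEARCH reconciliation. It also shows why no PDU entry is produced for accounts that do not match the requested eruid. This is not the adapter's own code and not IBM's REXX or IRRXUTIL logic: the filter grammar, the simplified "USER ..." record layout that stands in for the unload results, the attribute names other than eruid, and the sample data are all constructed for the example.

```python
"""Added example (not IBM adapter code): classify a server search filter as
LOOKUP or SEARCH and build reconciliation entries only for matching accounts.

Assumptions (constructed for this example):
  * the filter is an LDAP-style string such as "(eruid=ALICE01)";
  * unload results are simplified "USER <id> <owner> <status>" lines,
    not the real IRRDBU00 record layout;
  * entry attribute names other than "eruid" are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Exactly one literal eruid equality, no wildcard, no AND/OR wrapping.
ERUID_FILTER = re.compile(r"^\(\s*eruid\s*=\s*([^()*=\s]+)\s*\)$", re.IGNORECASE)


def classify_request(search_filter: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return ("LOOKUP", USERID) for a single-account filter, else ("SEARCH", None).

    An empty filter, a wildcard such as (eruid=AL*), or a compound filter such as
    (|(eruid=A)(eruid=B)) all result in a full SEARCH reconciliation.
    """
    if not search_filter or not search_filter.strip():
        return ("SEARCH", None)
    match = ERUID_FILTER.match(search_filter.strip())
    if match:
        # RACF user IDs are uppercase; normalise so the comparison is exact.
        return ("LOOKUP", match.group(1).upper())
    return ("SEARCH", None)


@dataclass(frozen=True)
class AccountRecord:
    userid: str
    owner: str
    revoked: bool


def parse_unload(lines: List[str]) -> List[AccountRecord]:
    """Parse the simplified (constructed) unload lines; skip non-user records."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] != "USER":
            continue  # other record types or malformed lines are ignored
        records.append(AccountRecord(parts[1].upper(), parts[2].upper(),
                                     parts[3].upper() == "REVOKED"))
    return records


def build_pdu_entries(records: List[AccountRecord],
                      search_filter: Optional[str]) -> List[Dict[str, str]]:
    """Build one entry per account that the request should return.

    For LOOKUP, only the account named in the filter is returned, so no entry
    is created for any other account; for SEARCH every account is returned.
    """
    kind, userid = classify_request(search_filter)
    if kind == "LOOKUP":
        selected = [r for r in records if r.userid == userid]
    else:
        selected = list(records)
    return [{"eruid": r.userid,
             "owner": r.owner,                       # placeholder attribute name
             "status": "REVOKED" if r.revoked else "ACTIVE"}  # placeholder
            for r in selected]


# Constructed sample unload output (not real IRRDBU00 data).
SAMPLE_UNLOAD = [
    "USER IBMUSER SYS1 ACTIVE",
    "USER ALICE01 ADMIN ACTIVE",
    "USER BOB02 ADMIN REVOKED",
    "GROUP ADMIN SYS1 -",  # not a user record; ignored by parse_unload
]

if __name__ == "__main__":
    records = parse_unload(SAMPLE_UNLOAD)
    for flt in ["(eruid=bob02)", "(eruid=AL*)", "(|(eruid=ALICE01)(eruid=BOB02))", None]:
        kind, uid = classify_request(flt)
        print(f"filter={flt!r:40} -> {kind} {uid or ''} "
              f"({len(build_pdu_entries(records, flt))} entries)")
```

The wildcard and compound filters are deliberately treated as SEARCH rather than rejected, mirroring the page's statement that such requests still result in a full reconciliation; a stricter server-side policy could instead refuse them.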