
Handling account attributes

Customer data fields

Customer data fields (CSDATA_*) can be managed by the Mainframe Connector 7.0.1+. You can add target system attributes at the target system type or target system level for custom fields that are to be managed in Bravura Security Fabric.

These attributes can be set on account creation or updated on existing user accounts.

TopSecret network resource operations

The TopSecret network resource update operation (NRUP) allows changes to the ACLs on programs and datasets. This requires:

  • Bravura Security Fabric 6.2.1 or higher.

  • Mainframe Connector 7.0.2 or higher.

The operation parameter (resourcetype) is the TSS resource class (for example, DSNAME and TSOACCT).

The operation parameter (resourceaddress) is the resource name.

The following account attributes can be mapped to a request-only attribute to set the flags on the network resource update:

  • ACL_ACCESS can be one or more access levels (such as READ, UPDATE, FETCH, NONE, ALL). A comma-separated list is used to combine access levels (for example, READ,UPDATE).

  • ACL_SUBJECT is the target userid involved in the request.

To submit requests for network resources in Bravura Security Fabric 6.2.1 or higher, you must use the IDSYNCH REQUEST REWRITE PLUGIN to add the resource operations to the request.

RACF network resource operations

The RACF network resource update operation (NRUP) allows changes to the ACLs on programs and datasets. This requires:

  • RACF security products that support resource access lists.

  • Bravura Security Fabric 6.2.1 or higher.

  • Mainframe Connector 7.0.2 or higher.

The operation parameter (resourcetype) is the resource class (for example, DATASET, FACILITY, PROGRAM). The operation parameter (resourceaddress) is the resource class profile.

The following account attributes can be mapped to a request-only attribute to set the flags on the network resource update:

  • ACL_ACCESS can be READ, DELETE, UPDATE, EXECUTE, CONTROL, ALTER, NONE, depending on the resource class.

  • ACL_GENERIC can be T or F. Only required if the class is DATASET.

  • ACL_CONDITION maps to the WHEN condition for the PERMIT command.

Information on the PERMIT command can be found here:

http://publib.boulder.ibm.com/infocenter/zos/v1r12/topic/com.ibm.zos.r12.icha400/permit.htm#permit

To submit requests for network resources in Bravura Security Fabric 6.2.1 or higher, you must use the IDSYNCH REQUEST REWRITE PLUGIN to add the resource operations to the request.

RACF account revoke and resume

Bravura Security Fabric uses the following attributes supplied by agtracf to control behavior on RACF target systems:

BASE_REVOKE: This attribute is present on listing and set to "T" if an account is revoked. To revoke an account using the BASE_REVOKE attribute, the value set needs to be "YES".

BASE_REVOKEDT: If the revoke date is set on the account, this is listed in BASE_REVOKEDT. To remove the revoke date on the account, this account attribute needs to be set to "NO". Otherwise, the date (YYYY-MM-DD) will be set as the revoke date for the account.

BASE_RESUME: This attribute is not listed by default (BASE_RESUME omitted implies "T"). To resume an account using the BASE_RESUME attribute, the value set needs to be "YES".

BASE_RESUMEDT: If the resume date is set on the account, this is listed in BASE_RESUMEDT. To remove the resume date on the account, this account attribute needs to be set to "NO". Otherwise, the date (YYYY-MM-DD) will be set as the resume date for the account.

In both cases, if BASE_RESUME or BASE_REVOKE is set, the date is ignored. To update both the status flag and the date, two requests need to be submitted (just as the native ALTUSER RESUME/REVOKE operates).
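The following pre-submit check is an added example, not part of the product or its documentation: it validates the four attributes above and splits one desired change into two requests so that no date is silently ignored. The dict representation of a request and the function names are assumptions, and it takes the conservative reading that any flag in a request causes the date attributes in that request to be ignored.

```python
import re
from datetime import date

FLAGS = ("BASE_REVOKE", "BASE_RESUME")
DATES = ("BASE_REVOKEDT", "BASE_RESUMEDT")
ISO_DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def validate(attrs):
    """Reject values the page does not document for these attributes."""
    for name in FLAGS:
        # "T" is what a listing shows; a request must send "YES".
        if name in attrs and attrs[name] != "YES":
            raise ValueError(f"{name}: only 'YES' is documented, got {attrs[name]!r}")
    for name in DATES:
        value = attrs.get(name)
        if value is None or value == "NO":  # "NO" removes the date
            continue
        if not ISO_DATE.fullmatch(value):
            raise ValueError(f"{name}: expected 'NO' or YYYY-MM-DD, got {value!r}")
        date.fromisoformat(value)  # raises ValueError for e.g. 2025-02-30


def plan_requests(attrs):
    """Return the list of requests (hypothetical dicts) to submit, in order."""
    validate(attrs)
    if not any(name in attrs for name in FLAGS):
        return [dict(attrs)]  # no flag present, so dates are honoured as-is
    first = {k: v for k, v in attrs.items() if k not in DATES}
    second = {k: v for k, v in attrs.items() if k in DATES}
    return [first, second] if second else [first]


# Constructed sample: resume the account, clear its resume date,
# and schedule a revoke date.
SAMPLE = {"BASE_RESUME": "YES", "BASE_RESUMEDT": "NO", "BASE_REVOKEDT": "2025-06-30"}

if __name__ == "__main__":
    for number, request in enumerate(plan_requests(SAMPLE), 1):
        print(number, request)
```

The order of the two requests (flag first, dates second) is a choice made for this example; the page states only that two requests are needed.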

ACF2 date format

On ACF2 targets, the ACTIVE and EXPIRY attributes are listed and set with an ISO-formatted date (YYYY-MM-DD). When updated on the ACF2 target, the default format (mm/dd/yy) is used. If ACF2 is configured differently, the behavior can be set with the registry entry in:

HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\

Entry name: ACF2_DATE_FORMAT

Value:

  • 0 = mm/dd/yy

  • 1 = dd/mm/yy

  • 2 = yy/mm/dd

Data type: DWORD

Default: 0

Warning

Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.