Recommendations for Custom Mapping ACF2

If you must use a custom configuration, use this information to help you map attributes in CA Identity Governance to objects on the endpoint.
Important! We recommend that you use a template instead of a custom mapping. If you use a custom configuration, contact CA Support for advice before you begin.
Follow these steps:
  1. Follow the steps in Define an Import Connector. In Step 5d, select Use custom configuration.
  2. Follow the steps in Define a Custom Configuration for the Endpoint in the CA Identity Governance Configuration Guide. In Step 3, use the following table, which lists one possible way of mapping objects, to help you decide how to set up the mapping.
    Note: Map the account and at least one other attribute.

| Object in CA ACF2 | Description | Object in CA Identity Governance: Shallow Mapping | Object in CA Identity Governance: Deep Mapping |
|---|---|---|---|
| Account | Represents an individual in CA ACF2, defining both users and their privileges. This object contains the logonid and password that a user must specify to enter the system. These fields also contain other information that CA ACF2 uses to validate the authority of the user. | Account | Account |
| UID Role | Represents a UID-based role within CA ACF2. UID roles are not actually objects within CA ACF2. They are objects created by the connector from UID mask associations between users and data sets or resources. | Resource | Role |
| XREF Role | Represents an X-ROL (cross-reference role) in CA ACF2. In CA ACF2 r14, X-ROLs were introduced to allow for hierarchical role-based associations between users and data sets or resources. | Resource | Role |
| Data Set | Represents a CA ACF2 access rule. It does not represent an actual mainframe data set. Instead, it specifies which users can access an individual data set or a group of data sets, and any conditions for that access. In CA ACF2, the default is to deny access. | - | Resource |
| Resource | Represents a CA ACF2 resource rule. It does not represent an actual mainframe resource. Instead, it specifies which users can access an individual resource or a group of resources, and any conditions for that access. In CA ACF2, the default is to deny access. | - | Resource |

  3. Follow the remaining steps in Define an Import Connector.
Note: To see a list of attributes that the CA IAM Connector Server passes to CA GovernanceMinder, see this page.
Note: For CA Identity Governance, this connector offers shallow mapping only. The connector models endpoint permissions as resources. The connector cannot model provisioning roles and account templates as roles. For more information, see Deep and Shallow Use Cases.