Configuration Parameters for Identity Security Cloud

The following table describes the additional configuration parameters for Identity Security Cloud API (System Configuration and Application Configuration):

The related character set in Identity Security Cloud for the code page used on the Mainframe Connector side. Default value is IBM1047. The value can be modified as follows:

<entry key="IBMcharacterSet" value="IBM1047"/>

Disables the hotpath for all Update Account operations. This prevents the Identity Security Cloud database from updating with all Update operations changes from the managed system. If this parameter is set to true then disableHotpathForChgPwd and disableHotpathForManageAcntOp are ignored and the hotpath is disabled.

Default value is false (hotpath is enabled).

To disable the hotpath for all update operations, set the value to true as follows:

<entry key="disableHotpathForUpdate" value="true"/>

Disables the hotpath for Change Password operations only. If the hotpath is disabled, the connector executes the query and sends the status immediately to improve the performance. By disabling the hotpath, the latest information from the connector is not updated in the Identity Security Cloud database.

Default value is false (hotpath is enabled).

To disable the hotpath for Change password, set the value to true as follows:

<entry key="disableHotpathForChgPwd" value="true"/>

Disables the hotpath for Enable, Disable, and Unlock operations. This prevents the Identity Security Cloud database from updating with all Enable, Disable, and Unlock operation changes from the managed system.

Default value is false (hotpath is enabled).

To disable the hotpath for Enable, Disable, and Unlock operations, set the value to true as follows:

<entry key="disableHotpathForManageAcntOp" value="true"/>

Set unspecified attributes in the schema which are expected to be sent or received by Identity Security Cloud. For example, RU_LOCKED and RU_SUSPENDED. The field is mapped to be locked, so this field is not required in the schema.

Copy 
<entry key="splAccountAttributes">
  <value>
    <Map>
      <entry key="RU_LOCKED" value="false"/>
      <entry key="RU_SUSPENDED" value="false"/>
    </Map>
  </value>
</entry>

Add a connection attribute using the following tags. The tags are Account-Group connection attributes on the Mainframe Connector. The value can be read for an Account in Identity Security Cloud.

Copy 
<entry key="splConnectionAttributes">
  <value>
    <Map>
      <entry key="CONNECTION_ATTRIBUTE_1" value="false"/>
      <entry key="CONNECTION_ATTRIBUTE_2" value="false"/>
    </Map>
  </value>
</entry>

For more information, refer to Support for Connection Attributes.

One connection or group is mandatory to create a RACF account. One of the requested groups is marked as the Default Group for that account.

The USER_ADMIN field for an Account is not in readable format. It contains only numerical keys. To make it readable, you can map the keys to other attributes in the Application definition as follows:

Copy 
<entry key="UserAdminMap">
  <value>
    <Map>
      <entry key="1" value="User"/>
      <entry key="2" value="Auditor"/>
      <entry key="3" value="Administrator"/>
      <entry key="4" value="Both"/>
      <entry key="5" value="Ignore"/>
    </Map>
  </value>
</entry>

Run the aggregation task to view the changes in Identity Security Cloud.

Important
While setting the value of the USER_ADMIN field in Identity Security Cloud, you must enter the value as defined in the Map. For example, the value must be "User" and not 1 if the User value is defined in the Account schema.

If set to true, the Identity Security Cloud application schema synchronizes with the Mainframe Connector.

Default value is true.

For example:

<entry key="syncSchema" value="true"/>

This is the timeout value, in minutes, for messages exchanged between Identity Security Cloud and the Mainframe Connector for a transaction.

Default value is 10 minutes.

For example:

<entry key="smReadTimeout" value="10"/>

The Mainframe Connector, by default, considers the SKIP return code as a success and the WARN return code as a failure. However, in some scenarios it may be required to consider SKIP as failure and WARN as success.

This can be achieved by setting the following attributes with accepted value being either true or false. To implement these changes, add the following entries:

<entry key="failWhenSkip" value="false"/>

<entry key="failWhenWarn" value="true "/>