Connection Attribute Management

Connection Attribute Management enables you to manage System Privileges and Connection Privileges.

System Privileges

The SYSTEM_ACCESS attribute in the Account schema manages system privileges.

  • The Account aggregation fetches SYSTEM_ACCESS properties along with other properties of the account. SYSTEM_ACCESS manages the following attributes:

    • SPECIAL

    • OPERATIONS

    • AUDITOR

    • ROAUDIT

  • SYSTEM_ACCESS is a multi-valued entitlement attribute, so the values SPECIAL, OPERATIONS, AUDITOR, and ROAUDIT are added as entitlements in the Entitlement Catalog.

  • SYSTEM_ACCESS supports provisioning operations and certification like any other entitlement attribute.

Important

  • If the SYSTEM_ACCESS attribute is sent through the provisioning plan along with the USER_ADMIN and OPERATIONS attributes, then USER_ADMIN and OPERATIONS are ignored.

  • SYSTEM_ACCESS attribute creation is not supported in Identity Security Cloud. Only the SYSTEM_ACCESS attribute with the values SPECIAL, OPERATIONS, AUDITOR, and ROAUDIT is supported.

Configurations for System Privileges

  1. Add SYSTEM_ACCESS as a string attribute in the Account schema by selecting the following in Advanced properties:

    • Entitlement

    • Multi-Value

    • Managed

  2. Enable Manage Privileged Access so the connector manages Connection privileges.

  3. Apply the PRT version FSD0134 or later on the SailPoint Connector for RACF version 4.0.01.

Note
For more information on the Mainframe E-Fixes and PTFs, refer to Mainframe E-Fixes.

Connection Privileges

Connection Privileges indicate the privilege(s) an account has on a RACF group.

During group aggregation, SailPoint creates three additional groups for each group that it receives from the RACF system. The three additional groups are named in the following format:

<Connection Privileges>.<Group Name>

where:

<Connection Privileges> can be:

  • SPECIAL

  • OPERATIONS

  • AUDITOR

<Group Name> is the name of the group that SailPoint receives from the RACF system.

For example, if SailPoint receives a Group named ENGG from RACF during group aggregation, four groups are added:

  • ENGG

  • SPECIAL.ENGG

  • OPERATIONS.ENGG

  • AUDITOR.ENGG

These four groups can be requested and certified like any other entitlements.

The connection privileges are managed with add and remove entitlement operations. For example, if an add-access request is sent for the account of a user named John to connect to SPECIAL.ENGG, then John's account, which is connected to the ENGG group, will have SPECIAL privileges on that group in RACF.

SailPoint displays the following connections on John's account:

  • ENGG
  • SPECIAL.ENGG
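The following Python script is an added example, not SailPoint or connector code. It models the <Connection Privileges>.<Group Name> naming described above and walks constructed aggregation data to list which accounts hold system privileges (SYSTEM_ACCESS) or group-level connection privileges, as a reviewer might before a certification. It assumes RACF group names never contain a dot, so the first dot is always the separator.

```python
# Added example (not SailPoint code): review helper for the <Privilege>.<Group>
# entitlements the RACF connector creates for connection privileges.

PRIVILEGES = ("SPECIAL", "OPERATIONS", "AUDITOR")
SYSTEM_VALUES = PRIVILEGES + ("ROAUDIT",)  # SYSTEM_ACCESS values on this page


def expand_group(group):
    """The four entitlements created for one RACF group: the group itself plus
    SPECIAL.<group>, OPERATIONS.<group> and AUDITOR.<group>."""
    return [group] + [f"{priv}.{group}" for priv in PRIVILEGES]


def parse_entitlement(value):
    """'SPECIAL.ENGG' -> ('SPECIAL', 'ENGG'); a plain group 'ENGG' -> (None, 'ENGG').
    Assumption: RACF group names contain no '.', so the first '.' separates them."""
    prefix, sep, group = value.partition(".")
    if sep and prefix in PRIVILEGES:
        return prefix, group
    return None, value


def review_privileges(accounts):
    """accounts: {name: {"groups": [...], "SYSTEM_ACCESS": [...]}} as aggregated.
    For every account holding any privilege, report its system privileges, its
    connection privileges per group, and 'orphaned' groups: a connection
    privilege held on a group the account is not itself connected to, which is
    worth a second look during certification."""
    report = {}
    for name, attrs in accounts.items():
        connected, conn_privs = set(), {}
        for ent in attrs.get("groups", []):
            priv, group = parse_entitlement(ent)
            if priv is None:
                connected.add(group)
            else:
                conn_privs.setdefault(group, []).append(priv)
        system = [v for v in attrs.get("SYSTEM_ACCESS", []) if v in SYSTEM_VALUES]
        if not system and not conn_privs:
            continue
        orphaned = sorted(g for g in conn_privs if g not in connected)
        report[name] = {"system": system, "connection": conn_privs, "orphaned": orphaned}
    return report


# Constructed sample aggregation data in the shape this page describes (not real accounts).
SAMPLE_ACCOUNTS = {
    "JOHN": {"groups": ["ENGG", "SPECIAL.ENGG"], "SYSTEM_ACCESS": []},
    "MARY": {"groups": ["ENGG", "OPS"], "SYSTEM_ACCESS": ["AUDITOR"]},
    "BOB": {"groups": ["OPERATIONS.OPS"], "SYSTEM_ACCESS": []},
    "ALICE": {"groups": ["ENGG"], "SYSTEM_ACCESS": []},
}
```

Running `review_privileges(SAMPLE_ACCOUNTS)` lists JOHN (SPECIAL on ENGG), MARY (system-wide AUDITOR) and BOB (OPERATIONS on OPS without an OPS connection, flagged as orphaned); ALICE holds no privilege and is omitted.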

Configurations for Connection Privileges

The connection privileges can be enabled by adding the following attribute using the REST API:

POST <url>/api/source/update/<sourceID>

where:

  • <url> is the URL for the customer's Identity Security Cloud instance

  • <sourceID> is the Source ID (number) obtained through the UI

In the body of the POST, set form-data values as follows:

  • key – key name of the entry. Use connector_CONNECTION_ATTRIBUTES.

  • value – true

Note
Delete the OWNER attribute if it exists in the splConnectionAttributes section.