Locked Accounts in the Connector
Important
The Locked Accounts feature requires the Online Interceptor to be running continuously, so that every RACF SMF revoke and resume record is seen.
Locked Accounts is a CTSACF feature:

Feature Name | Level | Default custom field name | RSSPARM Parameter
---|---|---|---
Locked Account Support | User | CTSLKACT | LOCKED_ACCOUNT_CFNAME
In order for the Connector for RACF to return the appropriate values in the RU_LOCKED, RU_SUSPENDED and RACF_REVOKE_REASON keywords, the connector has to know:
- The account status (revoked or resumed)
- The revoke reason for revoked accounts
Users in RACF can be revoked for several reasons:
- Excessive password attempts
- Inactivity period
- ALTUSER command with the REVOKE parameter
- Revoke date

Users in RACF can be resumed for two reasons:
- ALTUSER command with the RESUME parameter
- Resume date

When a user becomes revoked, RACF does not save the reason in the user record. The revoke reason can be determined by analyzing the SMF record that RACF writes when it revokes a user (except for a revoke because of the revoke date, which produces no SMF record). An SMF record is also written when a user is resumed by an ALTUSER RESUME command.
The Connector's Online and Offline interceptors read these RACF SMF records. To make the revoke reason available when the Connector later retrieves the user data, the interceptors analyze the SMF records and determine the user status. For revoked users they determine the revoke reason and store it in the CTSLKACT custom field of the user record. For resumed users they set a special revoke reason ('?') indicating that a resume was done, for further processing by the Connector server. The revoke reason is thus available to the Connector server when it has to determine the account status and whether the account is Locked or Suspended.
When a user is revoked or resumed as a result of a request from SailPoint, the Connector server itself knows the revoke reason and sets it in the CTSLKACT custom field.
Revoke reasons set in the CTSLKACT custom field:
- P - Excessive password attempts
- I - Inactivity period
- C - ALTUSER command with the REVOKE parameter
- D - Revoke date
- ? - Unknown. The user was resumed by a command; the Connector still has to check whether the user is actually resumed or has since been revoked because of the revoke date.

The CTSLKACT custom field does not exist in the user record when:
- The user is active.
- The user is revoked but the revoke reason is not known. This is the case for users that were already revoked when the feature was first activated.
When a user is retrieved by the Connector, the Connector determines the user status and revoke reason from the user data. Some special cases need attention from the Connector server:
- When the user is revoked by date and has a revoke reason of '?', the Connector sets the appropriate revoke reason (D) in the CTSLKACT custom field.
- When the user is revoked with no revoke reason, the Connector checks the revoke date to determine whether the user is revoked because of the date. If so, it sets the appropriate value (D) in the CTSLKACT custom field.
- When the user is active (was resumed because of the resume date) but still has a revoke reason, the Connector removes the revoke reason by deleting the CTSLKACT custom field from the user record.

Whenever the Connector interceptors or the Connector server set a revoke reason in the CTSLKACT custom field, a message is issued to the STDMSG file indicating that the user record was changed.
To implement support for Locked accounts:

1. Stop the Connector for RACF Gateway and servers with the following operator command:

   P CTSGATE

2. Stop the Online Interceptor, if it is active, with the following operator command:

   P CTASONI

3. The default name of the custom field used for the revoke reason is USER.CSDATA.CTSLKACT. If you wish to change this name:
   - Edit member RSSPARM in the Connector PARM library.
   - Insert the following parameter:

     rss_name LOCKED_ACCOUNT_CFNAME <custom-field-name>

     where <custom-field-name> is the last qualifier (after USER.CSDATA) of the custom field to be used for the revoke reason.
   - Save the member.

4. Define the custom field to be used for the revoke reason to RACF. The custom field must be defined with the following attributes:
   - TYPE(CHAR)
   - MAXLENGTH(1)
   - FIRST(ANY)
   - OTHER(ANY)
   - MIXED(NO)

   Custom fields are described in the "Defining and using custom fields" chapter of IBM's RACF Security Administrator's Guide.

5. Restart the Connector for RACF Gateway and servers with the following operator command:

   S CTSGATE

6. Restart the Online Interceptor, if needed, with the following operator command:

   S CTASONI

7. Aggregate all accounts in order to set the revoke reason for users revoked because of the revoke date. The initial revoke reason for users revoked for other reasons will be empty, since the Connector cannot determine a revoke reason for revokes that happened before the interceptors were watching.

From this point on, the revoke reason is updated by the Connector components according to changes in user status.
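The following batch TSO job is an added example of step 4 (defining the custom field with the required attributes), not part of the original page or of the Connector for RACF product. It assumes the default field name CTSLKACT (substitute the name you set in LOCKED_ACCOUNT_CFNAME if you changed it), a placeholder job card, and a placeholder test user TESTUSR; the HELP and LISTHEAD texts are illustrative. The CFIELD refresh and the IRRDPI00 UPDATE steps are the standard RACF follow-up for a new custom field and are not mentioned on the page itself.

```jcl
//CTSLKACT JOB (ACCT),'DEFINE CTSLKACT',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example: define the CTSLKACT custom field the Connector for
//* RACF uses for the revoke reason, make the CFIELD definition live,
//* rebuild the dynamic parse tables so CSDATA(CTSLKACT(...)) is
//* accepted by ALTUSER/LISTUSER, then verify on a placeholder user.
//* Job card and the user ID TESTUSR are assumptions, not page content.
//*
//DEFINE   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* One-character field, any characters, not mixed case: exactly    */
  /* the attributes the Connector requires for the revoke reason.     */
  RDEFINE CFIELD USER.CSDATA.CTSLKACT UACC(NONE) +
    CFDEF(TYPE(CHAR) MAXLENGTH(1) FIRST(ANY) OTHER(ANY) MIXED(NO) +
          HELP('CONNECTOR FOR RACF REVOKE REASON: P I C D OR ?') +
          LISTHEAD('REVOKE REASON='))
  /* First-time activation of the class; if CFIELD is already active  */
  /* and RACLISTed on this system, the REFRESH alone is sufficient.   */
  SETROPTS CLASSACT(CFIELD) RACLIST(CFIELD)
  SETROPTS RACLIST(CFIELD) REFRESH
  /* Rebuild the dynamic parse tables so the RACF commands know the   */
  /* new CSDATA keyword.                                              */
  IRRDPI00 UPDATE
  /* Verification on the placeholder user: set the reason to D        */
  /* (revoke date), list the CSDATA segment, then remove the field    */
  /* again, which is what the Connector does for an active user.      */
  ALTUSER TESTUSR CSDATA(CTSLKACT('D'))
  LISTUSER TESTUSR CSDATA NORACF
  ALTUSER TESTUSR CSDATA(NOCTSLKACT)
/*
```

Note that the comment lines inside SYSTSIN are indented on purpose: a `/*` in column 1 would end the in-stream data. If field-level access checking (the FIELD class) is active on the system and the RACF user under which the Connector server and interceptors run is not SPECIAL, that user also needs UPDATE access to USER.CSDATA.CTSLKACT in the FIELD class, or it will be unable to set and remove the revoke reason.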