Overcome any RACF user creation or access challenge

In this blog, let’s go through a few common challenges and see how they can be solved using the IdentityForge RACF connector.

Challenge 1: Creating a stock RACF user with access

Most manual processes used to manage user ID creation and access on RACF today involve creating a user on RACF. However, a stock ID created on RACF is of no use unless a few additional privileges are provisioned on the user ID. For example, these tasks include, but are not limited to, providing TSO access and providing access to specific datasets. These steps are almost entirely manual in nature and can take days for the usually busy admin teams to complete. This leads to lost productivity for the newly onboarded user and multiple rounds of requests to the admin teams if the access is not provisioned right the first time.

Solution: Use the IdentityForge RACF connector to create identities and provision access to segments such as TSO, OMVS, CICS, NETVIEW, DFP, and custom attributes in a single request. The RACF connector also provides a post-processing utility that executes organization-specific custom commands after the user is created. The utility can receive dynamic parameters with the request, such as the name of a dataset that needs to be created and refreshed after the user creation. The post-processing script can be written in REXX and can use the specific parameters sent as part of the user creation request to perform the additional steps required to complete the user creation. This simplifies user creation and sets up the user with all the required privileges right the first time. Developing the custom post-processing script is a one-time setup activity.

Use Case: A large corporation with hundreds of LPARs is using the post-processing utility to assign and refresh the catalog (provided dynamically with the user creation request) for the user. This solved a unique case and removed the manual step of setting up the catalog access separately.

Challenge 2: Delays in getting information directly updated on the RACF system

Most of the user and access information is made available to the IAM systems for certification activities. However, if updates are made to user profiles directly on the RACF system, the IAM system has to wait for the next full reconciliation to fetch the latest information. This could take up to two to three weeks depending on the full reconciliation frequency and the amount of data. Customers with larger data sets (200K+ user records) usually run a full reconciliation every two weeks. This can lead to delays in user deprovisioning and access revocation, and to stale data being used for certifications.

Solution: Use the IdentityForge RACF connector’s real-time reconciliation utility to deliver the latest updates to the IAM systems. The IdentityForge RACF connector intercepts updates to RACF objects as they happen and forwards the information in real time to the identity management systems. This information can then be used to generate certification reports with near real-time data from the RACF systems.

Use Case: One of the largest banks is using the real-time reconciliation utility to capture updates made directly on the RACF systems. The delta reconciliation job on the IAM system (scheduled every two hours) then reads only the changes from the last two hours, so the latest information is available for access management activities.

Challenge 3: Unavailability of the dataset access information for dataset certification

Most IAM systems that manage RACF objects can manage users and groups. However, they lack information on dataset access and therefore lack the ability to perform periodic dataset certifications. Depending on the organization’s policy, this can be important and can lead to compliance issues.

Solution: Use the IdentityForge RACF connector to retrieve the dataset access information, such as the user and the access level (READ, WRITE, ACCESS). This information can be used to perform periodic access certifications at the dataset level.

In addition to the above, the IdentityForge RACF connector can manage group and dataset memberships, use complex passphrases, create system accounts (NOPASS), support special characters in passwords, and offers many other features out of the box for simplifying RACF identity management.