Using Profiles with Account Templates

When using CA Top Secret profiles in an account template, there are additional issues to consider. First, because the order of profiles on an ACID is critical to the permissions of that ACID and because LDAP does not guarantee that order, we recommend entering all profiles on a single account template when the order is imperative. Second, when CA Identity Manager processes account template changes, the current profiles from the ACID record are removed and the profiles from the account template are added. If you have modified the list of profiles attached to the ACID outside of CA Identity Manager, these modifications are lost. Finally, the Profile drop-down list is generated based on the exploration of the z/OS host. If changes are made through CA Top Secret or by adding an ACID of TYPE=PROFILE in CA Identity Manager, you must perform an explore at the profile level to ensure that the information in CA Identity Manager and CA Top Secret coincides.

There may be instances where profiles do not exist, where it is not advantageous to establish one for small variations in access authorities, or where you want to set values that are not supported in a profile record. If individual attributes are needed or are going to be used on an account template, we recommend that you establish policies based on the different segments in CA Top Secret. That is, one account template can control TSO information, another may control OMVS, and another may set MISC or PROFILE values. Combined, these policies completely define an ACID's attributes.

The advantage of using this methodology is that it provides a flexible interface to update certain key information in multiple ACIDs with the least amount of overhead. For example, one account template has values that control TSO authorities and is called TSOUser. Another is called TSOProgrammer and has different, expanded TSO authorities. If your provisioning role has the TSOUser account template assigned to it, but you want to provide the users with increased capabilities, you can change the provisioning role to point to the TSOProgrammer account template, and then synchronize the provisioning role. This grants the authorities for TSO based on the TSOProgrammer account template to the users assigned to that provisioning role. If this is a temporary change to last only the length of a project, change the provisioning role back to point to the TSOUser account template when the project is complete and synchronize again. This results in removing those attributes and reapplying the original values. A couple of mouse clicks and you have potentially updated numerous ACIDs with a standard set of attributes and the only attributes affected were those of TSO.

As a general rule, it is always a good practice to run a Check Sync command before doing the actual synchronization. This allows you to validate that the changes you made are the only changes to send to CA Top Secret and you are not affected by a change made to an account template that was not synchronized at an earlier date.
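The replace behavior and order sensitivity of profiles described earlier, and the pre-synchronization validation recommended above, can be modeled offline. The following Python sketch is an added example, not CA code and not how Check Sync is implemented; the template names, profile names, and data layout are constructed, and it assumes you have exported the ACID's profile list and the template's profile list by your own means.

```python
# Added illustration, not CA code. Template names, profile names and the
# dict layout are constructed; real data would come from your own exports.

def templates_carrying_profiles(templates):
    """Names of account templates that list profiles. More than one means the
    combined order is not guaranteed (LDAP does not preserve it)."""
    return sorted(name for name, t in templates.items() if t.get("profiles"))


def preview_profile_sync(acid_profiles, template_profiles):
    """Model the documented replace semantics: the ACID's current profiles
    are removed and the template's profiles are added."""
    current, target = list(acid_profiles), list(template_profiles)
    lost = [p for p in current if p not in target]    # out-of-band additions dropped by sync
    added = [p for p in target if p not in current]   # profiles the template introduces
    # Compare the relative order of the profiles present on both sides.
    kept_now = [p for p in current if p in target]
    kept_new = [p for p in target if p in current]
    return {
        "lost": lost,
        "added": added,
        "reordered": kept_now != kept_new,
        "in_sync": current == target,
        "after_sync": target,
    }


# Constructed sample data.
TEMPLATES = {
    "TSOUser": {"profiles": ["PRFBASE", "PRFTSO"]},
    "OMVSUser": {"profiles": []},
}
# PRFAUDIT was attached outside the provisioning tool; order also differs.
ACID_PROFILES = ["PRFTSO", "PRFBASE", "PRFAUDIT"]

if __name__ == "__main__":
    sources = templates_carrying_profiles(TEMPLATES)
    if len(sources) > 1:
        print("warning: profiles spread over", sources, "- order not guaranteed")
    report = preview_profile_sync(ACID_PROFILES, TEMPLATES[sources[0]]["profiles"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `lost` list or `reordered: True` is a reason to reconcile the template with the ACID before synchronizing.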