Connector Guides › Connectors Guide › Connecting to Endpoints › RACF Connector › Connector-Specific Features › Proxy Administration Support

Proxy Administration Support

You can configure a proxy ID for all tasks accomplished within CA Identity Manager. Previously, a proxy ID could only be configured for use with requests generated from the SAWI interface. This proxy ID is maintained on the main Endpoint page in the Proxy Administration Configuration section. The proxy ID can be used for any type of CA Identity Manager request against supported objects, and for any Identity Manager Administrator that is logged on.

Note: The enhancement is only recommended to use after careful consideration (and preparation) of the following consequences:

1. Any Global User (with the proper privileges provided within CA Identity Manager) is able to administer RACF Userids, Groups, and Permissions under the configured proxy ID. Any mainframe security product scoping is lost; only the scoping of the proxy ID is enforced.
2. As mentioned above, security settings are now the only point of enforcement against a Global User manipulating mainframe security data.
3. Any reports or auditing methods against administration of your mainframe security data that originate from the mainframe is now compromised; the only ID that shows up for any administration that occurred from CA Identity Manager is the configured proxy ID.
4. If the proxy ID's password changes on the mainframe, the password must be changed on every Endpoint Page within the Provisioning Manager that it is configured for.

By default, the Connector operates in the same mode as in past releases; the logged-on Global User and their password are used for submitting any requests destined to the mainframe security product. The common endpoint page entitled Endpoint Settings provides two checkbox controls under the description Administrator Credentials that control the three possible settings:

Use logged-in Administrator's credentials

Default setting. Indicates that the logged-in Administrator (Global User) is used as the credentials for ALL requests, even from the SAWI.

Use proxy for SAWI changes

Indicates that the logged-in Administrator (Global User) is used as the credentials for all requests EXCEPT for requests from the SAWI interface. The proxy ID credentials (if available) are used for requests coming from the SAWI interface.

Use proxy for ALL requests

When no checkbox is checked, this indicates that the proxy ID credentials (if available) are to be used for ALL requests.

When any request occurs from CA Identity Manager, these settings are checked against the endpoint where the request is targeted. If, based on the endpoint settings and the type of request (SAWI or otherwise), proxy credentials are to be used, the credentials that are defined for that endpoint are retrieved and used for the request. In the case where endpoint credentials are supposed to be used, but no credentials exist (either Proxy ID or password contains no value), the proxy credentials are not used for the request and the request proceeds using the logged-in Administrator (Global User) credentials.

Note: Proxy IDs must be what are referred to as 'logon-able' user IDs. That means they must be 7 bytes in length or less. 8 byte user IDs are no longer valid.

Note: The check boxes on this tab are for legacy purposes only. You can perform proxy configuration and administration support from the Self-Service interface.