10. Map Enterprise IDs to Mainframe User Names

Your users’ enterprise user names (used for authentication) must be mapped to their mainframe user names (used for authorization) so that the automated sign-on macro can log on directly to the mainframe application.

Mainframe user names can be stored in different ways. Determine which data store option fits your environment and whether you need to change the existing schema.

In brief, the administrator will:

  1. Choose a data store option

  2. Implement identity mappings and data storage

Choose a data store option

There are two options:

  • An authenticating directory with primary user objects

  • An authenticating directory plus a secondary directory

To help you decide, read through the conditions and scenarios described for each option.

An authenticating directory with primary user objects

Conditions

  • Mainframe user names are stored on the same LDAP directory that is used to authenticate your users.

  • Every user has a single unique object.

  • Each object has multiple attributes.

  • An attribute is needed to search for mainframe user names.

Implementation scenarios

  1. Add an attribute to an object.

    Advantages:

    • The LDAP schema is similar to a template.

    • One user can have multiple mainframe user names (attributes).

    Disadvantage: Requires a change in schema.

  2. Re-purpose an unused attribute.

    Advantage: No change in schema is required.

An authenticating directory plus a secondary directory

Conditions

  • An LDAP directory is used to authenticate users.

  • Mainframe user names are stored on a separate LDAP directory that is not used for authentication.

Implementation scenario

Set up a separate LDAP server and create a new set of objects – one per user – in the second directory.

The LDAP search filter would:

  1. Find the user's object with the attribute and

  2. Find the attribute within the object that has the mainframe user name.

Advantages:

  • The object is stable over time.

  • Using Assign Access (in MSS), several options are available for searching the second LDAP directory and authorizing users to use automated sign-on:

    • Select UPN as the key to a secondary LDAP search filter.

    • Specify the LDAP attribute in the authenticating directory from which the UPN is obtained.

    • Select an LDAP attribute value in the authenticating directory as the key to a secondary LDAP search filter.

    • Select a literal value.

Disadvantage: This scenario requires two LDAP directories.
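The two-step lookup described for this option, as an added Python example that is not part of the product documentation: it builds the secondary-directory search filter from a key value read from the authenticating directory (UPN here), escapes that value per RFC 4515 so it cannot alter the filter's structure, and evaluates the filter against a small constructed stand-in for the secondary directory. The attribute names userPrincipalName and mainframeUserName, the directory entries and the RACF IDs in them are constructed for illustration, and the mini filter evaluator covers only the AND-of-equality shape the filter builder emits.

```python
import re
from typing import Dict, List

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into a search filter, so a UPN or
    DN taken from the authenticating directory cannot change the filter's
    structure (an unescaped '*' would otherwise match every object)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_secondary_filter(key_attr: str, key_value: str, object_class: str = "person") -> str:
    """Filter used against the secondary directory: key_attr is the attribute
    chosen as the key (UPN, another attribute value, or a literal), key_value is
    what was read from the authenticating directory."""
    return f"(&(objectClass={object_class})({key_attr}={escape_filter_value(key_value)}))"


# Constructed stand-in for the secondary LDAP directory: one object per user with
# a multi-valued mainframe user name attribute (attribute names are assumed).
SECONDARY_DIRECTORY: List[Dict[str, List[str]]] = [
    {"dn": ["cn=joe.user,ou=mapping,dc=my-org,dc=com"], "objectClass": ["top", "person"],
     "userPrincipalName": ["joe.user@my-org.com"], "mainframeUserName": ["TSOS2W3", "TSOADM1"]},
    {"dn": ["cn=ann.ops,ou=mapping,dc=my-org,dc=com"], "objectClass": ["top", "person"],
     "userPrincipalName": ["ann.ops@my-org.com"], "mainframeUserName": ["TSOS9Q1"]},
]

# One "(attribute=value)" assertion; values may contain RFC 4515 \xx escapes.
_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def _value_matcher(assertion_value: str) -> "re.Pattern[str]":
    """Compile an assertion value: an unescaped '*' is a wildcard, '\\xx' is a literal."""
    parts, i = [], 0
    while i < len(assertion_value):
        ch = assertion_value[i]
        if ch == "\\":
            parts.append(re.escape(chr(int(assertion_value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def search(directory, ldap_filter: str):
    """Evaluate an AND-of-equality filter (the shape build_secondary_filter emits)
    against the in-memory directory and return the matching objects."""
    assertions = _ASSERTION.findall(ldap_filter)
    return [
        entry for entry in directory
        if all(any(_value_matcher(v).fullmatch(x) for x in entry.get(a, [])) for a, v in assertions)
    ]


def lookup_mainframe_ids(directory, key_attr: str, key_value: str,
                         mf_attr: str = "mainframeUserName") -> List[str]:
    """Step 1: find the user's object with the key attribute. Step 2: read the
    mainframe user name attribute from it. Anything other than exactly one
    matching object yields no mainframe identity, so the sign-on macro is never
    handed another user's RACF ID."""
    hits = search(directory, build_secondary_filter(key_attr, key_value))
    if len(hits) != 1:
        return []
    return list(hits[0].get(mf_attr, []))


if __name__ == "__main__":
    print(lookup_mainframe_ids(SECONDARY_DIRECTORY, "userPrincipalName", "joe.user@my-org.com"))
    # Escaping turns a wildcard key into a literal, so it matches nothing:
    print(lookup_mainframe_ids(SECONDARY_DIRECTORY, "userPrincipalName", "*"))
```

The second call in the usage block is the point of the escaping: a key value of `*` read from an attribute is searched as a literal asterisk and returns no mainframe identity, whereas the same value interpolated unescaped would match every object in the secondary directory.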

Implement identity mappings and data storage

The administrator must create a data store of identity mappings. The mapped data relates a user's enterprise identity (such as a smart card) to his or her mainframe user name identity. Users may have more than one mainframe identity based on the applications they are entitled to access.

The text of the mappings must be provided in a format (such as CSV) that can be uploaded and searched. The administrator may choose to work with Consulting Services to prepare the identity mappings.

Configuration tasks: Identity mapping

  1. Identify the data store option that you selected above, either

    • an authenticating directory with primary user objects — or —

    • an authenticating directory plus a secondary directory

  2. Gather the data for the identity mappings:

    • Enterprise (authenticating) IDs, recognized by the MSS Administrative Server.

    • Mainframe User names (RACF IDs), recognized by RACF.

    For example, a user might have the following identities:

    Enterprise ID: CN=Joe User,OU=Users,DC=my-org,DC=com

    Mainframe User name (RACF ID): TSOS2W3

    Note

    A user can have multiple mainframe user names, based on their roles (such as end user or admin) and on the applications they are entitled to access.

  3. Populate the data store with the mappings.
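Steps 2 and 3 carried through as an added Python example, not part of the product documentation: it reads a constructed CSV of (enterprise ID, mainframe user name) pairs, rejects rows whose RACF ID fails a format check (the rule used here is an assumption: 1 to 8 characters from A-Z, 0-9, #, $, @, not starting with a digit), groups multiple mainframe identities per user, and emits LDIF for either data store option. The attribute name mainframeUserName, the key attribute enterpriseId, the object class mainframeMapping and the base DN are assumed names; the real ones depend on the directory schema chosen in step 1.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Assumed RACF user ID rule for the format check: 1 to 8 characters drawn from
# A-Z, 0-9, # $ @, not starting with a digit (TSOS2W3 from the text passes).
_RACF_ID = re.compile(r"^[A-Z#$@][A-Z0-9#$@]{0,7}$")

# Constructed mapping file: one row per (enterprise ID, mainframe user name)
# pair, so a user with several mainframe identities appears on several rows.
SAMPLE_CSV = """enterprise_id,mainframe_user_name
"CN=Joe User,OU=Users,DC=my-org,DC=com",TSOS2W3
"CN=Joe User,OU=Users,DC=my-org,DC=com",TSOADM1
"CN=Ann Ops,OU=Users,DC=my-org,DC=com",TSOS9Q1
"CN=Bad Row,OU=Users,DC=my-org,DC=com",9TOOLONGID
"""


def load_mappings(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group mainframe user names by enterprise ID. Rows whose mainframe user
    name fails the format check are returned separately for review instead of
    being written to the directory."""
    mappings: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for row in csv.DictReader(io.StringIO(text)):
        eid = row["enterprise_id"].strip()
        mf = row["mainframe_user_name"].strip().upper()
        if not _RACF_ID.match(mf):
            rejected.append(f"{eid}: {mf}")
            continue
        ids = mappings.setdefault(eid, [])
        if mf not in ids:
            ids.append(mf)
    return mappings, rejected


def ldif_for_primary_objects(mappings: Dict[str, List[str]], attr: str = "mainframeUserName") -> str:
    """Option 1: add the (assumed) attribute to each user's existing object in
    the authenticating directory; the enterprise ID is the object's DN."""
    out: List[str] = []
    for dn, ids in mappings.items():
        out.append(f"dn: {dn}\nchangetype: modify\nadd: {attr}")
        out.extend(f"{attr}: {mf}" for mf in ids)
        out.append("-\n")
    return "\n".join(out)


def ldif_for_secondary_directory(mappings: Dict[str, List[str]],
                                 base_dn: str = "ou=mapping,dc=my-org,dc=com",
                                 key_attr: str = "enterpriseId",
                                 attr: str = "mainframeUserName") -> str:
    """Option 2: create one new object per user in the secondary directory,
    carrying the enterprise ID as the key the secondary search filter looks up.
    base_dn, the object class and both attribute names are assumed and must
    match whatever schema the secondary directory actually uses."""
    out: List[str] = []
    for n, (eid, ids) in enumerate(mappings.items(), start=1):
        uid = f"map{n:04d}"
        out.append(f"dn: uid={uid},{base_dn}\nchangetype: add\nobjectClass: top\n"
                   f"objectClass: mainframeMapping\nuid: {uid}\n{key_attr}: {eid}")
        out.extend(f"{attr}: {mf}" for mf in ids)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    mappings, rejected = load_mappings(SAMPLE_CSV)
    print(ldif_for_primary_objects(mappings))
    print("rejected rows:", rejected)
```

The rejected list is worth reviewing before anything is loaded: a malformed RACF ID written into the directory would simply make automated sign-on fail for that user, and the failure would surface at the mainframe rather than in the mapping step where it is easy to fix.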

When the identity mappings are in place, continue with assigning access to the automated sign-on for mainframe sessions.