As with Rex, I deal only with the Connector.  The install is kind of kludgy, 
but it's not bad.  If I remember correctly, the security setup for the service 
accounts (requires two) was not well documented.

Unlike Rex, we use ours for dynamic provisioning right now.  Users request and 
get approvals for entitlements in SailPoint; they are immediately provisioned 
in RACF.

The hardest part, by far, was mapping RACF resources to the SailPoint 
structures on the other end.  They still don't match up quite right (and TSO 
segments, etc., are still manual; they couldn't figure that out).  The folks on 
that end speak AD; RACF is a foreign concept to them.  It took them at least a 
year, and perhaps eighteen months, to roll it out.

A few things if you implement it:
- Don't wait until it fails--grow your QUEUE file by at least ten times over 
  delivered values right at the start.
- Expect issues with Aggregation (we use online; offline _sounds_ problematic); 
  it is slow and fails often.  The latest Gateway has improved it a lot, but it 
  has taken years.
- When de-provisioning users, SP disconnects all groups; you will find the need 
  to set up a default group for most/all users with no permits and code that into 
  SP as something it cannot remove.

Also, and my biggest gripe, which is only operational:  we have a limited 
number of sysplexes and RACF databases, so dev SP points at the sysprog 
sandbox; QA SP points at our "production integration" environment, and prod SP 
points at prod/dev.  I do not know how many times I have had to recover the 
RACF database in dev/QA from the console because the SP folks have 
deprovisioned all the sysprog accounts; they are also fond of removing groups 
from the operators, etc.  Forgive them, for they know not what they do, I 
suppose.

On the bright side, the user exits are in REXX and are easy to use and 
implement.  Lots of exit points as well.  (One we use, for instance, cleans up 
user datasets and aliases upon deprovisioning.)

There are other things I'm forgetting right now; if I think of any, I'll post 
again.

First Horizon Bank
Mainframe Technical Support


-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Ron Wells
Sent: Thursday, July 2, 2020 9:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF-SailPoint

Unfortunately --- lol
What experiences/problems have you had on MF?

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Jackson, Rob
Sent: Thursday, July 02, 2020 8:14 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF-SailPoint

Unfortunately, yes.  We run it.

First Horizon Bank
Mainframe Technical Support

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Ron Wells
Sent: Thursday, July 2, 2020 8:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACF-SailPoint

Anyone have any dealings with the SailPoint product?


Email Disclaimer

This E-mail contains confidential information belonging to the sender, which 
may be legally privileged information. This information is intended only for 
the use of the individual or entity addressed above. If you are not the 
intended recipient, or an employee or agent responsible for delivering it to 
the intended recipient, you are hereby notified that any disclosure, copying, 
distribution, or the taking of any action in reliance on the contents of the 
E-mail or attached files is strictly prohibited.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Confidentiality notice:
This e-mail message, including any attachments, may contain legally privileged 
and/or confidential information. If you are not the intended recipient(s), or 
the employee or agent responsible for delivery of this message to the intended 
recipient(s), you are hereby notified that any dissemination, distribution, or 
copying of this e-mail message is strictly prohibited. If you have received 
this message in error, please immediately notify the sender and delete this 
e-mail message from your computer.
