How To Add of a GROUP and with CA

Document ID : KB000010693
Last Modified Date : 14/02/2018
Introduction:

 

 

- I took a working LDIF for adding a profile, as follows:


dn:tssproflist=tsi--opa,tssacidgrp=proflist,tssacid=xalex,tssadmingrp=acids,host=otea,o=bmw,c=de 
changetype: add 
objectClass: tssproflist 

and tried to adapt the hierarchy for groups, but I was not successful.

Environment:
z/OS, TSS r16.0, CA LDAP r15.1
Instructions:

 

 

- Indeed it's quite simple. PROFILE and GROUP work the same.

 

- To add a GROUP or remove a GROUP, use the same syntax as for the profile.

   That is, replace your profile name with the name of the group you want to add.

 

- To add a DFLTGRP to an acid, here is an LDIF file:

dn: tssacid=myacid,tssadmingrp=acids,host=myhost,o=ca,c=us 
changetype: modify 
replace: OMVS-Dflt-Group 
OMVS-Dflt-Group: MYGROUP 

 

Additional Information:

 

- Per TSS doc: 


https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/group-keyworddefine-groups-to-an-acid 

You can add a group, but there is no before/after. For this reason the GROUP attribute is not a separate object like a profile; it is an attribute on the base acid DN.

- Per LDAP doc: 


https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/configuring/configuring-ca-ldap-server/configure-the-catss_utf-backend/user-friendly-name-override-file-ca-top-secret-to-ca-ldap-server/objectclass-tssacid-tssprofile-tssdept-tssdiv-tsszone-tssgroup 

The attribute groups is to be used to add a group or groups to an acid. It is also documented as multi-valued.
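
An LDIF file following the LDAP documentation note above, as an added example that is not from the original article or from CA: it attaches two groups to an acid through the multi-valued groups attribute on the acid DN, then removes one of them. The DN is the one used in the DFLTGRP example, MYGROUP and MYGROUP2 are constructed names, and the assumption is that the CATSS_UTF backend accepts standard LDAP modify add/delete operations on this attribute.

```ldif
# Added example, not from the original article.
# Attach two groups to the acid in one request. "groups" is the
# attribute named in the LDAP doc; it is multi-valued, so each
# group is a separate value line under the same "add:" operation.
dn: tssacid=myacid,tssadmingrp=acids,host=myhost,o=ca,c=us
changetype: modify
add: groups
groups: MYGROUP
groups: MYGROUP2
-

# Remove a single group again. Naming the value after "delete:"
# removes only that value; a "delete: groups" with no value line
# would ask the server to remove every value of the attribute.
# (Assumption: the backend honours standard modify/delete semantics.)
dn: tssacid=myacid,tssadmingrp=acids,host=myhost,o=ca,c=us
changetype: modify
delete: groups
groups: MYGROUP2
-
```

Reading the acid entry back after each record and checking the groups values confirms that only the intended group was attached or removed.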