We're implementing an identity management software in our company (IIQ) that connects to several platforms (AD, MF (ACF2), etc...). That product works with roles. A logonid there may have several roles assigned to him.
Our ACF2 setup is currently UID based. We are using multi-valued UID strings. A logonid may have up to 5 UIDs in our case.
I know of the existence of X-ROL records in ACF2 and how that works. I also had a meeting with CA on their implementation of role based access control in ACF2. But I was wondering if anyone has performed a migration from UID based accesses to X-ROL records and is willing to share his experiences here (or just has something to say on implementing role based access control in an ACF2 environment):
  • Did you perform a complete migration (all UID accesses translated to ROLE accesses)? If not, why?
  • How did you migrate? (Rulesets cannot have both UID rules and role rules at the same time, which makes it hard to migrate.)
  • Any tooling that might be handy here? (EKC has some tools available, CA too, others?) Any experiences with them?
  • How many roles are logonids typically in? Did you notice any change in performance / CPU consumption? I suppose it makes a difference if a role is first in the validation list of a logonid or if it's placed further up.
  • Any other attention points?