Role-based access control in ACF2

Discussion created by HansMortier on Nov 21, 2016
Latest reply on Feb 8, 2019 by HansMortier

We're implementing identity management software in our company (IIQ) that connects to several platforms (AD, MF (ACF2), etc.). That product works with roles: a logonid there may have several roles assigned to it.
Our ACF2 setup is currently UID based. We are using multi-valued UID strings; a logonid may have up to 5 UIDs in our case.
I know of the existence of X-ROL records in ACF2 and how that works. I also had a meeting with CA on their implementation of role-based access control in ACF2. But I was wondering if anyone has performed a migration from UID-based accesses to X-ROL records and is willing to share their experiences here (or just has something to say on implementing role-based access control in an ACF2 environment):

  • Did you perform a complete migration (all UID accesses translated to ROLE accesses)? If not, why?
  • How did you migrate? (Rulesets cannot have both UID rules and role rules at the same time, which makes it hard to migrate.)
  • Any tooling that might be handy here? (EKC has some tools available, CA too, others?) Any experiences with them?
  • How many roles are logonids typically in? Did you notice any change in performance / CPU consumption? I suppose it makes a difference if a role is first in the validation list of a logonid or if it's placed further up.
  • Any other attention points ?
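The migration-planning check implied by the post, as an added example that is not part of the original thread and not CA's or EKC's tooling: it models a ruleset as a list of entries that are either UID-mask based or role based, enforces the all-UID-or-all-ROLE constraint, converts a ruleset only when every UID mask has a role mapped to it (otherwise the ruleset is reported as not migratable and left unchanged), derives a logonid's role membership from its multi-valued UID list, and compares the access a logonid gets before and after conversion. The entry representation, the `Entry`/`migrate_ruleset`/`effective_access` names, the masking semantics (`*` matches one character, `-` matches the rest of the string) and all sample UIDs, masks and role names are assumptions constructed for the example, not real ACF2 rule syntax or data from the post.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entry:
    """One rule entry of a ruleset (simplified model, not ACF2 compile syntax).

    Exactly one of uid (a UID mask) or role (a role name) is set.
    """
    uid: Optional[str] = None
    role: Optional[str] = None
    access: str = "READ(A)"


def uid_mask_matches(mask: str, uid: str) -> bool:
    """Assumed, simplified masking: '*' matches exactly one character,
    '-' matches everything from that position to the end of the UID."""
    for i, ch in enumerate(mask):
        if ch == "-":
            return True
        if i >= len(uid):
            return False
        if ch != "*" and ch != uid[i]:
            return False
    return len(uid) == len(mask)


def validate_ruleset(entries: Iterable[Entry]) -> str:
    """A ruleset must be entirely UID based or entirely role based.
    Returns "UID" or "ROLE"; raises if the two are mixed."""
    entries = list(entries)
    has_uid = any(e.uid is not None for e in entries)
    has_role = any(e.role is not None for e in entries)
    if has_uid and has_role:
        raise ValueError("ruleset mixes UID and ROLE entries")
    return "ROLE" if has_role else "UID"


def migrate_ruleset(entries: Iterable[Entry],
                    uid_to_role: Dict[str, str]) -> Tuple[List[Entry], List[str]]:
    """All-or-nothing conversion of a UID ruleset to a role ruleset.

    Returns (entries_after, unmapped_masks). If any UID mask in the ruleset
    has no role assigned, the ruleset is returned unchanged so that it
    never ends up with a mixture of UID and ROLE entries.
    """
    entries = list(entries)
    unmapped = [e.uid for e in entries
                if e.uid is not None and e.uid not in uid_to_role]
    if unmapped:
        return entries, unmapped
    migrated: List[Entry] = []
    for e in entries:
        new = e if e.uid is None else Entry(role=uid_to_role[e.uid], access=e.access)
        if new not in migrated:          # two masks mapped to one role collapse
            migrated.append(new)
    return migrated, []


def derive_roles(logonid_uids: Iterable[str], uid_to_role: Dict[str, str]) -> Set[str]:
    """Role membership a logonid would need (its X-ROL INCLUDE list, in the
    post's terms) so that the role rules grant what its UID masks granted."""
    uids = list(logonid_uids)
    return {role for mask, role in uid_to_role.items()
            if any(uid_mask_matches(mask, u) for u in uids)}


def effective_access(entries: Iterable[Entry], logonid_uids: Iterable[str],
                     logonid_roles: Iterable[str]) -> FrozenSet[str]:
    """Set of access strings a logonid is granted by a ruleset, evaluating
    every entry (the real product stops at the first match; this models the
    union so before/after comparisons are order independent)."""
    uids, roles = list(logonid_uids), set(logonid_roles)
    granted = set()
    for e in entries:
        if e.uid is not None and any(uid_mask_matches(e.uid, u) for u in uids):
            granted.add(e.access)
        elif e.role is not None and e.role in roles:
            granted.add(e.access)
    return frozenset(granted)


# Constructed sample data (not from the post): one ruleset and two logonids.
PAYROLL_UID_RULES = [
    Entry(uid="FINPAY-", access="READ(A) WRITE(A)"),
    Entry(uid="FIN*****", access="READ(A)"),
]
UID_TO_ROLE = {"FINPAY-": "PAYADMIN", "FIN*****": "FINUSER"}
LOGONIDS = {"USER1": ["FINPAYA1", "HRCLRK01"], "USER2": ["FINACC01"]}


def migration_preserves_access(entries: List[Entry], uid_to_role: Dict[str, str],
                               logonids: Dict[str, List[str]]) -> bool:
    """The regression check: every logonid must get exactly the same access
    from the role ruleset (with derived membership) as from the UID ruleset."""
    after, unmapped = migrate_ruleset(entries, uid_to_role)
    if unmapped:
        return False
    return all(
        effective_access(entries, uids, set())
        == effective_access(after, uids, derive_roles(uids, uid_to_role))
        for uids in logonids.values()
    )


if __name__ == "__main__":
    after, unmapped = migrate_ruleset(PAYROLL_UID_RULES, UID_TO_ROLE)
    print("ruleset type after migration:", validate_ruleset(after), "unmapped:", unmapped)
    for lid, uids in LOGONIDS.items():
        print(lid, "roles:", sorted(derive_roles(uids, UID_TO_ROLE)))
    print("access preserved:", migration_preserves_access(PAYROLL_UID_RULES, UID_TO_ROLE, LOGONIDS))
```

Running the block with the constructed data converts the ruleset completely, derives PAYADMIN and FINUSER for USER1 and only FINUSER for USER2, and reports the access as preserved; dropping one mask from `UID_TO_ROLE` makes `migrate_ruleset` return the ruleset unchanged with that mask listed as unmapped, which is how a partial migration would surface ruleset by ruleset.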