Entitlements in AS400 (IBM i) connector

Hi Experts,

I am onboarding the AS400 (IBM i) connector. The application team is not sure about all the access items that should be marked as entitlements in ISC when we onboard this application.

By default, I see SUPGRPPRF and AUTL are marked as entitlements, and for SUPGRPPRF the type added is group (in entitlement schema types).

Please help me understand this connector and finalize the entitlements.

Regards,

Shekhar Das

It depends on whether or not they utilize supplemental group profile (SUPGRPPRF) and whether or not they assign authorization lists (AUTL) directly or if they get inherited from the group profile (GRPPRF). Think of GRPPRF and SUPGRPPRF as group objects and AUTL as individual authorizations that can be tied to those groups.

The last time I had a project with iSeries, the client said that 90%+ of users were all assigned a single GRPPRF upon account creation, and they often did manual changes as needed after that. For this use case, I converted the GRPPRF attribute to an entitlement so that we had something requestable for account creation.

All that being said, you need to find out how they typically provision accounts today and make ISC line up with their practices where possible.


Hi Shekhar,

The connector exposes AUTL and SUPGRPPRF as entitlements because these objects are commonly used to grant and manage access on IBM i systems. For the rest, check with your application team which access items are being granted to user accounts in the IBM system, so that you can mark the required access as entitlements while aggregating the user access.

IHTH 🙂


How is this any different from what I said apart from you having an LLM clean up the format for you?

Not to mention, this time when you posted it you made sure to exclude the part where the LLM was telling you about how to respond.


I changed my previous resolution comments and provided a revised one with the suggested approach to conclude the entitlements in IBM connectors.

@mcheek @pkMishra Thank you very much for your responses.

The application team shared the list of attributes along with SUPGRPPRF. Please find the below list:

SCPAUT, GRPAUT, USRCLS

When I configure these in the Entitlement Type Schema and run aggregation, it shows success but returns zero entitlements. When we check the VA logs, they show it returns null.

Please suggest whether we should add types or directly mark them as entitlements in the account schema.

The next thing that bothers me is whether the connector will be able to add or remove those entitlements.

Regards,

Shekhar Das

You can mark the specific list of entitlements provided by the application under account objects as entitlements.

If you see any missing entitlements in the list, feel free to add them as new attributes under the account schema and change their settings accordingly by marking them as entitlements.

USER DEFINED authority in the authorization list is not supported for provisioning operations. For more information, refer to the link below: Authorization List

I would say configure everything and then test it by removing or adding entitlements on a user account, so that it helps you know which authorized lists are allowed to be added or removed.