Hi all,
we are configuring the RACF connector in SailPoint Identity Security Cloud and we have a question about the Create Account provisioning policy.
Our RACF requirement is that accounts should normally be created as protected users, without assigning a password during the standard account creation process.
In RACF terms, the expected result should be equivalent to creating the user with NOPASSWORD / protected user behavior.
In the SailPoint RACF connector documentation, the Create Profile Provisioning Policy Attributes page lists the following relevant generators/attributes:
- USER_ID
- password
- UG_DEF
The documentation describes the password generator as “The password for RACF”.
This creates a doubt for us, because our RACF process requires accounts to be created without a password, as protected users. Only in rare cases, if a user needs specific interactive access, the password is handled manually by the mainframe team outside the standard SailPoint create account flow.
Our questions are:
1. Does the ISC RACF connector support creating a RACF account as a protected user without providing a password?
2. If yes, what is the recommended configuration in the Create Account provisioning policy?
   - Should the password generator be disabled?
   - Should it be left empty/null?
   - Is there a specific attribute or connector configuration to send NOPASSWORD?
3. If the password field is mandatory in the Create Account policy, what is the recommended approach for customers whose RACF account creation process requires protected users by default?
4. If we provide a password just to satisfy the required field, would the resulting RACF user no longer be considered protected? We want to avoid creating accounts that are not aligned with the RACF security model.
Any guidance or confirmed implementation pattern for this scenario would be appreciated.
Thanks.