Implementing Db2 support for distributed identity filters

A distributed identity filter is a RACF® mapping association between a RACF user ID and one or more distributed user identities. You can use the RACF RACMAP command to associate a distributed user identity with a RACF user ID.

About this task

Db2 provides support for z/OS® identity propagation and distributed identity filters. To use this support, you must create the distributed identity filters in RACF.

Procedure

To create a distributed identity filter:

  1. Activate the RACF general resource IDIDMAP class and enable it for RACLIST processing by issuing the following command:
    SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)
  2. Define a distributed identity filter and associate the distributed user name with a RACF user ID by issuing the RACF RACMAP command.
    To define a filter for a non-LDAP user name, specify the user name as a simple character string, exactly as it is defined in the non-LDAP registry. Suppose that distributed user name 'MARY' is defined in user registry 'Registry01'. To map this user name to RACF user ID 'DB2USER1', issue the following RACMAP command:
    RACMAP ID(DB2USER1) MAP
      USERDIDFILTER(NAME('MARY'))
      REGISTRY(NAME('Registry01'))
      WITHLABEL('Filter for MARY from Registry01')
  3. Refresh the IDIDMAP class profile by issuing the following command:
    SETROPTS RACLIST(IDIDMAP) REFRESH
  4. If necessary, review the distributed identity filter by issuing the following RACMAP LISTMAP command:
    RACMAP ID(DB2USER1) LISTMAP
    If the new filter was created successfully, the following output is returned:
    Mapping information for user DB2USER1:
      Label: Filter for MARY from Registry01
      Distributed Identity User Name Filter:
        >MARY<
      Registry name:
        >Registry01<
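The following added example, which is not part of the Db2 documentation, puts the whole procedure in one place: it generates the SETROPTS and RACMAP command sequence from steps 1 to 3 for a list of filters, and it parses RACMAP LISTMAP output from step 4 to check that a given (user name, registry) pair maps to the expected RACF user ID. The LISTMAP layout it parses, the second filter in the sample output, the apostrophe-doubling rule for TSO quoted strings, and the exact string comparison used by the lookup are assumptions made for this example.

```python
"""Generate the RACMAP command sequence for distributed identity filters and
verify the result against RACMAP LISTMAP output.

Added example; not IBM's code. The LISTMAP layout assumed below follows the
sample on this page (one "Label:" block per filter, values between > and <)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityFilter:
    """One distributed identity filter: (user name, registry) -> RACF user ID."""
    racf_id: str
    user_name: str
    registry: str
    label: str


def tso_quote(value: str) -> str:
    """Quote a string for a TSO command (assumed convention: an embedded
    apostrophe is written as two apostrophes)."""
    return "'" + value.replace("'", "''") + "'"


def racmap_commands(filters):
    """Return the command sequence of the procedure: activate and RACLIST the
    IDIDMAP class, define each filter with RACMAP MAP, then refresh the class."""
    cmds = ["SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)"]
    for f in filters:
        cmds.append(
            f"RACMAP ID({f.racf_id}) MAP "
            f"USERDIDFILTER(NAME({tso_quote(f.user_name)})) "
            f"REGISTRY(NAME({tso_quote(f.registry)})) "
            f"WITHLABEL({tso_quote(f.label)})"
        )
    cmds.append("SETROPTS RACLIST(IDIDMAP) REFRESH")
    return cmds


def parse_listmap(text):
    """Parse RACMAP LISTMAP output into IdentityFilter records.

    A "Label:" line starts a record; the next two >value< lines are taken,
    in order, as the user name filter and the registry name, matching the
    headings shown in the sample output."""
    filters, racf_id, label, values = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Mapping information for user (\S+):", s)
        if m:
            racf_id = m.group(1)
            continue
        if s.startswith("Label:"):
            label, values = s[len("Label:"):].strip(), []
            continue
        m = re.fullmatch(r">(.*)<", s)
        if m and label is not None and racf_id is not None:
            values.append(m.group(1))
            if len(values) == 2:
                filters.append(IdentityFilter(racf_id, values[0], values[1], label))
                label = None
    return filters


def find_racf_id(listmap_text, user_name, registry):
    """Return the RACF user ID whose filter matches this (user name, registry)
    pair, or None. Comparison is an exact, case-sensitive string match
    (assumed here for non-LDAP names; the strings Db2 passes to RACF must
    equal the values stored in the filter)."""
    for f in parse_listmap(listmap_text):
        if f.user_name == user_name and f.registry == registry:
            return f.racf_id
    return None


# Constructed LISTMAP output: the page's MARY filter plus a second, made-up one.
SAMPLE_LISTMAP = """\
Mapping information for user DB2USER1:
  Label: Filter for MARY from Registry01
  Distributed Identity User Name Filter:
    >MARY<
  Registry name:
    >Registry01<
  Label: Filter for JOHN from Registry01
  Distributed Identity User Name Filter:
    >JOHN<
  Registry name:
    >Registry01<
"""

if __name__ == "__main__":
    mary = IdentityFilter("DB2USER1", "MARY", "Registry01",
                          "Filter for MARY from Registry01")
    for cmd in racmap_commands([mary]):
        print(cmd)
    print(find_racf_id(SAMPLE_LISTMAP, "MARY", "Registry01"))   # DB2USER1
    print(find_racf_id(SAMPLE_LISTMAP, "MARY", "Registry02"))   # None
```

Run the generated commands from a TSO session with RACF SPECIAL authority, capture the LISTMAP output, and feed it to `find_racf_id` with the exact user name and registry name strings that the distributed application server will present; a mismatch in case or spelling of the registry name means no filter matches and the connection is not mapped.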

Results

The new filter assigns RACF user ID DB2USER1 when the distributed identity is user MARY from Registry01. When user MARY authenticates at her distributed application server and performs tasks that access a remote Db2 server, Db2 passes distributed user name MARY and registry name Registry01 as character strings to RACF.

During Db2 remote connection processing, Db2 calls the RACF RACROUTE REQUEST=VERIFY ENVIR=CREATE macro service. RACF uses these two values to search the IDIDMAP profiles for a matching filter, so the user name and registry name that Db2 passes must match the values stored in the filter. RACF finds the filter labeled 'Filter for MARY from Registry01' and assigns the DB2USER1 user ID to the connection. The remote connection then executes its transactions with the authority of the DB2USER1 user ID. If auditing is in place, the audit records for these transactions contain RACF user ID DB2USER1, distributed user name MARY, and registry name Registry01, the values that Db2 passed to RACF.