Certificate name filtering
For some applications, directly mapping each client certificate to a user ID is neither practical nor desirable. An alternative is to create one or more certificate name filters using the RACDCERT MAP command. A certificate name filter allows you to associate many certificates with one user ID, based on rules concerning portions of the subject's or issuer's distinguished names in the certificate, such as the subject's corporate affiliation or department. With carefully chosen certificate name filters, a large number of client certificates can be mapped to a limited number of user IDs with very little administrative cost.
This benefit is limited to some degree by a loss of granularity in access control. For example, if you create a certificate name filter to map the certificates of all company employees in the Systems division to user ID SDUSER, then all such employees are given the resource authorizations of the user ID SDUSER. However, you retain full auditing accountability because the subject's and issuer's distinguished names in the client's certificate appear in every audit record created on behalf of the client's unit of work.
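The following batch job is an added example and is not taken from this guide. It creates the Systems division filter described above and a narrower one beneath it, refreshes the in-storage mappings, and lists what was stored. User ID SDUSER comes from the text; the company name (MyCompany), the organizational units, the issuing CA's distinguished name, the second user ID (SDPAYUSR) and the labels are assumed for illustration. It also assumes the DIGTNMAP class is already active and RACLISTed, and that the job runs under a user ID with the RACF authority to issue RACDCERT MAP and SETROPTS.

```jcl
//RACFMAP  JOB (ACCT),'CERT NAME FILTERS',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the RACF documentation. SDUSER is the
//* user ID named in the text; MyCompany, the OU values, the CA DN,
//* SDPAYUSR and the labels are assumptions made for illustration.
//*
//* Filter 1: every certificate whose subject DN ends in
//*   OU=Systems.O=MyCompany.C=US
//* and that was issued by the assumed corporate CA maps to SDUSER.
//* Filter 2: certificates from the Payroll unit inside Systems map
//* to SDPAYUSR instead. A filter with more subject name components
//* is more specific, so it is chosen over filter 1 when both match.
//* The SETROPTS REFRESH makes the new mappings take effect; the
//* LISTMAP shows what was stored for SDUSER.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(SDUSER) MAP                                      +
     SDNFILTER('OU=Systems.O=MyCompany.C=US')                  +
     IDNFILTER('CN=MyCompany Corporate CA.O=MyCompany.C=US')   +
     WITHLABEL('Systems division staff')                       +
     TRUST
  RACDCERT ID(SDPAYUSR) MAP                                    +
     SDNFILTER('OU=Payroll.OU=Systems.O=MyCompany.C=US')       +
     IDNFILTER('CN=MyCompany Corporate CA.O=MyCompany.C=US')   +
     WITHLABEL('Systems payroll staff')                        +
     TRUST
  SETROPTS RACLIST(DIGTNMAP) REFRESH
  RACDCERT ID(SDUSER) LISTMAP
/*
```

The second filter is the practical answer to the loss of granularity noted above: rather than giving every Systems employee the authorizations of SDUSER, a narrower filter carves out the group that needs different access while the broad filter still covers everyone else. Because the filters are matched against the certificate's distinguished names, the LISTMAP output and the audit records still identify the individual certificate holder even though many certificates share one user ID.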
This mapping option is explored in detail in Certificate name filtering.