Function
The R_usermap service enables z/OS® application servers to determine the application user identity associated with a RACF® user ID, or to determine the RACF user ID associated with an application user identity or digital certificate. Identity Propagation is the exception: a user's Distinguished Name and a Registry/Realm Name are used to determine the associated RACF user ID, but not the reverse. Examples of applications supported are Lotus Notes for z/OS and Novell Directory Services (NDS).
This service can only map application user identities which have already been defined to RACF:
- For Lotus Notes for z/OS, the RACF USER profile must have an LNOTES segment containing a short name. This can be added with the ADDUSER or ALTUSER command, or the R_admin callable service.
- For NDS for z/OS, the RACF USER profile must have an NDS segment containing a user name. This can be added with the ADDUSER or ALTUSER command, or the R_admin callable service.
- For digital certificates, the certificate must be associated with a RACF user ID through automatic registration or with the RACDCERT command.
- For Security Server Network Authentication Service, local Kerberos principals require a RACF USER profile with a KERB segment containing a principal name. Foreign Kerberos principals must be defined to RACF using KERBLINK profiles.
- For Identity Propagation, the distributed identity (user's Distinguished Name) must be associated with a RACF user ID. Use the RACMAP command to create the association between the distributed identity and a RACF defined user ID (this association is also known as a ‘filter’).
- For e-mail, the RACF USER profile must have a WORKATTR segment containing an e-mail address. This can be added with the ADDUSER or ALTUSER command, or the R_admin callable service.
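
The prerequisites listed above, shown as an added example that is not part of the original documentation: a batch TSO job (IKJEFT01) that defines each kind of mapping for one user and then lists it back. The job card, the user ID JSMITH, the data set name and every identity value are constructed placeholders, and the job assumes the IDIDMAP class is already active and RACLISTed.

```jcl
//USRMAP   JOB (ACCT),'R_USERMAP PREREQ',CLASS=A,MSGCLASS=X
//* Added example. Job card, user ID JSMITH, data set name and all
//* identity values below are constructed placeholders.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Lotus Notes short name, NDS user name, e-mail address */
 ALTUSER JSMITH LNOTES(SNAME('jsmith'))
 ALTUSER JSMITH NDS(UNAME('jsmith.people.example'))
 ALTUSER JSMITH WORKATTR(WAEMAIL('jsmith@example.com'))
 /* Local Kerberos principal, then a foreign principal via KERBLINK */
 ALTUSER JSMITH KERB(KERBNAME('jsmith'))
 RDEFINE KERBLINK /.../PARTNER.EXAMPLE.COM/jsmith APPLDATA('JSMITH')
 /* Digital certificate held in a data set */
 RACDCERT ID(JSMITH) ADD('JSMITH.CLIENT.CERT') TRUST -
   WITHLABEL('JSMITH client cert')
 /* Identity Propagation filter: DN plus registry/realm name */
 RACMAP ID(JSMITH) MAP -
   USERDIDFILTER(NAME('UID=jsmith,OU=People,O=Example,C=US')) -
   REGISTRY(NAME('ldaps://ldap.example.com')) -
   WITHLABEL('jsmith from example LDAP')
 /* Assumes IDIDMAP is active and RACLISTed; refresh the in-storage copy */
 SETROPTS RACLIST(IDIDMAP) REFRESH
 /* Verify: list back the identities that are now defined to RACF */
 LISTUSER JSMITH NORACF LNOTES NDS KERB WORKATTR
 RACMAP ID(JSMITH) LISTMAP
 RACDCERT ID(JSMITH) LIST
/*
```

Reviewing the LISTUSER, RACMAP LISTMAP and RACDCERT LIST output is also a quick audit of which external identities resolve to a given RACF user ID, since each mapping grants that identity the user ID's authority.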