z/OS Security Server RACF Security Administrator's Guide


Using a many-to-one match

SA23-2289-00

A filter that maps the same RACF® user ID to multiple distributed users contains filter values that are specified in any of the following ways.
  • The registry name value is specified as a single asterisk (X'5C') to indicate that any registry name matches the registry portion of the filter.
    • When you specify the registry name in this way and you specify a user name value, the distributed user's name must exactly match the user name value in the user portion of the filter.
    • When you specify each of the user and registry name values as an asterisk, any distributed user's name from any registry matches the filter.

      This type of filter is called a default RACMAP filter. For more information, see Adding a default RACMAP filter.

  • The user name is specified in one of the following ways:
    • As an X.500 distinguished name (DN) that includes selected RDNs that are common to multiple distributed users. Depending on the particular LDAP registry, the specified DN would likely omit the UID or CN components.
      • When you specify the user name in this way and you also specify a registry name value, the distributed user's registry must exactly match the registry name value in the filter, and the distributed user's name must match one or more RDNs in the user name value of the filter, in the manner described in Details about searching for a filter that matches a user's DN.
      • When you specify the user name in this way and you specify an asterisk as the registry name, any user's DN that matches one or more RDNs in the user name value of the filter, in the manner described in Details about searching for a filter that matches a user's DN, matches the filter regardless of user registry.

      For an example of how RACF searches for a filter that contains selected RDNs, see Results for defining a filter using selected RDNs.

    • As a single asterisk (X'5C') to indicate that any user name matches the user portion of the filter.
      • When you specify the user name as an asterisk and specify a registry name value, only the distributed user's registry must match the registry name value in the filter. Any distributed user from the specified registry matches the filter.
      • When you specify each of the user and registry name values as an asterisk, any distributed user's name from any registry matches the filter.

        This type of filter is called a default RACMAP filter. For more information, see Adding a default RACMAP filter.
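The filter forms listed above, written as RACMAP commands. This is an added example, not taken from the IBM guide. The RACF user IDs, labels, DN components, and registry names are constructed for illustration, and the sequence assumes the IDIDMAP class is already active and RACLISTed.

```tso
 /* Constructed example: all user IDs, labels, DNs, registries are  */
 /* hypothetical. Each filter maps many distributed users to one ID.*/

 /* Exact user name, any registry */
 RACMAP ID(JSMITH) MAP -
   USERDIDFILTER(NAME('jsmith')) -
   REGISTRY(NAME('*')) -
   WITHLABEL('jsmith from any registry')

 /* Selected RDNs (UID/CN omitted), exact registry */
 RACMAP ID(PAYUSR) MAP -
   USERDIDFILTER(NAME('OU=Payroll,O=Example,C=US')) -
   REGISTRY(NAME('ldaps://ldap.example.com')) -
   WITHLABEL('Payroll users, one registry')

 /* Selected RDNs, any registry */
 RACMAP ID(PAYANY) MAP -
   USERDIDFILTER(NAME('OU=Payroll,O=Example,C=US')) -
   REGISTRY(NAME('*')) -
   WITHLABEL('Payroll users, any registry')

 /* Any user name, exact registry */
 RACMAP ID(LDAPUSR) MAP -
   USERDIDFILTER(NAME('*')) -
   REGISTRY(NAME('ldaps://ldap.example.com')) -
   WITHLABEL('Any user from one registry')

 /* Default RACMAP filter: any user name, any registry */
 RACMAP ID(DFLTUSR) MAP -
   USERDIDFILTER(NAME('*')) -
   REGISTRY(NAME('*')) -
   WITHLABEL('Default filter')

 /* Refresh the in-storage profiles so the new filters take effect */
 SETROPTS RACLIST(IDIDMAP) REFRESH

 /* Review what is mapped to the broadest ID */
 RACMAP ID(DFLTUSR) LISTMAP
```

Because the last three filters match users by registry alone or by nothing at all, the authority granted to LDAPUSR and DFLTUSR is the authority every matching distributed user receives.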





Copyright IBM Corporation 1990, 2014