When a distributed user authenticates on a Web-based application server and takes an action that causes a supported transaction to be sent to the z/OS® system, RACF® receives the user's distributed user and registry names as character strings of UTF-8 data. When the IDIDMAP class is active and RACLISTed, RACF uses the UTF-8 data to search IDIDMAP profiles for the distributed identity filter that contains the name values best matching the data. When the best matching filter is found, RACF assigns a RACF user ID.

You can specify user and registry name values in the distributed identity filter to map a RACF user ID using a one-to-one match or a many-to-one match. In other words, you can define a filter that assigns a RACF user ID to only one distributed user, or you can define a filter that assigns the same RACF user ID to multiple distributed users.