Define the user name portion of the
distributed identity filter using
the USERDIDFILTER operand. You can specify the user name in any of
the following three formats.
- As a single asterisk (X'5C') to indicate that any user
name matches this portion of the filter.
- As a simple character string, such as a user ID or user name defined
in a non-LDAP registry.
- As a character string that represents an X.500 distinguished name
(DN), as defined by RFC 2253 from the Internet Engineering Task Force
(IETF).
A DN consists of one or more relative distinguished names (RDNs).
Each RDN consists of an attribute type and attribute value, separated
by an equal sign (=). RDNs are separated by a comma (,).
When you specify the user name as an X.500 DN, you must specify the
value in its canonical form, as it is defined within the user registry
with the RDNs specified in their correct sequence.
For example, for users of WebSphere® Application Server applications,
the canonical form of the user name must match the value returned by
the WSCredential interface method called getUniqueSecurityName().
Note: When you specify the user name as an X.500 DN, the name is
normalized before it is stored in the IDIDMAP profile. The normalized
form of the DN appears in the output of the RACMAP LISTMAP command.
For details about how the DN is normalized, see the description of the
USERDIDFILTER operand of the RACMAP MAP function in z/OS Security
Server RACF Command Language Reference.
Examples of user names:
USERDIDFILTER(NAME('DENICE'))
USERDIDFILTER(NAME('UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US'))
USERDIDFILTER(NAME('OU=Accounting,O=BobsMart,C=US'))
USERDIDFILTER(NAME('*'))
For complete syntax details for defining the USERDIDFILTER value
using the RACMAP command, see z/OS Security Server RACF Command Language Reference.
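The following pre-check is an added example, not IBM or RACF code. It sorts a candidate NAME value into the three formats listed above, splits a DN into its RDNs in the order written, and flags a DN whose RDNs are out of sequence relative to the registry's canonical value. The function names are hypothetical, attribute types are compared without regard to case as an assumption, and the check does not reproduce the normalization that RACMAP applies.

```python
import re

# RFC 2253 attribute type: a descriptor (letter, then letters/digits/hyphens) or a dotted OID.
ATTR_TYPE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\Z")

def split_rdns(name):
    """Split on commas, skipping commas that are backslash-escaped or inside double quotes."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):  # escaped pair: keep both characters together
            cur += name[i:i + 2]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    return parts + [cur]

def parse_dn(name):
    """Return [(TYPE, value), ...] in the order written, or None if any RDN is not type=value."""
    rdns = []
    for rdn in split_rdns(name):
        attr, eq, value = rdn.partition("=")
        if not eq or not ATTR_TYPE.match(attr.strip()) or not value:
            return None
        rdns.append((attr.strip().upper(), value))  # assumption: types compared case-insensitively
    return rdns

def classify_name(name):
    """Return 'any', 'dn' or 'simple'; 'suspect' marks a DN-like string that fails to parse."""
    if name == "*":
        return "any"
    if parse_dn(name) is not None:
        return "dn"
    return "suspect" if "=" in name else "simple"

def out_of_sequence(candidate, registry_dn):
    """True when both DNs hold the same RDNs but the candidate lists them in a different order."""
    a, b = parse_dn(candidate), parse_dn(registry_dn)
    return a is not None and b is not None and a != b and sorted(a) == sorted(b)
```

A 'suspect' result, such as a value where one comma-separated part lacks an equal sign, is worth reviewing before the filter is defined, because it would otherwise be treated as a simple string.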
The user name value is stored in the IDIDMAP profile as the profile
name in UTF-8 data. For information about the encoded UTF-8 data in
IDIDMAP profiles, see Restrictions for UTF-8 data values.
For details about how RACF® matches the distributed user's registry
and user name with your specified filter values, see How RACF matches
filter values.