A distributed identity filter is a mapping association between a RACF® user ID and one or more distributed user identities, as they are known to Web-based application servers and defined in distributed user registries.

A distributed identity filter consists of one or more components of a distributed user's name and the name of the registry where the user is defined. When you define the filter using the RACMAP command, you associate (or map) a distributed user identity with a RACF user ID.

When users attempt to access a z/OS® subsystem using a distributed identity, RACF receives distributed user information from authorized applications and uses distributed identity filters to determine the RACF user ID. RACF also uses filter information to support SMF logging of both the RACF user ID and the original identity of the distributed user.

Note: Distributed identity filters are unrelated to certificate name filters. (See Certificate name filtering). An installation might choose to implement either distributed identity filters or certificate name filters, both types of filters, or neither.