z/OS Security Server RACF Security Administrator's Guide


Steps for defining a filter for a full X.500 DN

SA23-2289-00

Before you begin:
  • Verify the distributed user and registry names. (See Details about specifying user and registry names.)
  • Verify that the RACF® user ID mapped by this filter is already defined to RACF. Review its user attributes, groups, and access authorities.
Perform the following steps to define a distributed identity filter that specifies the distributed user's name using all RDNs of the user's X.500 distinguished name.
  1. Issue the RACMAP command with the MAP function.
    Example:
    RACMAP ID(RLCOOK) MAP
      USERDIDFILTER(NAME('UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US'))
      REGISTRY(NAME('ldaps://us.bobsmarturl.com'))
      WITHLABEL('Accounting boss')

  2. Activate the IDIDMAP class and enable it for RACLIST processing.
    Example:
    SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP) 
    If the IDIDMAP class is already active and enabled for RACLIST processing, refresh the IDIDMAP class profiles instead.
    Example:
    SETROPTS RACLIST(IDIDMAP) REFRESH

  3. Review the new distributed identity filter.
    Example:
    RACMAP ID(RLCOOK) LISTMAP
    Results:
    Mapping information for user RLCOOK:
     Label: Accounting boss
     Distributed Identity User Name Filter:
       >UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US<
     Registry name:
       >ldaps://us.bobsmarturl.com<

You have implemented a distributed identity filter that specifies the user name as a full X.500 distinguished name. This filter assigns the RACF user ID RLCOOK to only one distributed identity that matches all RDNs of the user name and matches the LDAP URL specified as the registry name.

If you want to map other users in the same organization who have lower levels of access authority, you might add additional filters. For examples, see Steps for defining a filter using selected RDNs.
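The following Python model is an added illustration, not code from the RACF manual or from IBM. It shows why the full-DN filter defined above selects exactly one distributed identity while a selected-RDN filter (as in the referenced topic) selects every identity beneath that subtree. The matching rules it implements (the identity's DN must end with the filter's RDNs, the registry name must be identical, and the filter with the most RDNs wins) are modelling assumptions chosen to reflect the behaviour described on this page, not a description of RACF internals; the staff user ID ACCTUSR and the second identity are constructed sample data.

```python
"""Added example (not IBM's code): a model of how a RACMAP distributed
identity filter selects identities.  Matching rules (suffix match on
RDNs, exact registry-name match, most specific filter wins) are
modelling assumptions, not RACF internals.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dn(dn: str) -> list:
    """Split an X.500 DN string into (attribute, value) RDN pairs.

    Backslash-escaped characters (e.g. '\\,' inside a value) are kept
    literal; whitespace around each RDN is stripped (assumption).
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                      # previous char was a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":                  # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")   # attribute types never contain '='
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


@dataclass(frozen=True)
class IdentityFilter:
    """One RACMAP mapping: USERDIDFILTER name + REGISTRY name -> RACF user ID."""
    racf_user: str
    label: str
    user_rdns: tuple        # RDNs taken from the filter's NAME, in order
    registry: str


def define_filter(racf_user: str, label: str, name: str, registry: str) -> IdentityFilter:
    """Models RACMAP ID(racf_user) MAP USERDIDFILTER(NAME(name)) REGISTRY(NAME(registry))."""
    return IdentityFilter(racf_user, label, tuple(parse_dn(name)), registry)


def filter_matches(f: IdentityFilter, identity_dn: str, registry: str) -> bool:
    """An identity matches when its registry name is identical and its DN
    ends with the filter's RDNs.  A filter holding the full DN therefore
    requires every RDN to be present and equal; a filter holding only the
    trailing RDNs (OU=..., O=..., C=...) accepts any identity in that subtree.
    """
    if registry != f.registry:
        return False
    rdns = tuple(parse_dn(identity_dn))
    n = len(f.user_rdns)
    return n <= len(rdns) and rdns[-n:] == f.user_rdns


def resolve(filters: list, identity_dn: str, registry: str) -> Optional[str]:
    """Return the RACF user ID of the most specific matching filter
    (the one with the most RDNs), or None when no filter applies."""
    hits = [f for f in filters if filter_matches(f, identity_dn, registry)]
    if not hits:
        return None
    return max(hits, key=lambda f: len(f.user_rdns)).racf_user


# Constructed sample data mirroring the page's RACMAP example.
REGISTRY = "ldaps://us.bobsmarturl.com"
BOSS = define_filter("RLCOOK", "Accounting boss",
                     "UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US", REGISTRY)
# A selected-RDN filter for the rest of the department (user ID ACCTUSR is constructed).
STAFF = define_filter("ACCTUSR", "Accounting staff",
                      "OU=Accounting,O=BobsMart,C=US", REGISTRY)
FILTERS = [BOSS, STAFF]

if __name__ == "__main__":
    for dn, reg in [
        ("UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US", REGISTRY),
        ("UID=AliceW,CN=Alice Wong,OU=Accounting,O=BobsMart,C=US", REGISTRY),
        ("UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US", "ldap://us.bobsmarturl.com"),
    ]:
        print(f"{dn} @ {reg} -> {resolve(FILTERS, dn, reg)}")
```

Note the third sample identity: the DN is identical to the filter, but the registry name differs (ldap:// rather than ldaps://), so no filter applies and no RACF user ID is assigned. That is the property the page relies on: the full-DN filter plus the exact registry name pins RLCOOK to one identity from one registry, and any broader mapping for the department has to be an explicit, separate filter.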

Copyright IBM Corporation 1990, 2014