Before you begin:
- Verify the distributed user and registry names. (See Details about specifying user and registry names.)
- Verify that the RACF® user ID mapped by this filter is already defined to RACF. Review its user attributes, groups, and access authorities.
Perform the following steps to define a distributed identity filter that specifies the distributed user's name using all RDNs of the user's X.500 distinguished name.
- Issue the RACMAP command with the MAP function.
Example:
RACMAP ID(RLCOOK) MAP
USERDIDFILTER(NAME('UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US'))
REGISTRY(NAME('ldaps://us.bobsmarturl.com'))
WITHLABEL('Accounting boss')
______________________________________________________________________
- Activate the IDIDMAP class and enable it for RACLIST processing.
Example:
SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)
If the IDIDMAP class is already active and enabled for RACLIST processing, refresh the IDIDMAP class profiles.
SETROPTS RACLIST(IDIDMAP) REFRESH
______________________________________________________________________
- Review the new distributed identity filter.
Example:
RACMAP ID(RLCOOK) LISTMAP
Results:
Mapping information for user RLCOOK:
Label: Accounting boss
Distributed Identity User Name Filter:
>UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US<
Registry name:
>ldaps://us.bobsmarturl.com<
______________________________________________________________________
You have implemented a distributed identity filter that specifies the user name as a full X.500 distinguished name. This filter assigns the RACF user ID RLCOOK to only one distributed identity that matches all RDNs of the user name and matches the LDAP URL specified as the registry name.
If you want to map other users in the same organization who have
lower levels of access authority, you might add additional filters.
For examples, see Steps for defining a filter using selected RDNs.
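
One way to script the review in step 3, as an added example that is not part of the original documentation: the Python below parses the LISTMAP output format shown above and reports any difference from the intended full-DN filter, including an unexpected extra mapping on the user ID. It assumes each mapping repeats the block shown (a Label line, then each value on its own line between > and <) and compares names as exact strings; parse_listmap and check_mapping are hypothetical helper names.

```python
import re

# Constructed sample: the LISTMAP output shown in step 3 of this page.
SAMPLE_LISTMAP = """\
Mapping information for user RLCOOK:
Label: Accounting boss
Distributed Identity User Name Filter:
>UID=BobC,CN=Bob Cook,OU=Accounting,O=BobsMart,C=US<
Registry name:
>ldaps://us.bobsmarturl.com<
"""

def parse_listmap(text):
    """Return (user_id, [mapping dicts]) from RACMAP LISTMAP output.

    Assumption: each mapping is a Label line followed by the filter and
    registry headings, each value on its own line between '>' and '<'.
    """
    user_id, mappings, pending = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Mapping information for user (\S+):$", line)
        if m:
            user_id = m.group(1)
        elif line.startswith("Label:"):
            mappings.append({"label": line[len("Label:"):].strip()})
        elif line == "Distributed Identity User Name Filter:":
            pending = "filter"
        elif line == "Registry name:":
            pending = "registry"
        elif line.startswith(">") and line.endswith("<") and pending and mappings:
            mappings[-1][pending] = line[1:-1]  # strip the '>' and '<' markers
            pending = None
    return user_id, mappings

def check_mapping(text, user_id, dn, registry):
    """List the ways the output differs from the intended full-DN filter."""
    found_user, mappings = parse_listmap(text)
    problems = []
    if found_user != user_id:
        problems.append(f"output is for {found_user!r}, expected {user_id!r}")
    if len(mappings) != 1:
        problems.append(f"expected exactly 1 mapping, found {len(mappings)}")
    for m in mappings:
        if m.get("filter") != dn:
            problems.append(f"{m.get('label')!r}: filter is {m.get('filter')!r}")
        if m.get("registry") != registry:
            problems.append(f"{m.get('label')!r}: registry is {m.get('registry')!r}")
    return problems
```

An empty list from check_mapping means the user ID carries exactly the one intended mapping; any entry names the label whose filter or registry differs.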