z/OS Security Server RACF Security Administrator's Guide


Steps for defining a filter using selected RDNs

SA23-2289-00

Before you begin:
  • Verify the distributed user and registry names. (See Details about specifying user and registry names.)
  • Verify that the RACF® user IDs mapped by these filters are already defined to RACF. Review their user attributes, groups, and access authorities.
Perform the following steps to define a distributed identity filter that specifies selected RDNs of an X.500 distinguished name.
  1. Issue the RACMAP command with the MAP function.
    Example:
    RACMAP ID(ACCTUSER) MAP 
      USERDIDFILTER(NAME('OU=Accounting,O=BobsMart,C=US'))
      REGISTRY(NAME('ldaps://us.bobsmarturl.com')) 
      WITHLABEL('Accounting office workers') 

    Note: The user name in this example is based on the DN from the example in Steps for defining a filter for a full X.500 DN, and omits the most specific RDNs for UID and CN.


  2. Activate the IDIDMAP class and enable it for RACLIST processing.
    Example:
    SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP) 
    If the IDIDMAP class is already active and enabled for RACLIST processing, refresh the IDIDMAP class profiles.
    SETROPTS RACLIST(IDIDMAP) REFRESH


  3. Review the new distributed identity filter.
    Example:
    RACMAP ID(ACCTUSER) LISTMAP 
    Results:
    Mapping information for user ACCTUSER:                        
     Label: Accounting office workers                             
     Distributed Identity User Name Filter:                       
       >OU=Accounting,O=BobsMart,C=US<                            
     Registry name:                                               
       >ldaps://us.bobsmarturl.com<                   


You have implemented a distributed identity filter that specifies the user name as a string of selected RDNs of an X.500 distinguished name. This filter assigns the RACF user ID ACCTUSER to any distributed identity that matches the selected components specified in the user name and matches the LDAP URL specified as registry name.

If you want to map other users in the same organization who have lower levels of access authority, you might add additional filters. Because every distributed identity that matches a filter runs with the attributes, group memberships, and access authorities of the mapped RACF user ID, a broader filter (one with fewer RDNs) should map to a user ID with no more authority than the narrower filters it sits beneath.

For example, if all DNs in the us.bobsmarturl.com registry contain the O=BobsMart,C=US RDNs, you might map all users in the us.bobsmarturl.com registry by adding another filter as follows:
RACMAP ID(BOBSUSER) MAP 
  USERDIDFILTER(NAME('O=BobsMart,C=US'))
  REGISTRY(NAME('ldaps://us.bobsmarturl.com')) 
  WITHLABEL('All BobsMart employees') 
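
The following is an added example, not code from this guide or from RACF. It models how the two filters above coexist: a distributed identity matches a filter when its registry name is identical to the filter's REGISTRY value and the filter's RDNs are the trailing (least specific) RDNs of its DN, and when more than one filter matches, the one with the most RDNs is selected. That selection rule, exact case-sensitive comparison, and the sample DNs (jdoe, asmith, and the C=CA and eu.bobsmarturl.com cases) are assumptions constructed for the example; the filters, user IDs, labels and registry URL are the ones on this page.

```python
"""Model of distributed identity filter matching for the RACMAP filters on this page.

Added example, not IBM code. Assumptions: a filter matches when the registry is
identical and the filter's RDNs are the trailing RDNs of the DN; the most specific
(longest) matching filter wins; comparisons are exact and case-sensitive.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    user_id: str     # RACF user ID named on RACMAP ID(...)
    dn_filter: str   # USERDIDFILTER(NAME(...)) value: selected trailing RDNs
    registry: str    # REGISTRY(NAME(...)) value: the LDAP URL
    label: str       # WITHLABEL(...) value


# The two filters defined on this page.
REGISTRY = "ldaps://us.bobsmarturl.com"
FILTERS = [
    Filter("ACCTUSER", "OU=Accounting,O=BobsMart,C=US", REGISTRY, "Accounting office workers"),
    Filter("BOBSUSER", "O=BobsMart,C=US", REGISTRY, "All BobsMart employees"),
]


def split_rdns(dn: str) -> List[str]:
    """Split an X.500 DN into RDNs on unescaped commas, most specific RDN first.

    A backslash escapes the next character, so 'CN=Doe\\, Jane' stays one RDN.
    """
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape and the escaped character
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def filter_matches(dn: str, registry: str, f: Filter) -> bool:
    """True when the registry is identical and the filter's RDNs end the DN."""
    if registry != f.registry:
        return False
    want = split_rdns(f.dn_filter)
    have = split_rdns(dn)
    return len(want) <= len(have) and have[-len(want):] == want


def select_user_id(dn: str, registry: str, filters: List[Filter]) -> Optional[Tuple[str, str]]:
    """Return (RACF user ID, label) of the most specific matching filter, or None.

    None models the case where no filter applies and no RACF user ID is assigned.
    """
    matches = [f for f in filters if filter_matches(dn, registry, f)]
    if not matches:
        return None
    best = max(matches, key=lambda f: len(split_rdns(f.dn_filter)))
    return best.user_id, best.label


if __name__ == "__main__":
    # Constructed sample identities; the UID/CN values are not from the guide.
    samples = [
        ("UID=jdoe,CN=Jane Doe,OU=Accounting,O=BobsMart,C=US", REGISTRY),
        ("UID=asmith,CN=Al Smith,OU=Shipping,O=BobsMart,C=US", REGISTRY),
        ("UID=x,CN=X,OU=Accounting,O=BobsMart,C=CA", REGISTRY),
        ("UID=jdoe,CN=Jane Doe,OU=Accounting,O=BobsMart,C=US", "ldaps://eu.bobsmarturl.com"),
    ]
    for dn, reg in samples:
        print(f"{dn} @ {reg} -> {select_user_id(dn, reg, FILTERS)}")
```

Note that the accounting DN is matched by both filters and is assigned ACCTUSER only because the more specific filter is preferred; the shipping DN falls through to BOBSUSER, and a DN from another country or another registry gets no user ID at all, which is why the labels and the authority of the mapped user IDs deserve review before the filters are activated.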

If general Web users also access the system, you might also consider adding a default RACMAP filter. For information, see Adding a default RACMAP filter.





Copyright IBM Corporation 1990, 2014