Before you begin:
- Verify the distributed user and registry names. (See Details about specifying user and registry names.)
- Verify that the RACF® user IDs mapped by these filters are already defined to RACF. Review their user attributes, groups, and access authorities.
Perform the following steps to define a distributed identity filter that specifies selected RDNs of an X.500 distinguished name.
- Issue the RACMAP command with the MAP function.
Example:
RACMAP ID(ACCTUSER) MAP
USERDIDFILTER(NAME('OU=Accounting,O=BobsMart,C=US'))
REGISTRY(NAME('ldaps://us.bobsmarturl.com'))
WITHLABEL('Accounting office workers')
Note: The user name in this example is based on the DN from the example in Steps for defining a filter for a full X.500 DN, and omits the most specific RDNs for UID and CN.
______________________________________________________________________
- Activate the IDIDMAP class and enable it for RACLIST processing.
Example:
SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)
If the IDIDMAP class is already active and enabled for RACLIST processing, refresh the IDIDMAP class profiles.
SETROPTS RACLIST(IDIDMAP) REFRESH
______________________________________________________________________
- Review the new distributed identity filter.
Example:
RACMAP ID(ACCTUSER) LISTMAP
Results:
Mapping information for user ACCTUSER:
Label: Accounting office workers
Distributed Identity User Name Filter:
>OU=Accounting,O=BobsMart,C=US<
Registry name:
>ldaps://us.bobsmarturl.com<
______________________________________________________________________
You have implemented a distributed identity filter that specifies the user name as a string of selected RDNs of an X.500 distinguished name. This filter assigns the RACF user ID ACCTUSER to any distributed identity that matches the selected components specified in the user name and matches the LDAP URL specified as registry name.
If you want to map other users in the same organization who have lower levels of access authority, you might add additional filters. For example, if all DNs in the us.bobsmarturl.com registry contain the O=BobsMart,C=US RDNs, you might map all users in the us.bobsmarturl.com registry by adding another filter as follows:
RACMAP ID(BOBSUSER) MAP
USERDIDFILTER(NAME('O=BobsMart,C=US'))
REGISTRY(NAME('ldaps://us.bobsmarturl.com'))
WITHLABEL('All BobsMart employees')
If general Web users also access the system, you might also consider
adding a default RACMAP filter. For information, see Adding a default RACMAP filter.
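The following Python model is an added illustration, not RACF code and not part of this documentation, of how the two filters above (ACCTUSER for OU=Accounting,O=BobsMart,C=US and BOBSUSER for O=BobsMart,C=US) resolve an incoming distributed identity. It assumes a simplified matching model: the user name is compared as a case-sensitive string, a filter that lists only selected RDNs matches any DN whose least specific (trailing) RDNs equal those RDNs, the registry name must match exactly, and the most specific matching filter wins. The filter table, the sample DNs, and the helper names are constructed for this example.

```python
"""Simplified model of how RACF distributed identity filters resolve a DN.

Illustrative code written for this page, not RACF's own implementation.
Assumptions: the distributed user name is matched as a case-sensitive
string; a filter that lists only selected RDNs matches a DN whose least
specific (trailing) RDNs equal those RDNs; the registry name must match
exactly; the most specific matching filter wins.
"""
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class IdidmapFilter:
    racf_user: str   # RACF user ID the filter assigns (RACMAP ID(...))
    user_name: str   # USERDIDFILTER(NAME(...)): full DN or selected RDNs
    registry: str    # REGISTRY(NAME(...)): LDAP URL of the registry
    label: str       # WITHLABEL(...)


# Constructed filter table mirroring the two RACMAP commands on this page.
FILTERS = (
    IdidmapFilter("ACCTUSER", "OU=Accounting,O=BobsMart,C=US",
                  "ldaps://us.bobsmarturl.com", "Accounting office workers"),
    IdidmapFilter("BOBSUSER", "O=BobsMart,C=US",
                  "ldaps://us.bobsmarturl.com", "All BobsMart employees"),
)


def split_rdns(dn: str) -> list[str]:
    """Split a DN string into RDNs, most specific first.

    Assumption: RDN values contain no escaped commas.
    """
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def candidate_names(dn: str) -> Iterator[str]:
    """Yield the full DN, then the DN with its most specific RDN removed,
    one RDN at a time, until only the least specific RDN remains."""
    rdns = split_rdns(dn)
    for i in range(len(rdns)):
        yield ",".join(rdns[i:])


def resolve_racf_user(dn: str, registry: str,
                      filters=FILTERS) -> Optional[str]:
    """Return the RACF user ID assigned by the most specific matching filter,
    or None when no filter matches (where a default filter would apply)."""
    by_key = {(f.user_name, f.registry): f for f in filters}
    for name in candidate_names(dn):
        hit = by_key.get((name, registry))
        if hit is not None:
            return hit.racf_user
    return None


if __name__ == "__main__":
    # Constructed sample identities presented by an LDAP registry.
    for sample in ("UID=jsmith,CN=John Smith,OU=Accounting,O=BobsMart,C=US",
                   "UID=kmoore,CN=Kim Moore,OU=Sales,O=BobsMart,C=US"):
        print(sample, "->", resolve_racf_user(sample, "ldaps://us.bobsmarturl.com"))
```

Because the full DN is tried first and RDNs are then removed from the most specific end, an Accounting user resolves to ACCTUSER even though the broader BOBSUSER filter also matches, while a Sales user falls through to BOBSUSER; an identity from a different registry matches neither filter.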