Interpreting the X.500 directory information tree
z/OS Security Server RACF Security Administrator's Guide, SA23-2289-00
When you use certificate name filtering, RACF® can let several users share the same user ID on your system, selected by the subject's distinguished name and the issuer's distinguished name contained in their X.509 certificates. The subject's and issuer's distinguished names for three sample certificates are listed in Table 1, shown in the address form used by RACF (components separated by periods, with the most specific component first and the root, typically the country, last):
The distinguished names contained in the certificates shown in Table 1 are represented in the X.500 directory
information tree shown in Figure 1. For a
list of the components of the subject's X.509 distinguished name,
see the syntax of the RACDCERT command in z/OS Security Server RACF Command Language Reference.
Figure 1. Example of an X.500
directory information tree
Now, let's look at the left branch of the tree in Figure 1 as representing a hierarchical organization, with each level of the tree, or node, representing a different level within an organization. For example, Agneta works in the Sales department in New York for the US division of the World Sales Corporation.

If viewed as a hierarchy of user groups, each level of the tree might represent increased access authority, with each group consisting of the groups below it. For example, as an employee of World Sales, Agneta might have access to the internal phone numbers of all World Sales employees. As a member of the US division, she might also have access to the US division internal Web site, in addition to the phone numbers of all employees. Being in New York might allow her to run sales reports for the New York office, as well as to access the Web site and employee phone numbers. Being in the Sales department might allow her to place customer orders, in addition to all other access authorities.

You can associate a user ID with each node in a directory information tree using certificate name filtering. Each user ID can represent a number of users, each of whom has one or more digital certificates. Therefore, you can administer several certificates and the access authorities for several users through a single user ID. For each node that you associate with a user ID, you create a certificate name filter that contains a partial or full distinguished name, depending on where the node falls in the hierarchy: a filter naming only the root-side components (for example, the organization and country) covers every certificate under that node, while a full distinguished name covers exactly one subject.
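The following Python program is an added illustration of the node-to-user-ID mapping described above; it is not RACF code and does not reproduce the certificates in Table 1. It models a filter as a partial or full distinguished name in RACF address form that must match the root-side tail of the certificate's subject (and optionally issuer) distinguished name, component by component, and it assumes that when several filters match, the most specific one (the one naming the most components) selects the user ID. The tree, filter names, user IDs and certificate names below are constructed for the example.

```python
"""Simulated certificate name filtering over an X.500 directory information tree.

Added example, not RACF code.  Assumptions made here:
  * DNs are in RACF address form: components separated by '.', most specific
    component first, root (C=...) last.  Values containing '.' are not handled.
  * A filter matches when it equals the root-side tail of the DN, component by
    component.  Attribute names compare case-insensitively, values exactly.
  * When several filters match, the most specific one (most components across
    the subject and issuer filters) wins.  This mirrors the hierarchy in the
    text; the exact selection rule RACF applies is documented in the RACDCERT
    command reference, not in this example.
"""
from typing import List, Optional, Tuple

DN = List[Tuple[str, str]]
# (subject filter, issuer filter or None, user ID) -- one entry per tree node
Filter = Tuple[str, Optional[str], str]


def parse_dn(dn: str) -> DN:
    """Split an address-form DN into (attribute, value) pairs, leaf first."""
    parts: DN = []
    for component in dn.split("."):
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        attr, value = component.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def filter_matches(dn: str, filter_dn: str) -> bool:
    """True when filter_dn equals the root-side tail of dn.

    A full-DN filter therefore matches only that one DN; a partial filter
    such as 'OU=US.O=World Sales Corp.C=US' matches every DN beneath that node.
    """
    subject, flt = parse_dn(dn), parse_dn(filter_dn)
    if len(flt) > len(subject):
        return False
    return subject[len(subject) - len(flt):] == flt


def map_to_userid(subject_dn: str, issuer_dn: str, filters: List[Filter]) -> Optional[str]:
    """Return the user ID of the most specific filter matching both DNs, or None.

    A filter with no issuer part matches certificates from any issuer, so in a
    real deployment the issuer filter is what keeps a certificate from an
    untrusted CA, carrying a well-chosen subject, from mapping to the user ID.
    """
    best: Optional[str] = None
    best_specificity = -1
    for sdn_filter, idn_filter, userid in filters:
        if not filter_matches(subject_dn, sdn_filter):
            continue
        if idn_filter is not None and not filter_matches(issuer_dn, idn_filter):
            continue
        specificity = len(parse_dn(sdn_filter))
        if idn_filter is not None:
            specificity += len(parse_dn(idn_filter))
        if specificity > best_specificity:
            best, best_specificity = userid, specificity
    return best


# Constructed tree: World Sales Corp -> US division -> New York -> Sales.
# Each node is a filter tied to a user ID; the issuer filter pins every node
# to the corporate CA (assumed name), so only its certificates map at all.
CORP_CA = "CN=Corporate CA.O=World Sales Corp.C=US"
FILTERS: List[Filter] = [
    ("O=World Sales Corp.C=US", CORP_CA, "WSALES"),
    ("OU=US.O=World Sales Corp.C=US", CORP_CA, "WSUS"),
    ("L=New York.OU=US.O=World Sales Corp.C=US", CORP_CA, "WSUSNY"),
    ("OU=Sales.L=New York.OU=US.O=World Sales Corp.C=US", CORP_CA, "WSNYSALE"),
]

if __name__ == "__main__":
    agneta = "CN=Agneta.OU=Sales.L=New York.OU=US.O=World Sales Corp.C=US"
    print(map_to_userid(agneta, CORP_CA, FILTERS))                   # WSNYSALE
    print(map_to_userid(agneta, "CN=Other CA.O=Other.C=US", FILTERS))  # None
```

Running the block maps Agneta's constructed certificate to the Sales-department user ID because that filter names the most components; a certificate from outside the Sales department but still in New York falls back to the New York node, and one whose issuer is not the corporate CA maps to nothing, which is the behaviour a practitioner should check before relying on a partial subject filter.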
Copyright IBM Corporation 1990, 2014