z/OS Security Server RACF Security Administrator's Guide


Interpreting the X.500 directory information tree

SA23-2289-00

When you use certificate name filtering, RACF® provides the ability to allow several users to share the same user ID on your system based on the subject's distinguished name and the issuer's distinguished name as contained in X.509 certificates. The subject's distinguished names and issuer's distinguished names for three sample certificates are listed in Table 1 and are shown in the address form used by RACF:
Table 1. Subject's and issuer's distinguished names

Subject's distinguished name                                        | Issuer's distinguished name
CN=Agneta Berglund.OU=Sales.OU=New York.OU=US.O=World Sales Corp   | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet
CN=Hiro Ogura.OU=Admin.OU=New York.OU=US.O=World Sales Corp        | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet
CN=Timo Kokkonen.OU=Sales.OU=Los Angeles.OU=US.O=World Sales Corp  | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet
The distinguished names contained in the certificates shown in Table 1 are represented in the X.500 directory information tree shown in Figure 1. For a list of the components of the subject's X.509 distinguished name, see the syntax of the RACDCERT command in z/OS Security Server RACF Command Language Reference.
Figure 1. Example of an X.500 directory information tree
                                        |
                                       / \
                                      /   \
                                     /     \
                                    /       \
                      O=World Sales Corp    L=Internet
                                  /           \
                                 /            O=VeriSign, Inc.
                                /               \
                              OU=US             OU=VeriSign Class 1
                             /     \             Individual Subscriber
                            /       \
                           /         \
                OU=New York         OU=Los Angeles
                /         \                \
               /           \                \
           OU=Sales      OU=Admin        OU=Sales
             /               \                \
            /                 \                \
CN=Agneta Berglund        CN=Hiro Ogura      CN=Timo Kokkonen     

Now, let's look at the left branch of the tree in Figure 1 as representing a hierarchical organization, with each level of the tree, or node, representing a different level within an organization. For example, Agneta works in the Sales department in New York for the US division of the World Sales Corporation. If viewed as a hierarchy of user groups, each level of the tree might represent increased access authority, with each group consisting of the groups below it.

For example, as an employee of World Sales, Agneta might have access to the internal phone numbers of all World Sales employees. As a member of the US division, she might also have access to the US division internal Web site, in addition to the phone numbers of all employees. Being in New York might allow her to run sales reports for the New York office, as well as to access the Web site and employee phone numbers. Being in the Sales department might allow her to place customer orders, in addition to all other access authorities.

You can associate a user ID with each node in a directory information tree using certificate name filtering. Each user ID can represent a number of users, each of whom has one or more digital certificates. Therefore, you can administer several certificates and the access authorities for several users, through a single user ID. For each node that you associate with a user ID, you create a certificate name filter that contains partial or full distinguished names, depending on where the node falls in the hierarchy.
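The following Python model illustrates the idea of the last two paragraphs: each node of the left branch of Figure 1 is given a filter that holds the partial distinguished name from that node up to the root, and a certificate is mapped to the user ID of the most specific filter its subject and issuer names satisfy. This is an added example written for this page, not RACF code and not the RACDCERT MAP command; the matching rule (a filter matches when its components equal the root-side tail of the certificate's name, and the filter with the most components wins) and the user IDs WSCORP, WSUS, WSNY and WSNYSALE are assumptions made for illustration. The distinguished names are the ones from Table 1, in RACF address form.

```python
# Simplified model of certificate name filtering over an X.500 directory
# information tree. Added example; not IBM's code and not RACF's actual
# RACDCERT MAP matching logic, which is documented in the RACF Command
# Language Reference.
import re
from dataclasses import dataclass
from typing import Optional

# In RACF address form the components run from most specific (CN) to least
# specific (O, L) and are separated by ".". A "." counts as a separator only
# when the next characters look like "TYPE=", so "VeriSign, Inc.L=Internet"
# splits before "L=" rather than inside the value.
_SEP = re.compile(r"\.(?=[A-Za-z]+=)")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an address-form DN into (type, value) pairs, most specific first."""
    parts = []
    for comp in _SEP.split(dn):
        typ, _, val = comp.partition("=")
        parts.append((typ.strip().upper(), val.strip()))
    return parts


def dn_matches_filter(dn: str, filt: str) -> bool:
    """A filter matches when its components equal the root-side tail of the DN.

    E.g. the node filter "OU=New York.OU=US.O=World Sales Corp" matches every
    certificate whose subject ends in those three components.
    """
    d, f = parse_dn(dn), parse_dn(filt)
    return len(f) <= len(d) and d[len(d) - len(f):] == f


@dataclass(frozen=True)
class NameFilter:
    """One node of the tree associated with a user ID (assumed model)."""
    userid: str
    subject: Optional[str] = None  # partial or full subject DN, or None
    issuer: Optional[str] = None   # partial or full issuer DN, or None

    def specificity(self) -> int:
        # More components = deeper node in the tree = more specific filter.
        n = len(parse_dn(self.subject)) if self.subject else 0
        n += len(parse_dn(self.issuer)) if self.issuer else 0
        return n


def map_certificate(subject: str, issuer: str,
                    filters: list[NameFilter]) -> Optional[str]:
    """Return the user ID of the most specific matching filter, or None."""
    candidates = [
        f for f in filters
        if (f.subject is None or dn_matches_filter(subject, f.subject))
        and (f.issuer is None or dn_matches_filter(issuer, f.issuer))
    ]
    if not candidates:
        return None  # no filter applies; the certificate maps to no user ID
    return max(candidates, key=NameFilter.specificity).userid


# Issuer name from Table 1 (shared by all three certificates).
VERISIGN = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"

# Constructed filters: one per node on the path World Sales Corp -> US ->
# New York -> Sales. The user IDs are assumptions for this example.
SAMPLE_FILTERS = [
    NameFilter("WSCORP", subject="O=World Sales Corp", issuer=VERISIGN),
    NameFilter("WSUS", subject="OU=US.O=World Sales Corp", issuer=VERISIGN),
    NameFilter("WSNY", subject="OU=New York.OU=US.O=World Sales Corp",
               issuer=VERISIGN),
    NameFilter("WSNYSALE",
               subject="OU=Sales.OU=New York.OU=US.O=World Sales Corp",
               issuer=VERISIGN),
]

# Subject names from Table 1.
AGNETA = "CN=Agneta Berglund.OU=Sales.OU=New York.OU=US.O=World Sales Corp"
HIRO = "CN=Hiro Ogura.OU=Admin.OU=New York.OU=US.O=World Sales Corp"
TIMO = "CN=Timo Kokkonen.OU=Sales.OU=Los Angeles.OU=US.O=World Sales Corp"

if __name__ == "__main__":
    for name, subj in (("Agneta", AGNETA), ("Hiro", HIRO), ("Timo", TIMO)):
        print(f"{name:7} -> {map_certificate(subj, VERISIGN, SAMPLE_FILTERS)}")
```

Running the block maps Agneta to WSNYSALE (deepest matching node), Hiro to WSNY (he is in Admin, so the Sales filter does not apply) and Timo to WSUS (Los Angeles has no filter of its own). A certificate with the same subject but a different issuer maps to nothing, which is the point of including the issuer's name in the filter: the user ID is shared only among certificates from the issuer the administrator chose to trust.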

Copyright IBM Corporation 1990, 2014