z/OS Security Server RACF Security Administrator's Guide


Example

SA23-2289-00

The RACDCERT MAP command shown in Figure 1 creates a subject's and issuer's name filter based on the partial subject's distinguished name and the full issuer's name.
Figure 1. Sample RACDCERT MAP command for creating a subject's and issuer's name filter
RACDCERT ID(NYADMIN) MAP WITHLABEL('NY ADMIN') TRUST
   SDNFILTER('OU=Admin.OU=New York.OU=US.O=World Sales Corp')
   IDNFILTER('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
SETROPTS RACLIST(DIGTNMAP) REFRESH

This filter contains the portion of the subject's distinguished name that identifies the user as an employee of the Administration department in the New York office of the US division of the World Sales Corporation, and the full issuer's distinguished name that identifies the issuer as VeriSign Class 1. Based on this filter, RACF® will associate the user ID NYADMIN with any user who presents a certificate issued by VeriSign Class 1 that contains this significant portion of the subject's distinguished name, provided that the user does not have an individual certificate registered with RACF.

Therefore, if the users Timo and Hiro, whose certificate information is shown in Table 1, present certificates while all defined name filters are in effect, the following will result:
  1. Hiro will be associated with the user ID NYADMIN, based on the filter labeled 'NY ADMIN'.
  2. Timo will be associated with the user ID WEBUSER, based on the filter labeled 'INTERNET OTHERS'.
    Note: If either Hiro or Timo had individual certificates registered to RACF, they would have been assigned the user ID specified when the certificates were registered.
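
The lookup described above, modelled in Python as an added example (not IBM or RACF code). It assumes that a filter matches when it equals the trailing portion of a name starting at a node boundary, that the most specific matching filter wins, and that 'INTERNET OTHERS' is an issuer-only filter; the subject names for Hiro and Timo are constructed because Table 1 is not shown here.

```python
ISSUER = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"

# (label, user ID, subject filter or None, issuer filter). The first row is
# Figure 1. The 'INTERNET OTHERS' row is an assumption: the page gives its
# label and user ID but not its definition.
FILTERS = [
    ("NY ADMIN", "NYADMIN",
     "OU=Admin.OU=New York.OU=US.O=World Sales Corp", ISSUER),
    ("INTERNET OTHERS", "WEBUSER", None, ISSUER),
]

# Constructed subject names in the period-separated form used by the filters.
HIRO = "CN=Hiro.OU=Admin.OU=New York.OU=US.O=World Sales Corp"
TIMO = "CN=Timo.OU=Sales.OU=New York.OU=US.O=World Sales Corp"


def tail_matches(dn, flt):
    """True if flt is the trailing portion of dn, starting at a node boundary."""
    return dn == flt or dn.endswith("." + flt)


def resolve(subject, issuer, registered=None):
    """Return (user ID, reason) for a presented certificate.

    registered is a stand-in for certificates registered individually with
    RACF: a dict mapping a subject name to the user ID it was registered to.
    """
    # An individually registered certificate takes precedence over any filter.
    if registered and subject in registered:
        return registered[subject], "registered certificate"
    hits = [f for f in FILTERS
            if tail_matches(issuer, f[3])
            and (f[2] is None or tail_matches(subject, f[2]))]
    if not hits:
        return None, "no mapping"
    # Modelling assumption: the filter with the longest subject portion wins.
    label, user, _, _ = max(hits, key=lambda f: len(f[2] or ""))
    return user, "filter '%s'" % label


if __name__ == "__main__":
    for name, dn in (("Hiro", HIRO), ("Timo", TIMO)):
        print(name, resolve(dn, ISSUER))
```

Running the same function over every subject name the issuer is known to have certified shows how many users a partial-name filter such as 'NY ADMIN' would place under one shared user ID.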





Copyright IBM Corporation 1990, 2014