Example
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
Michael's Music Company has two Web-based applications: an online royalties application, and an online inventory application. The company has contracted VeriSign to issue certificates to its users, one certificate for each user. When one of the company's users connects to the royalties application, the user's certificate should be assigned the ROYALID user ID. When one of the company's users connects to the inventory application, the user's certificate should be assigned the INVID user ID.

The RACDCERT MAP and RDEFINE commands shown in Figure 1 create a full issuer's name filter that maps these two user IDs based on the application being accessed by the user of the certificate. The RACDCERT command uses the MULTIID option to specify additional criteria contained in the DIGTCRIT class using the predefined variable &APPLID. The RDEFINE commands create two profiles in the DIGTCRIT class that associate each APPLID value with the user ID indicated by the APPLDATA value.
Figure 1. Sample RACDCERT MAP and RDEFINE commands for mapping multiple user IDs
You can display mapping information for a MULTIID filter using
the RACDCERT LISTMAP command with the LABEL option. For example:
Figure 2 shows sample output based
on this RACDCERT LISTMAP command.
Figure 2. Sample output from the LISTMAP command for a MULTIID filter
For details about using the RACDCERT MAP command with the MULTIID option, RACDCERT LISTMAP, and the RDEFINE command, see z/OS Security Server RACF Command Language Reference.

If a user certificate is used for additional applications and should be associated with a user ID for these applications, you can create a generic DIGTCRIT profile named APPLID=* to cover all other applications. For example, the addition of the following DIGTCRIT profile to the MULTIID filter created in Figure 1 specifies that the ALLAPPS user ID should be associated with all certificates used to access all other applications.
Note: If the caller
of the initACEE callable service does not specify
the APPLID variable, only the APPLID=* profile in
the DIGTCRIT class will be used to determine the RACF® user ID.
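
The lookup described above, as an added example: a simplified Python model, not RACF code and not taken from the IBM guide. It substitutes the application ID into the APPLID=&APPLID criteria, prefers a specific DIGTCRIT profile, falls back to APPLID=*, and handles a missing APPLID as in the Note. The application IDs ROYALAPP, INVAPP and PAYROLL and the function names are constructed placeholders; the user IDs come from the text.

```python
# Simplified model of MULTIID user ID resolution; not RACF's implementation.
CRITERIA_TEMPLATE = "APPLID=&APPLID"  # criteria built on the predefined &APPLID variable
GENERIC = "APPLID=*"                  # generic DIGTCRIT profile covering other applications

# DIGTCRIT profile name -> APPLDATA (user ID). ROYALAPP and INVAPP are
# constructed placeholder application IDs; the user IDs are from the text.
DIGTCRIT = {
    "APPLID=ROYALAPP": "ROYALID",
    "APPLID=INVAPP": "INVID",
    GENERIC: "ALLAPPS",
}


def resolve(applid, profiles=DIGTCRIT):
    """Return (user_id, how) for a certificate that matched the MULTIID filter."""
    if applid:  # caller supplied APPLID: try the specific profile first
        name = CRITERIA_TEMPLATE.replace("&APPLID", applid)
        if name != GENERIC and name in profiles:
            return profiles[name], "specific"
    # No APPLID supplied, or no specific profile: only APPLID=* can apply.
    if GENERIC in profiles:
        return profiles[GENERIC], "catch-all"
    # Assumption of this model: with no applicable profile, no user ID is assigned.
    return None, "unmapped"


def review(applids, profiles=DIGTCRIT):
    """List applications whose certificates do not get a dedicated user ID."""
    findings = []
    for applid in applids:
        user_id, how = resolve(applid, profiles)
        if how != "specific":
            findings.append((applid, how, user_id))
    return findings


if __name__ == "__main__":
    # Constructed sample: two known applications, one new one (PAYROLL), and
    # one caller that passes no APPLID at all (None).
    for applid in ("ROYALAPP", "INVAPP", "PAYROLL", None):
        print(applid, "->", resolve(applid))
    print(review(["ROYALAPP", "PAYROLL", None]))
```

Running review over the application IDs in use shows which applications would share the ALLAPPS user ID through the generic profile.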
Copyright IBM Corporation 1990, 2014