z/OS Security Server RACF Security Administrator's Guide


Examples

SA23-2289-00

The RACDCERT MAP commands shown in Figure 1 create two subject's name filters based on partial subject's distinguished names.
Figure 1. Sample RACDCERT MAP commands for creating subject's name filters
RACDCERT ID(NYSALES) MAP WITHLABEL('NY SALES REPS') TRUST 
   SDNFILTER('OU=Sales.OU=New York.OU=US.O=World Sales Corp')
RACDCERT ID(NYUSER)  MAP WITHLABEL('NY OTHERS') TRUST 
   SDNFILTER('OU=New York.OU=US.O=World Sales Corp')
SETROPTS RACLIST(DIGTNMAP) REFRESH

The filter labeled 'NY SALES REPS' contains the portion of the subject's distinguished name that identifies the user as an employee of the Sales department in the New York office of the US division of the World Sales Corporation. Based on this filter, RACF® associates the user ID NYSALES with any user who presents a certificate containing this significant portion of the subject's distinguished name and who does not have an individual certificate registered with RACF.

The filter labeled 'NY OTHERS' contains the portion of the subject's distinguished name that identifies the user as an employee in the New York office of the US division of the World Sales Corporation. Based on this filter, RACF associates the user ID NYUSER with any user who presents a certificate containing this significant portion of the subject's distinguished name and who does not have an individual certificate registered with RACF.

Users who present certificates whose subject's distinguished names match both filters are associated with the user ID of the most specific filter. In this case, the most specific filter is the one labeled 'NY SALES REPS'. For example, if the users Agneta and Hiro, whose certificate information is shown in Table 1, present certificates while these two subject's name filters are in effect, the following will result:
  1. Agneta will be associated with the user ID NYSALES, based on the filter labeled 'NY SALES REPS'.
  2. Hiro will be associated with the user ID NYUSER, based on the filter labeled 'NY OTHERS'.
Note: If either Agneta or Hiro had an individual certificate registered with RACF, that user would have been assigned the user ID specified when the certificate was registered.
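
The precedence described above (individual certificate first, then the most specific matching filter) can be checked offline before filters are activated. The following Python sketch is an added example, not IBM or RACF code: it assumes a filter matches when its RDNs are the trailing RDNs of the subject's distinguished name, and the function names and sample subject names are constructed for illustration.

```python
# Simplified model of the precedence rule described above; not RACF code.
# Assumptions: DNs use the period-delimited form shown in Figure 1, no RDN
# value contains a period, and RDNs are compared exactly (RACF's own
# normalization is not modelled).

FILTERS = {  # label -> (SDNFILTER value, user ID), copied from Figure 1
    "NY SALES REPS": ("OU=Sales.OU=New York.OU=US.O=World Sales Corp", "NYSALES"),
    "NY OTHERS": ("OU=New York.OU=US.O=World Sales Corp", "NYUSER"),
}


def rdns(dn):
    """Split a period-delimited DN into its list of RDNs."""
    return [part.strip() for part in dn.split(".") if part.strip()]


def resolve(subject_dn, registered=None, filters=FILTERS):
    """Return (user_id, reason) for a presented certificate's subject DN.

    registered maps a subject DN to the user ID of an individually
    registered certificate, which takes precedence over any filter.
    """
    if registered and subject_dn in registered:
        return registered[subject_dn], "individual certificate"
    subject = rdns(subject_dn)
    best = None  # (number of RDNs in filter, label, user ID)
    for label, (sdn, user_id) in filters.items():
        wanted = rdns(sdn)
        # A filter matches when its RDNs are the trailing RDNs of the subject.
        if len(wanted) <= len(subject) and subject[-len(wanted):] == wanted:
            if best is None or len(wanted) > best[0]:
                best = (len(wanted), label, user_id)
    if best is None:
        return None, "no matching filter"
    return best[2], "filter " + best[1]


# Constructed subject DNs (Table 1 values are not reproduced here).
SAMPLE_SALES = "CN=Sample Rep.OU=Sales.OU=New York.OU=US.O=World Sales Corp"
SAMPLE_OTHER = "CN=Sample Clerk.OU=Payroll.OU=New York.OU=US.O=World Sales Corp"
SAMPLE_OUTSIDE = "CN=Sample Rep.OU=Sales.OU=Boston.OU=US.O=World Sales Corp"

if __name__ == "__main__":
    for dn in (SAMPLE_SALES, SAMPLE_OTHER, SAMPLE_OUTSIDE):
        print(dn, "->", resolve(dn))
```

Running a list of expected subject names through a model like this shows which certificates would fall through to the broader 'NY OTHERS' mapping and which would match no filter at all.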





Copyright IBM Corporation 1990, 2014