z/OS Security Server RACF Security Administrator's Guide


Details for processing an issuer's name filter with multiple criteria

SA23-2289-00

For example, if a customer accesses the Jamal's Bank system using an unregistered user certificate, RACF®, specifically the initACEE callable service, completes the following sequence to process multiple criteria using a DIGTCRIT profile.
  1. The sequence shown in How RACF processes certificate name filters is followed, until the full issuer's name is used to check for a matching profile in the DIGTNMAP class, to determine if there is an applicable certificate name filter.
    Result: A DIGTNMAP profile is found to match:
    OU=Jamal's Bank General Subscriber.O=VeriSign, Inc.L=Internet
  2. The criteria definitions, SYSID=&SYSID.ENCRLVL=&ENCRLVL are found in the DIGTNMAP profile, and the supplied values are substituted for each variable: SYSID=SYSA and ENCRLVL=LOW.
    Result: A DIGTCRIT profile is found to match:
    SYSID=SYSA.ENCRLVL=*
  3. Processing by initACEE continues using the user ID GENERAL for the customer's certificate.
    Note: In this example, if the application calling the initACEE callable service does not pass the ENCRLVL variable, only the SYSID= value is used to determine the user ID. Therefore, the DIGTCRIT profile named SYSID=SYSA.ENCRLVL=* is found to match, and the user ID GENERAL is still used for the customer's certificate.
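
The following sketch models steps 2 and 3 and the case in the Note. It is an added example, not IBM or RACF code. The function names are hypothetical, and the model assumes that a variable the application does not pass resolves to an empty value, that `*` accepts any value including an empty one, and that names with fewer wildcards are tried first.

```python
import re

# Constructed data that mirrors the names used in the steps above.
CRITERIA_TEMPLATE = "SYSID=&SYSID.ENCRLVL=&ENCRLVL"      # held in the DIGTNMAP profile
DIGTCRIT_PROFILES = {"SYSID=SYSA.ENCRLVL=*": "GENERAL"}  # profile name -> user ID


def substitute(template, supplied):
    """Replace each &NAME variable with the value the application supplied.
    Assumption: a variable that is not passed resolves to an empty value."""
    return re.sub(r"&(\w+)", lambda m: supplied.get(m.group(1), ""), template)


def split_criteria(name):
    """Split 'A=x.B=y' into ordered (key, value) pairs."""
    return [tuple(part.split("=", 1)) for part in re.split(r"\.(?=\w+=)", name)]


def profile_matches(profile, resolved):
    """True if every criterion agrees; '*' accepts any value, including empty."""
    p, r = split_criteria(profile), split_criteria(resolved)
    return len(p) == len(r) and all(
        pk == rk and pv in ("*", rv) for (pk, pv), (rk, rv) in zip(p, r)
    )


def resolve_user(supplied, profiles=DIGTCRIT_PROFILES, template=CRITERIA_TEMPLATE):
    """Return (resolved criteria name, matching profile, user ID)."""
    resolved = substitute(template, supplied)
    # Assumption of this model: names with fewer wildcards are tried first.
    for name in sorted(profiles, key=lambda n: n.count("=*")):
        if profile_matches(name, resolved):
            return resolved, name, profiles[name]
    return resolved, None, None


if __name__ == "__main__":
    for supplied in ({"SYSID": "SYSA", "ENCRLVL": "LOW"},  # step 2 values
                     {"SYSID": "SYSA"},                    # ENCRLVL not passed
                     {"SYSID": "SYSB", "ENCRLVL": "LOW"}): # constructed non-match
        print(supplied, "->", resolve_user(supplied))
```

Because `ENCRLVL=*` accepts every value, the model maps the certificate to GENERAL whatever encryption level is supplied, which is the behavior the Note describes.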





Copyright IBM Corporation 1990, 2014