z/OS Security Server RACF System Programmer's Guide


Controlling access of shared user IDs

SA23-2287-00

A certificate mapping profile maps an issuer's distinguished user name to an Internet user ID, and certificate mapping profiles can map many certificates to the same user ID. A certificate that matches a mapping profile receives full use of that user ID: the user has the same rights and privileges as the user ID being used.

In some cases, this is not the correct thing to do. For example:
  • The shared user ID might need access to a resource that is not normally granted to the shared ID but is normally accessed by the individual user who is using the ID.
  • The shared user ID might have access to a resource that is not normally granted to the individual user who is using the shared ID, in which case the access should be denied.

Using the RACROUTE REQUEST=FASTAUTH preprocessing exits (ICHRFX01 and ICHRFX03), you can check the X500 name (ACEEX5PR) to determine which accesses and privileges the user should have. The X500 name helps to identify the user of a shared user ID in the cases where a security context (ACEE) was created from a certificate through certificate name filtering or hostid mapping. The X500 name is meaningful for auditing purposes only.

To override the privileges normally granted to the shared user ID, you need to write a preprocessing exit that works as follows:

  1. The exit examines the user ID and the contents of the X500 name.
  2. The X500 name (ACEEX5PR) points to a control block containing the issuer's and the subject's distinguished name.
  3. The exit compares these contents and permits or denies access to resources based on the privileges of the specific user who is using the shared user ID.
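As an added illustration, not code from this manual (the real exit is assembler), the following Python models the decision such an exit makes from the user ID, the issuer's and subject's distinguished names that ACEEX5PR points to, and the resource being checked; every user ID, distinguished name, resource name and policy rule in it is constructed for the example.

```python
"""Model of a FASTAUTH preprocessing-exit decision for a shared user ID.

Not RACF code: the real exit (ICHRFX01/ICHRFX03) is assembler.  This only
models the decision it makes from the user ID, the X500 name that ACEEX5PR
points to, and the resource being checked.  All names and rules are constructed.
"""
from dataclasses import dataclass

ALLOW, DENY, DEFER = "ALLOW", "DENY", "DEFER"  # DEFER: leave normal RACF checking alone


@dataclass(frozen=True)
class X500Name:
    issuer: str   # issuer's distinguished name
    subject: str  # subject's distinguished name


def rdns(dn):
    """Normalize a DN string for comparison (attribute case, whitespace, order).
    Simplified: escaped commas inside values are not handled."""
    return frozenset(
        (attr.strip().upper(), value.strip().casefold())
        for attr, value in (part.split("=", 1) for part in dn.split(",") if "=" in part)
    )


# Constructed policy: (shared user ID, issuer DN, subject DN) -> {resource: decision}
POLICY = {
    ("WEBUSER", "CN=Example CA,O=Example", "CN=Alice,OU=Payroll,O=Example"):
        {"PAYROLL.LEDGER": ALLOW},  # case 1: Alice gets a resource WEBUSER normally lacks
    ("WEBUSER", "CN=Example CA,O=Example", "CN=Bob,OU=Guest,O=Example"):
        {"WEBUSER.CONFIG": DENY},   # case 2: Bob is denied a resource WEBUSER normally has
}


def exit_decision(userid, x500, resource, policy=POLICY):
    """What the exit returns for one access check: ALLOW, DENY or DEFER."""
    if x500 is None:  # ACEE was not built from a certificate: nothing to compare
        return DEFER
    for (uid, issuer, subject), rules in policy.items():
        if (uid == userid and rdns(issuer) == rdns(x500.issuer)
                and rdns(subject) == rdns(x500.subject)):
            return rules.get(resource, DEFER)
    return DEFER


def authorized(normal_result, userid, x500, resource):
    """Final answer: the exit's decision overrides what RACF would normally grant."""
    decision = exit_decision(userid, x500, resource)
    return normal_result if decision == DEFER else decision == ALLOW
```

When the ACEE was not built from a certificate, or no rule matches, the model defers to RACF's normal result, which is the safe default for an exit that only overrides specific cases.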

Copyright IBM Corporation 1990, 2014