Controlling access of shared user IDs
z/OS Security Server RACF System Programmer's Guide SA23-2287-00
The certificate mapping profile maps an issuer's distinguished user name to an Internet user ID. Certificate mapping profiles map many certificates to the same user ID. A certificate that fits the mapping profile receives full use of that user ID, meaning that the certificate's user has the same rights and privileges as the user ID being used. In some cases, this might not be the correct thing to do. For example,
Using the RACROUTE REQUEST=FASTAUTH preprocessing exits (ICHRFX01 and ICHRFX03), you can check the X500 name (ACEEX5PR) to determine which accesses and privileges the user should have. The X500 name helps to identify the user of a shared user ID in the cases where a security context (ACEE) was created from a certificate through certificate name filtering or hostid mapping. The X500 name is meaningful for auditing purposes only. To override the privileges normally granted to the shared user ID, you need to write a preprocessing exit.
Copyright IBM Corporation 1990, 2014