

CRITERIA Keyword—Additional Filter Criteria

Valid on z/OS.

Use the CRITERIA keyword to define additional criteria that act as a filter to assign users to a MULTIID. CRITERIA is used only with the MULTIID special ACID on a TSS ADD CERTMAP command. It indicates that variable data, in addition to the distinguished name in the user's digital certificate, is used to select the ACID assigned to the user when the filter is matched.

The criteria data must be defined in the CRITMAP record to identify the ACID associated with a certificate. The CRITERIA operands act as a template and CA Top Secret automatically substitutes the actual values. Once the substitution is made, the fully expanded criteria template is used as a resource name to find a matching profile defined in the CRITMAP SDT records. One or more variable names may be specified for the CRITERIA value.

The special ACID name MULTIID, together with the CRITERIA keyword, tells CA Top Secret that when the subject and/or issuer name information matches, it must search the CRITMAP records for a match on application name before assigning an ACID to the user.

This keyword has the following format:

TSS ADDTO(MULTIID) CERTMAP(recid)
                  SDNFILTR('subjectdistnamefilter')
                  IDNFILTR('issuerdistnamefilter')
                  CRITERIA(CNFAPP=&CNFAPP.SYSID=&SYSID.variablename1=&name1
                           .variablename2=&name2...)

The application ID (CNFAPP) and the system identifier (SYSID) are defined by CA Top Secret. When a user presents a certificate to the system for identification, the identity of the application and the system the user is trying to access become part of the criteria. The application passes its identity to CA Top Secret, and CA Top Secret determines the system identifier. The system identifier is the four-character value specified for the SID parameter of the SMFPRMxx member of SYS1.PARMLIB. These values are substituted for &CNFAPP and &SYSID in the criteria.

CNFAPP

Application identifier. Defined by CA Top Secret.

SYSID

System identifier. Defined by CA Top Secret.

variable name

CA Top Secret users can define their own variables as follows:

CRITERIA(variable name1=&name1.variable name2=&name2...)

Specify the variable name, followed by the variable for which a value is substituted, which begins with an ampersand (&). Criteria are separated by periods.

This keyword is used with:

Examples: CRITERIA keyword

In this example, the user whose subject's distinguished name matches the SDNFILTR is assigned NYDEPT2B or NYDEPT2R, depending upon what application was used to access the system. If access was gained through the BUSINESS application, NYDEPT2B is assigned to the user. If access was gained through the RETAIL application, NYDEPT2R is assigned.

TSS ADDTO(MULTIID) CERTMAP(NYMAP2)
                   LABLCMAP('NY Dept 2 Map')
                   TRUST
                   SDNFILTR('OU=Dept2.OU=NY.OU=Sales.O=ABC Co')
                   CRITERIA(CNFAPP=&CNFAPP)
TSS ADDTO(NYDEPT2B) CRITMAP(NYCRIT2B)
                    CNFAPP(BUSINESS)
TSS ADDTO(NYDEPT2R) CRITMAP(NYCRIT2R)
                    CNFAPP(RETAIL)
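
The template substitution and CRITMAP lookup described above can be modeled offline to check which ACID a given application context resolves to. This is an added example, not CA Top Secret code: the function names, the representation of each CRITMAP record as an expanded criteria string, exact-match comparison, and the SYSID value SYSA are assumptions made for illustration.

```python
# Simplified model of CRITERIA template expansion and CRITMAP lookup.
# Assumptions: profiles are stored as expanded strings and matched exactly.

def parse_template(template):
    """Split 'NAME=&VAR.NAME2=&VAR2' into [(name, var), ...]."""
    pairs = []
    for part in template.split("."):
        name, sep, var = part.partition("=")
        if not sep or not name or not var.startswith("&") or len(var) < 2:
            raise ValueError(f"malformed criterion: {part!r}")
        pairs.append((name, var[1:]))
    return pairs

def expand(template, context):
    """Substitute runtime values for each &variable; return the resource name."""
    out = []
    for name, var in parse_template(template):
        if var not in context:
            raise KeyError(f"no value supplied for &{var}")
        out.append(f"{name}={context[var]}")
    return ".".join(out)

def resolve_acid(template, context, critmap):
    """Return the ACID whose profile equals the expanded template, else None."""
    return critmap.get(expand(template, context))

def unreachable_profiles(template, critmap):
    """Profiles whose criterion names differ from the template can never match."""
    names = [name for name, _ in parse_template(template)]
    bad = []
    for profile in critmap:
        if [p.partition("=")[0] for p in profile.split(".")] != names:
            bad.append(profile)
    return bad

# Constructed data mirroring the NYMAP2 example on this page.
TEMPLATE = "CNFAPP=&CNFAPP"
CRITMAP = {"CNFAPP=BUSINESS": "NYDEPT2B", "CNFAPP=RETAIL": "NYDEPT2R"}

if __name__ == "__main__":
    for app in ("BUSINESS", "RETAIL", "PAYROLL"):
        ctx = {"CNFAPP": app, "SYSID": "SYSA"}  # SYSA is a constructed value
        print(app, "->", resolve_acid(TEMPLATE, ctx, CRITMAP))
    print("unreachable:", unreachable_profiles(TEMPLATE, CRITMAP))
```

In this model an application with no CRITMAP profile (PAYROLL here) resolves to no ACID, and a profile written with criterion names the template never produces is reported as unreachable.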