Rule-Based Certificate Mapping
Rule-based certificate mapping (transaction CERTRULE) enables the mapping of users from parts of the subject or the subject alternative name of an X.509 certificate for a given issuer to the user ID or alias of a user master record. With a few rules, you can enable logon with X.509 certificates for all your users. The tool also enables you to load an X.509 certificate and check if a rule applies to the certificate and if the certificate maps to a user. For individual users that do not map to the rules you create, you can create exceptions.
Once enabled, rule-based mapping replaces manual mapping in the table USREXTID. If you currently use table USREXTID for certificate mapping, use transaction CERTRULE_MIG to create a set of rules based on your current entries.
-
You have the required authorizations. Rule-based certificate mapping requires the following authorization objects:
-
CC control center: System administration ( S_RZL_ADM)
-
Activity 03 grants display authorizations.
-
Activity 01 grants change authorizations.
-
-
User Master Maintenance: User Groups ( S_USER_GRP)
-
Activity 03 grants display authorizations.
-
Activity 02 grants change authorizations.
-
Class: Enter the names of user groups for which the administrator can maintain explicit mappings.
-
-
-
You have enabled the login/ certificate_ mapping_ rulebased profile parameter.
CautionBefore enabling this profile parameter, you must have migrated any entries in the USREXTID table to a mapping rule or explicit mapping.