
Rule-Based Certificate Mapping


Rule-based certificate mapping (transaction CERTRULE) enables the mapping of users from parts of the subject or the subject alternative name of an X.509 certificate for a given issuer to the user ID or alias of a user master record. With a few rules, you can enable logon with X.509 certificates for all your users. The tool also enables you to load an X.509 certificate and check if a rule applies to the certificate and if the certificate maps to a user. For individual users that do not map to the rules you create, you can create exceptions.

Once enabled, rule-based mapping replaces manual mapping in the table USREXTID. If you currently use table USREXTID for certificate mapping, use transaction CERTRULE_MIG to create a set of rules based on your current entries.

  • You have the required authorizations. Rule-based certificate mapping requires the following authorization objects:

    • CC control center: System administration (S_RZL_ADM)

      • Activity 03 grants display authorizations.

      • Activity 01 grants change authorizations.

    • User Master Maintenance: User Groups (S_USER_GRP)

      • Activity 03 grants display authorizations.

      • Activity 02 grants change authorizations.

      • Class: Enter the names of user groups for which the administrator can maintain explicit mappings.

  • You have enabled the login/certificate_mapping_rulebased profile parameter.


    Before enabling this profile parameter, you must have migrated any entries in the USREXTID table to a mapping rule or explicit mapping.
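
The following Python sketch is an added illustration, not SAP code. It models a rule as "for this issuer, take this subject attribute as the user ID" and lists the legacy mappings that no rule or explicit mapping reproduces, which is the coverage check to make before enabling the parameter. The data layout, the function names, the upper-casing of user IDs and the precedence of explicit mappings over rules are assumptions of the model.

```python
import re

def parse_dn(dn):
    """Parse a DN string into an ordered tuple of (ATTR, value); honours '\\,' escapes."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        pairs.append((key.strip().upper(), value.strip().replace("\\,", ",")))
    return tuple(pairs)

def map_certificate(subject, issuer, rules, explicit):
    """Return (user, source) for a certificate, or None if nothing applies."""
    subj, iss = parse_dn(subject), parse_dn(issuer)
    # Assumption of this model: an explicit mapping (exception) wins over rules.
    for e in explicit:
        if parse_dn(e["subject"]) == subj and parse_dn(e["issuer"]) == iss:
            return e["user"], "explicit"
    for rule in rules:
        if parse_dn(rule["issuer"]) != iss:
            continue  # a rule only applies to certificates from its own issuer
        value = dict(subj).get(rule["attribute"].upper())
        if value:
            return value.upper(), "rule"  # assumption: user IDs are upper case
    return None

def uncovered(legacy, rules, explicit):
    """Legacy entries that the rules and explicit mappings do not reproduce."""
    gaps = []
    for entry in legacy:
        result = map_certificate(entry["subject"], entry["issuer"], rules, explicit)
        if result is None or result[0] != entry["user"]:
            gaps.append(entry)
    return gaps

# Constructed sample data (not from a real system).
CA = "CN=Example Issuing CA,O=Example Corp,C=DE"
OTHER_CA = "CN=Partner CA,O=Partner Inc,C=US"
RULES = [{"issuer": CA, "attribute": "CN"}]
EXPLICIT = []
LEGACY = [
    {"subject": "CN=jdoe,OU=Staff,O=Example Corp,C=DE", "issuer": CA, "user": "JDOE"},
    {"subject": "CN=Smith\\, Anna,O=Example Corp,C=DE", "issuer": CA, "user": "ASMITH"},
    {"subject": "CN=bmiller,O=Partner Inc,C=US", "issuer": OTHER_CA, "user": "BMILLER"},
]

if __name__ == "__main__":
    for gap in uncovered(LEGACY, RULES, EXPLICIT):
        print("needs another rule or an explicit mapping:", gap["subject"], "->", gap["user"])
```

In the sample, the second entry fails because its CN does not match the user ID and the third because no rule covers its issuer; both need a further rule or an explicit mapping before the switch.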