With certificate name filtering, distinct client certificates do not have to be defined to RACF for every individual user.
RACDCERT ID(DEPT3USR) MAP SDNFILTER(OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US)
This
sample filter rule would associate user ID DEPT3USR with all certificates
when the distinguished name of the certificate owner contains the
organizational unit DEPT1 and DEPT2, the organization IBM®,
the locality LOC, the state/province NY and the country US.