ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhssoscenario_createfegistrypolicy.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create default registry policy associations" />
<meta name="DC.Relation" scheme="URI" content="rzakhscen2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createidentifierassociations2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_enableregistrieslookup.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhssoscenario_createfegistrypolicy" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create default registry policy associations</title>
</head>
<body id="rzakhssoscenario_createfegistrypolicy"><a name="rzakhssoscenario_createfegistrypolicy"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create default registry policy associations</h1>
<div><div class="section"><p>You want to have all your Microsoft<sup>®</sup> Active Directory users on
the Windows<sup>®</sup> 2000
server map to the user profile, SYSUSERA, on iSeries™ A and to the user profile, SYSUSERB,
on iSeries B. </p>
<p>Fortunately,
you can use policy associations to create mappings directly between a group
of users and a single target user identity. In this case, you can create a
default registry policy association that maps all the user identities (for
which no identifier associations exist) in the MYCO.COM Kerberos registry
to a single i5/OS™ user
profile on iSeries A.</p>
<div class="p">You need two policy associations to accomplish
this goal. Each policy association uses the MYCO.COM user registry definition
as the source of the association. However, each policy association maps user
identities in this registry to different target user identities, depending
on which iSeries system
the Kerberos user accesses:<ul><li> One policy association maps the Kerberos principals in the MYCO.COM user
registry to a target user of SYSUSERA in the target registry of ISERIESA.MYCO.COM. </li>
<li>The other policy association maps the Kerberos principals in the MYCO.COM
user registry to a target user of SYSUSERB in the target registry of ISERIESB.MYCO.COM.</li>
</ul>
</div>
<p>Use the information from your planning work sheets to create
two default registry policy associations.</p>
<div class="note"><span class="notetitle">Note:</span> Before you can use policy
associations, you must first enable the domain to use policy associations
for mapping lookup operations. You can do this as part of the process for
creating your policy associations, as follows:</div>
</div>
<ol><li class="stepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">iSeries A</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span> &gt; <span class="uicontrol">Domain Management</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">MyCoEimDomain</span>, and select <span class="uicontrol">Mapping
policy...</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">General</span> page, select <span class="uicontrol">Enable
mapping lookups using policy associations for domain MyCoEimDomain</span>.</span> <p>Follow these steps to create the default registry policy association
for the users to map to the SYSUSERA user profile on iSeries A:</p>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry</span> page, click <span class="uicontrol">Add</span>.</span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">Add Default Registry Policy Association</span> dialog
box, specify or <span class="uicontrol">Browse...</span> to select the following information,
and click <span class="uicontrol">OK</span>:</span><ol type="a"><li><span><span class="uicontrol">Source registry</span>: <tt>MYCO.COM</tt></span></li>
<li><span><span class="uicontrol">Target registry</span>: <tt>ISERIESA.MYCO.COM</tt></span></li>
<li><span><span class="uicontrol">Target user</span>: <tt>SYSUSERA</tt></span></li>
</ol>
</li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Mapping
Policy</span> dialog box.</span> <p>Follow these steps to create
the default registry policy association for the users to map to the SYSUSERB
user profile on iSeries B:</p>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry</span> page, click <span class="uicontrol">Add</span>.</span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">Add Default Registry Policy Association</span> dialog
box, specify or <span class="uicontrol">Browse...</span> to select the following information,
and click <span class="uicontrol">OK</span>:</span><ol type="a"><li><span><span class="uicontrol">Source registry</span>: <tt>MYCO.COM</tt></span></li>
<li><span><span class="uicontrol">Target registry</span>: <tt>ISERIESB.MYCO.COM</tt></span></li>
<li><span><span class="uicontrol">Target user</span>: <tt>SYSUSERB</tt></span></li>
</ol>
</li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Mapping
Policy</span> dialog box.</span></li>
</ol>
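<p>The following added example is not IBM code and does not call the EIM API. It models the lookup behavior this topic relies on: an identifier association takes precedence, the default registry policy association applies only when the domain has policy lookups enabled, and the configured associations can be compared with the planning work sheet. The <tt>EimDomain</tt> class, its methods, and the <tt>exampleuser</tt> mapping are constructed for illustration.</p>

```python
# Added illustration: a simplified model of an EIM mapping lookup.
# Registry and profile names come from the scenario; everything else is hypothetical.

class EimDomain:
    def __init__(self, name):
        self.name = name
        # Models "Enable mapping lookups using policy associations for domain ..."
        self.policy_lookups_enabled = False
        # (source registry, source user, target registry) maps to a target user.
        # Real EIM links source and target through an EIM identifier; collapsed here.
        self.identifier_assocs = {}
        # (source registry, target registry) maps to a target user.
        self.default_registry_policies = {}

    def add_identifier_association(self, src_reg, src_user, tgt_reg, tgt_user):
        self.identifier_assocs[(src_reg, src_user, tgt_reg)] = tgt_user

    def add_default_registry_policy(self, src_reg, tgt_reg, tgt_user):
        self.default_registry_policies[(src_reg, tgt_reg)] = tgt_user

    def lookup(self, src_reg, src_user, tgt_reg):
        """Return the target user, or None when no mapping applies."""
        specific = self.identifier_assocs.get((src_reg, src_user, tgt_reg))
        if specific is not None:
            return specific  # a specific identifier association always wins
        if not self.policy_lookups_enabled:
            return None      # policy associations exist but are not consulted
        return self.default_registry_policies.get((src_reg, tgt_reg))

    def audit(self, plan):
        """List (key, expected, actual) for every policy that differs from the plan."""
        return [(key, expected, self.default_registry_policies.get(key))
                for key, expected in plan.items()
                if self.default_registry_policies.get(key) != expected]

# The two default registry policy associations described in this topic.
PLAN = {("MYCO.COM", "ISERIESA.MYCO.COM"): "SYSUSERA",
        ("MYCO.COM", "ISERIESB.MYCO.COM"): "SYSUSERB"}

def build_scenario(enable_policies=True):
    domain = EimDomain("MyCoEimDomain")
    domain.policy_lookups_enabled = enable_policies
    for (src_reg, tgt_reg), tgt_user in PLAN.items():
        domain.add_default_registry_policy(src_reg, tgt_reg, tgt_user)
    # Constructed identifier association, present only to show precedence.
    domain.add_identifier_association(
        "MYCO.COM", "exampleuser", "ISERIESA.MYCO.COM", "EXAMPLEUSR")
    return domain
```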
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen2.htm" title="Use the following scenario to become familiar with the prerequisites and objectives for enabling single signon for i5/OS.">Scenario: Enable single signon for i5/OS</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzakhssoscenario_createidentifierassociations2.htm">Create identifier associations for Sharon Jones</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhssoscenario_enableregistrieslookup.htm">Enable registries to participate in lookup operations and to use policy associations</a></div>
</div>
</div>
</body>
</html>