ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahq_5.4.0.1/rzahqeim.htm

114 lines
7.7 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Enterprise Identity Mapping (EIM)</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahqeim"></a>
<h2 id="rzahqeim">Enterprise Identity Mapping (EIM)</h2>
<p><span class="bold">What is EIM?</span></p>
<p>Enterprise Identity Mapping (EIM) is a way to consolidate a user's various
UserIDs and passwords together under a single account. Using it, a user can
log on just once to a system, and then EIM will work together with other services
behind the scenes to authenticate the user to all of his accounts.</p>
<p>This is called a single sign-on environment. Authentication still takes
place whenever users attempt to access a new system; however, they will not
be prompted for passwords. EIM reduces the need for users to keep track of
and manage multiple user names and passwords to access other systems in the
network. Once a user is authenticated to the network, the user can access
services and applications across the enterprise without the need for multiple
passwords to these different systems.</p>
<p>The Information Center has an entire topic devoted to EIM. See <a href="../rzalv/rzalvmst.htm">Enterprise Identity Mapping</a>.</p>
<p>To learn the features of the different ways to enroll users to the Windows
environment, see <a href="rzahqencco.htm#rzahqencco">Types of user configurations</a>.</p>
<p><span class="bold">The EIMASSOC user profile attribute</span></p>
<p>EIMASSOC is a user profile attribute specifically designed to aid in configuring
EIM. At the i5/OS&trade; command prompt type <tt>CHGUSRPRF</tt> and the
user profile name and then press F4 to prompt. Then page down to the very
bottom and you will see a section labled <tt>EIM association</tt>. Here is a summary of what the fields mean:</p>
<ul>
<li><span class="bold">Element 1: EIM identifier</span> This is the UserID that
EIM uses to identify you. Think of it as your Master ID under which all your
other user IDs will be stored. If you specify *USRPRF the system will use
your i5/OS user profile name as the EIM identifier. Alternatively, you can
specify any valid character-string. If you enter *DLT in this field and press
enter, you will be presented with a list of changed options for deleting EIM
associations.</li>
<li><span class="bold">Element 2: Association type</span> This value specifies
how the i5/OS user profile that you are editing will be associated with the EIM
identifier. With Windows environment on iSeries&trade;, the values of *TARGET, *TGTSRC, or
*ALL will allow auto-creation or deletion of i5/OS target and Windows source associations.</li>
<li><span class="bold">Element 3: Association action</span> The special values
are:
<ul>
<li>*REPLACE The Windows source associations will be removed from all EIM
identifiers that have an association for this user profile. For the enrolled
user, a new Windows source association will be added to the specified EIM
identifier.</li>
<li>*ADD For the enrolled user, a Windows source association will be added.</li>
<li>*REMOVE The Windows source association will be removed.</li></ul></li>
<li><span class="bold">Element 4: Create EIM identifier</span> This value specifies
whether the EIM identifier should be created if it does not already exist.
The special values allowed are, *NOCRTEIMID, an EIM identifier will not be
created, or, *CRTEIMID, an EIM identifier will be created if it does not exist.</li></ul>
<p><span class="bold">Automatic and Manual EIM associations</span></p>
<p>In a typical EIM configured environment, which uses single sign-on, i5/OS target associations and Windows source associations are typically defined.
With integrated Windows server user administration, the system administrator
may decide to define enrolled Windows users to have EIM associations automatically
defined. For instance, if an enrolled Windows user has EIMASSOC(*USRPRF *TARGET
*ADD *CRTEIMID) specified, i5/OS will automatically create an i5/OS target and
a Windows source association. The EIMASSOC information is not stored in the
user profile. Also, this information is not saved or restored with the user
profile. And, if the i5/OS system is not configured for EIM, then no association
processing is done and the EIMASSOC information is ignored.</p>
<p>If i5/OS is configured to use EIM and EIMASSOC processing is defined for
the enrolled user, integrated Windows server user administration will auto
create or delete Windows source associations for the user in the Windows EIM
registry. For a user enrolled locally to the Windows environment, the Windows
EIM registry name is the fully qualified, local Domain Name System (DNS) name.
The Windows EIM registry type is defined to be Windows 2000. For users enrolled
to a Windows domain, the Windows registry name is the fully qualified domain
DNS name and the Windows registry type is defined to be Kerberos - case ignore.
If EIMASSOC is defined for a user, and i5/OS is configured to use EIM, and the Windows
EIM registry doesn't exist, integrated Windows server user administration
will create the Windows EIM registry.</p>
<p><span class="bold">Use EIM associations to allow different Windows user profile
names</span></p>
<p>EIM provides a mechanism to associate user profiles in a directory system.
EIM allows for an EIM identifier to have an i5/OS user profile target association defined
and a Windows user profile source association to be defined. It is possible
for a user administrator to define a Windows source association using a different
Windows user profile name than the i5/OS target association user profile name.
Integrated Windows user administration will use the defined EIM Windows source
association Windows user profile, if it exists, for Windows user enrollment.
The i5/OS target association needs to be defined. Using the EIM identifier,
the Windows source association needs to be defined by the administrator. The
Windows source association needs to be defined for the same EIM identifier
in the correct Windows EIM registry name and type. For a user enrolled locally
to Windows, the Windows EIM registry name is the fully qualified, local domain
name server (DNS) name. The Windows EIM registry type is defined to be EIM_REGTYPE_WIN2K.
For users enrolled to a Windows domain, the Windows registry name is the fully
qualified domain DNS name and the Windows registry type is defined to be EIM_REGTYPE_KERBEROS_IG.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>