ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzidentitymapping.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Identity mapping" />
<meta name="abstract" content="Use this information to learn how the identity mapping process works within the single signon environment." />
<meta name="description" content="Use this information to learn how the identity mapping process works within the single signon environment." />
<meta name="DC.Relation" scheme="URI" content="rzamzconcepts.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveservereimid.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveserverregistry.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveserverassoc.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzidentitymapping" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Identity mapping</title>
</head>
<body id="rzamzidentitymapping"><a name="rzamzidentitymapping"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Identity mapping</h1>
<div><p>Use this information to learn how the identity mapping process
works within the single signon environment.</p>
<p>Identity mapping is the process of using defined relationships between
user identities in an enterprise such that applications and operating systems
can map from one user identity to another, related user identity. The ability
to map between identities is essential to single signon enablement, as it
allows you to separate the process of authentication from that of authorization.
Identity mapping allows a user to log on to a system and be authenticated
based on the credentials of one user identity and then be able to access a
subsequent system or resource without having to supply new credentials. Instead,
the authenticated identity is mapped to the appropriate identity for the requested
system or resource. Not only does this make life easier for the user, who
need not supply a second credential for logging on to the second system, but
the authorizations he has for the second system are handled by the appropriate
identity.</p>
<p>To implement single signon, you need to create certain EIM data within
the <a href="../rzalv/rzalveserverdomain.htm">EIM
domain</a> to define the relationships needed to appropriately map identities
within your single signon environment. Doing so ensures that EIM can use that
data to perform <a href="../rzalv/rzalveservereimmaplookup.htm">mapping lookup operations</a> for single signon. You use
EIM to create associations to define the relationships between user identities
in your enterprise. You can create both identifier associations and policy
associations to define these relationships depending on how you want identity
mapping to work.</p>
<div class="section"><h4 class="sectiontitle">Identifier associations</h4><div class="p">Identifier associations
allow you to define a one-to-one relationship between user identities through
an EIM identifier defined for an individual. Identifier associations allow
you to specifically control identity mapping for user identities and are especially
useful when individuals have user identities with special authorities and
other privileges. These associations dictate how the user identities are mapped
from one to another. In a typical identity mapping situation, you create source
associations for authenticating user identities and target associations to
map the authenticating user identity to the appropriate user identities for
authorized access to other systems and resources. For example, you might typically
create the following identifier associations between an EIM identifier and
corresponding user identities for a user: <ul><li>A source association for the user's Kerberos principal, which is the identity
with which the user logs into, and is authenticated to, the network.</li>
<li>Target associations for each user identity in the various user registries
that the user accesses, such as <span class="keyword">Windows<sup>®</sup> 2000</span> user
profiles.</li>
</ul>
 </div>
<p>The following example illustrates how the identity mapping process
works for identifier associations. The security administrator at Myco, Inc
creates an EIM identifier (John Day) for an employee. This EIM identifier
uniquely identifies John Day in the enterprise. The administrator then creates
identifier associations between the John Day identifier and two user identities
that he routinely uses in the enterprise. These associations define how the
user identities are mapped. The administrator creates a source association
for the Windows identity, which is a Kerberos principal,
 and a target association for an <span class="keyword">Windows 2000</span> user
profile. These associations enable his Windows identity to be mapped to his <span class="keyword">Windows 2000</span> user profile.</p>
<p>John Day
uses the appropriate user name and password to log on to his <span class="keyword">Windows 2000</span> workstation
each morning. Once logged on, he starts <span class="keyword">iSeries™ Access for Windows</span> to
use <span class="keyword">Windows 2000</span> to access the <span class="keyword">Windows 2000</span> system. Because single signon
is enabled, the identity mapping process uses his authenticated Windows identity
to find the associated <span class="keyword">Windows 2000</span> user
profile and transparently authenticates and authorizes him to<span class="keyword">Windows 2000</span>.</p>
</div>
<div class="section"><h4 class="sectiontitle">Policy associations</h4><p>Policy associations allow you
to define a many-to-one relationship between a group of user identities in
one or more user registries and a specific individual target user identity
in another user registry. Typically, you use policy associations to map from
a group of users who require the same level of  authority for an application
to a single user identity with the appropriate authority.</p>
<p>The following
example illustrates how identity mapping works when you define policy associations.
A number of workers in the Order Receiving Department of Myco, Inc. all need
the same type of authorization to access a Web-based application that runs
on <span class="keyword">Windows 2000</span> on the server.
These users currently have user identities for this purpose in a single user
registry named Order_app. The administrator creates a default registry policy
association to map all the users in the Order_app user registry to a single <span class="keyword">Windows 2000</span> user profile. This <span class="keyword">Windows 2000</span> user profile, SYSUSER, provides
the minimum authority needed for this group of users. Performing this single
configuration step allows the administrator to ensure that all users of the
Web-based application have the access they need with the proper level of authorization
that they need. However, the administrator also benefits because it eliminates
the need to create and maintain individual <span class="keyword">Windows 2000</span> user
profiles for each user.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzconcepts.htm" title="Use this information to learn about the underlying concepts for single signon for a better understanding of how you can plan to use single signon in your enterprise.">Concepts</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzalv/rzalveservereimid.htm">EIM identifiers</a></div>
<div><a href="../rzalv/rzalveserverregistry.htm">EIM registry definitions</a></div>
<div><a href="../rzalv/rzalveserverassoc.htm">EIM associations</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="concept" />`
			`<meta name="DC.Title" content="Identity mapping" />`
			`<meta name="abstract" content="Use this information to learn how the identity mapping process works within the single signon environment." />`
			`<meta name="description" content="Use this information to learn how the identity mapping process works within the single signon environment." />`
			`<meta name="DC.Relation" scheme="URI" content="rzamzconcepts.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveservereimid.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveserverregistry.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveserverassoc.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="rzamzidentitymapping" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Identity mapping</title>`
			`</head>`
			`<body id="rzamzidentitymapping"><a name="rzamzidentitymapping"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Identity mapping</h1>`
			`<div><p>Use this information to learn how the identity mapping process`
			`works within the single signon environment.</p>`
			`<p>Identity mapping is the process of using defined relationships between`
			`user identities in an enterprise such that applications and operating systems`
			`can map from one user identity to another, related user identity. The ability`
			`to map between identities is essential to single signon enablement, as it`
			`allows you to separate the process of authentication from that of authorization.`
			`Identity mapping allows a user to log on to a system and be authenticated`
			`based on the credentials of one user identity and then be able to access a`
			`subsequent system or resource without having to supply new credentials. Instead,`
			`the authenticated identity is mapped to the appropriate identity for the requested`
			`system or resource. Not only does this make life easier for the user, who`
			`need not supply a second credential for logging on to the second system, but`
			`the authorizations he has for the second system are handled by the appropriate`
			`identity.</p>`
			`<p>To implement single signon, you need to create certain EIM data within`
			`the <a href="../rzalv/rzalveserverdomain.htm">EIM`
			`domain</a> to define the relationships needed to appropriately map identities`
			`within your single signon environment. Doing so ensures that EIM can use that`
			`data to perform <a href="../rzalv/rzalveservereimmaplookup.htm">mapping lookup operations</a> for single signon. You use`
			`EIM to create associations to define the relationships between user identities`
			`in your enterprise. You can create both identifier associations and policy`
			`associations to define these relationships depending on how you want identity`
			`mapping to work.</p>`
			`<div class="section"><h4 class="sectiontitle">Identifier associations</h4><div class="p">Identifier associations`
			`allow you to define a one-to-one relationship between user identities through`
			`an EIM identifier defined for an individual. Identifier associations allow`
			`you to specifically control identity mapping for user identities and are especially`
			`useful when individuals have user identities with special authorities and`
			`other privileges. These associations dictate how the user identities are mapped`
			`from one to another. In a typical identity mapping situation, you create source`
			`associations for authenticating user identities and target associations to`
			`map the authenticating user identity to the appropriate user identities for`
			`authorized access to other systems and resources. For example, you might typically`
			`create the following identifier associations between an EIM identifier and`
			`corresponding user identities for a user: <ul><li>A source association for the user's Kerberos principal, which is the identity`
			`with which the user logs into, and is authenticated to, the network.</li>`
			`<li>Target associations for each user identity in the various user registries`
			`that the user accesses, such as <span class="keyword">Windows<sup>®</sup> 2000</span> user`
			`profiles.</li>`
			`</ul>`
			`</div>`
			`<p>The following example illustrates how the identity mapping process`
			`works for identifier associations. The security administrator at Myco, Inc`
			`creates an EIM identifier (John Day) for an employee. This EIM identifier`
			`uniquely identifies John Day in the enterprise. The administrator then creates`
			`identifier associations between the John Day identifier and two user identities`
			`that he routinely uses in the enterprise. These associations define how the`
			`user identities are mapped. The administrator creates a source association`
			`for the Windows identity, which is a Kerberos principal,`
			`and a target association for an <span class="keyword">Windows 2000</span> user`
			`profile. These associations enable his Windows identity to be mapped to his <span class="keyword">Windows 2000</span> user profile.</p>`
			`<p>John Day`
			`uses the appropriate user name and password to log on to his <span class="keyword">Windows 2000</span> workstation`
			`each morning. Once logged on, he starts <span class="keyword">iSeries™ Access for Windows</span> to`
			`use <span class="keyword">Windows 2000</span> to access the <span class="keyword">Windows 2000</span> system. Because single signon`
			`is enabled, the identity mapping process uses his authenticated Windows identity`
			`to find the associated <span class="keyword">Windows 2000</span> user`
			`profile and transparently authenticates and authorizes him to<span class="keyword">Windows 2000</span>.</p>`
			`</div>`
			`<div class="section"><h4 class="sectiontitle">Policy associations</h4><p>Policy associations allow you`
			`to define a many-to-one relationship between a group of user identities in`
			`one or more user registries and a specific individual target user identity`
			`in another user registry. Typically, you use policy associations to map from`
			`a group of users who require the same level of authority for an application`
			`to a single user identity with the appropriate authority.</p>`
			`<p>The following`
			`example illustrates how identity mapping works when you define policy associations.`
			`A number of workers in the Order Receiving Department of Myco, Inc. all need`
			`the same type of authorization to access a Web-based application that runs`
			`on <span class="keyword">Windows 2000</span> on the server.`
			`These users currently have user identities for this purpose in a single user`
			`registry named Order_app. The administrator creates a default registry policy`
			`association to map all the users in the Order_app user registry to a single <span class="keyword">Windows 2000</span> user profile. This <span class="keyword">Windows 2000</span> user profile, SYSUSER, provides`
			`the minimum authority needed for this group of users. Performing this single`
			`configuration step allows the administrator to ensure that all users of the`
			`Web-based application have the access they need with the proper level of authorization`
			`that they need. However, the administrator also benefits because it eliminates`
			`the need to create and maintain individual <span class="keyword">Windows 2000</span> user`
			`profiles for each user.</p>`
			`</div>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzconcepts.htm" title="Use this information to learn about the underlying concepts for single signon for a better understanding of how you can plan to use single signon in your enterprise.">Concepts</a></div>`
			`</div>`
			`<div class="relinfo"><strong>Related information</strong><br />`
			`<div><a href="../rzalv/rzalveservereimid.htm">EIM identifiers</a></div>`
			`<div><a href="../rzalv/rzalveserverregistry.htm">EIM registry definitions</a></div>`
			`<div><a href="../rzalv/rzalveserverassoc.htm">EIM associations</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`