Create a default domain policy association

To create a default domain policy association, you must be connected to the Enterprise Identity Mapping (EIM) domain in which you want to work and you must have EIM access control at one of these levels:

EIM administrator
Registry administrator

Note: A policy association describes a relationship between multiple user identities and a single user identity in a target user registry. You can use a policy association to describe a relationship between a source set of multiple user identities and a single target user identity in a specified target user registry. Policy associations use EIM mapping policy support to create many-to-one mappings between user identities without involving an EIM identifier.

Because you can use policy associations in a variety of overlapping ways, you need to have a thorough understanding of EIM mapping policy support before you create and use policy associations. Also, to prevent potential problems with associations and how they map identities, you need to develop an overall identity mapping plan for your enterprise before you begin defining associations.

In a default domain policy association, all users in the domain are the source of the policy association and are mapped to a single target registry and target user. You can define a default domain policy association for each registry in the domain. If two or more domain policy associations refer to the same target registry, you can define unique lookup information for each of these policy associations to ensure that mapping lookup operations can distinguish between them. Otherwise, mapping lookup operations may return multiple target user identities. As a result of these ambiguous results, applications that rely on EIM may not be able to determine the exact target identity to use.

To create a default domain policy association, complete these steps:

Expand Network > Enterprise Identity Mapping > Domain Management.
Right-click the EIM domain in which you want to work and select Mapping Policy...
- If the EIM domain you want to work with is not listed under Domain Management, see Add an EIM domain to the Domain Management folder.
- If you are not currently connected to the EIM domain in which you want to work, see Connect to the EIM domain controller.
Select Enable mapping lookups using policy associations for domain on the General page.
Select the Domain page and click Add....
In the Add Default Domain Policy Association dialog, specify the following required information:
- The registry definition name of the Target registry for the policy association.
- The user identity name of the Target user for the policy association.
Click Help, if necessary, for more details about how to complete this and subsequent dialogs.
Optional. Click Advanced... to display the Add Association - Advanced dialog. Specify Lookup information for the policy association and click OK to return to the Add Default Domain Policy Association dialog.
Note: If two or more default domain policy associations refer to the same target registry, you must define unique lookup information for each of the target user identities in these policy associations. By defining lookup information for each target user identity in this situation, you ensure that mapping lookup operations can distinguish between them. Otherwise, mapping lookup operations may return multiple target user identities. As a result of these ambiguous results, applications that rely on EIM may not be able to determine the exact target identity to use.
Click OK to create the new policy association and return to the Domain page. The new policy association now displays in the Default policy associations table.
Verify that the new policy association is enabled for the target registry.
Click OK to save your changes and exit the Mapping Policy dialog.

Note: Verify that mapping policy support and the use of policy associations for target user registry are properly enabled. If it is not enabled, the policy association can not take effect.