Being able to perform tasks in Enterprise Identity Mapping (EIM) is not based on your i5/OS™ user profile authority, but rather on your EIM access control authority. However, there are some additional tasks that need to be performed to set up i5/OS to use EIM. These additional tasks require you to have an i5/OS user profile with the appropriate special authorities.
Once you configure EIM for your system, you can take advantage of a new parameter for both the Create user profile (CRTUSRPRF) command and the Change user profile (CHGUSRPRF) command, called EIMASSOC. You can use this parameter to define EIM identifier associations for the specified user profile profile for the local registry.
You typically create a target association for an i5/OS profile, especially in a single signon environment. After you use the command to create the needed target association for the user profile (and the EIM identifier, if necessary), you may need to create a corresponding source association. You can use iSeries Navigator to create a source association for a another user identity, such as the Kerberos principal with which the user signs on to the network.
When you configured EIM for the system, you specified a user identity and password for the system to use when performing EIM operations on behalf of the operating system. This user identity must have EIM access control authority sufficient for creating identifiers and adding associations.
As an administrator, your primary goal for configuring EIM as part of a single signon environment is to reduce the amount of user password management that you must perform for the typical end users in your enterprise. By using the identity mapping that EIM provides in combination with Kerberos authentication, you know that your users will have to perform fewer logons and remember and manage fewer passwords. You benefit because you have fewer calls to manage problems for the mapped user identities, such as calls to reset these passwords when users forget them. However, your security policy password rules are still in effect and you must still manage these user profiles for users whenever the password expires.
To further benefit from your single signon environment, you may want to consider changing the password setting for those user profiles that are the target of identity mappings. As the target of an identity mapping, the user no longer needs to provide the password for the user profile when the user accesses an iSeries system or EIM-enabled i5/OS resource. For typical users, you can change the password setting to *NONE so that no password can be used with the user profile. The owner of the user profile no longer needs a password because of identity mapping and single signon. By setting the password to *NONE, you benefit further because you and your users no longer have to manage password expiration; additionally, no one can use the profile to directly signon to an iSeries or access EIM-enabled i5/OS resources. However, you may prefer that administrators continue to have a password value for their user profiles in case they ever need to signon directly to an iSeries system. For example, if your EIM domain controller is down and identity mapping can not occur, an administrator may need to be able to signon directly to an iSeries system until the problem with the domain controller is resolved.