Lookup operation examples: Example 5

Use this example to learn about lookup operations returning ambiguous results that involve group registry definitions.

In some cases, a mapping lookup operation returns ambiguous results when more than one target user identity matches the specified lookup criteria. Because ambiguous results can cause applications that use EIM to fail or give unexpected results, you must take action to prevent or resolve the situation.

In particular, be aware that lookup operations can return ambiguous results when you specify an individual user registry definition as a member of more than one group registry definition. If an individual user registry definition is a member of multiple group registry definitions and you create individual EIM identifier associations or policy associations that use a group registry definition as either the source registry or target registry, lookup operations might return ambiguous results. For example, you might use two different user identities for two different types of system tasks that you perform: you perform tasks as a security administrator that require a user identity with QSECOFR authority, and you perform typical user tasks that require a user identity with QUSER authority. If both of your user identities reside within the individual user registry that is a member of two different group registry definitions and you create target identifier associations to both of the target user identities, lookup operations find both of the target user identities and consequently return ambiguous results.

The following example describes how this problem can occur when you specify an individual user registry as a member of two group registry definitions and you specify one of the group registry definitions as the target registry in two individual EIM identifier associations.



Example:

John Day has the following user identities within a system registry definition called System B user registry:

System B user registry is a member of the following group registry definitions:

EIM identifier John Day has two target associations with the following specifications:

In this situation, the mapping lookup operation returns ambiguous results because more than one target user identity matches the specified lookup criteria; both user identities (JOHND and DAYOJO) match the specified lookup criteria.

Similarly, mapping lookup operations might return ambiguous results if you create two policy associations (rather than individual EIM identifier associations) that use group registry definitions as target registries.

To prevent lookup operations from returning ambiguous results that involve group registry definitions, consider the following guidelines:

You might define the following lookup information for each target user identity in the example about John Day:

However, base i5/OS™ applications such as iSeries™ Access for Windows® cannot use lookup information to distinguish among multiple target user identities returned by a lookup operation. Consequently, you might consider redefining associations for the domain so that a mapping lookup operation returns a single target user identity and base i5/OS applications can successfully perform lookup operations and map identities.
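The following added example is not IBM code and does not call the EIM APIs. It is a simplified Python model of the John Day situation that audits a set of target associations for lookups that would return more than one target user identity. The group registry names GROUP_A and GROUP_B are constructed placeholders, and the matching rule (an association matches when its target registry is the lookup registry or a group that contains it) is an assumption of the model.

```python
# Simplified model of EIM target lookups through group registry definitions.
# Constructed sample data: GROUP_A and GROUP_B are placeholder names.
GROUP_MEMBERS = {
    "GROUP_A": {"System B user registry"},
    "GROUP_B": {"System B user registry"},
}

# (EIM identifier, target registry definition, target user identity)
TARGET_ASSOCIATIONS = [
    ("John Day", "GROUP_A", "JOHND"),
    ("John Day", "GROUP_A", "DAYOJO"),
]


def registries_covering(registry, group_members):
    """The registry itself plus every group registry definition it belongs to."""
    covering = {registry}
    covering.update(g for g, members in group_members.items() if registry in members)
    return covering


def lookup(identifier, target_registry, associations, group_members):
    """Return every target user identity that matches the lookup criteria."""
    covering = registries_covering(target_registry, group_members)
    return sorted({user for ident, reg, user in associations
                   if ident == identifier and reg in covering})


def audit_ambiguous(associations, group_members):
    """Map (identifier, individual registry) to the identities of an ambiguous lookup."""
    individual = set().union(*group_members.values())
    individual |= {reg for _, reg, _ in associations if reg not in group_members}
    findings = {}
    for ident in {a[0] for a in associations}:
        for registry in individual:
            users = lookup(ident, registry, associations, group_members)
            if len(users) > 1:  # more than one target identity: ambiguous
                findings[(ident, registry)] = users
    return findings


if __name__ == "__main__":
    found = audit_ambiguous(TARGET_ASSOCIATIONS, GROUP_MEMBERS)
    for (ident, registry), users in sorted(found.items()):
        print(f"AMBIGUOUS: {ident} -> {registry}: {users}")
```

An empty result from audit_ambiguous means every modeled lookup resolves to at most one target user identity, which is the condition base i5/OS applications need.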
