Create default registry policy associations

You want to have all your Microsoft® Active Directory users on the Windows® 2000 server map to the user profile, SYSUSERA, on iSeries™ A and to the user profile, SYSUSERB, on iSeries B.

Fortunately, you can use policy associations to create mappings directly between a group of users and a single target user identity. In this case, you can create a default registry policy association the maps all the user identities (for which no identifier associations exist) in the MYCO.COM Kerberos registry to a single i5/OS™ user profile on iSeriesA.

You need two policy associations to accomplish this goal. Each policy association uses the MYCO.COM user registry definition as the source of the association. However, each policy association maps user identities in this registry to different target user identities, depending on which iSeries system the Kerberos user accesses:
  • One policy association maps the Kerberos principals in the MYCO.COM user registry to a target user of SYSUSERA in the target registry of ISERIESA.MYCO.COM.
  • The other policy association maps the Kerberos principals in the MYCO.COM user registry to a target user of SYSUSERB in the target registry of ISERIESB.MYCO.COM.

Use the information from your planning works sheets to create two default registry policy associations.

Note: Before you can use policy associations, however, you must first ensure that you enable the domain to use policy associations for mapping lookup operations. You can do this as part of the process for creating your policy associations, as follows:
  1. In iSeries Navigator, expand iSeries A > Network > Enterprise Identity Mapping > Domain Management.
  2. Right-click MyCoEimDomain, and select Mapping policy....
  3. On the General page, select the Enable mapping lookups using policy associations for domain MyCoEimDomain.

Follow these steps to create the default registry policy association for the users to map to the SYSUSERA user profile on iSeries A:

  1. On the Registry page, click Add.
  2. In the Add Default Registry Policy Association dialog, specify or Browse... to select the following information, and click OK:
    • Source registry: MYCO.COM
    • Target registry: ISERIESA.MYCO.COM
    • Target user: SYSUSERA
  3. Click OK to close the Mapping Policy dialog.

    Follow these steps to create the default registry policy association for the users to map to the SYSUSERB user profile on iSeries B:

  4. On the Registry page, click Add.
  5. In the Add Default Registry Policy Association dialog, specify or Browse... to select the following information, and click OK:
    • Source registry: MYCO.COM
    • Target registry: ISERIESB.MYCO.COM
    • Target user: SYSUSERB
  6. Click OK to close the Mapping Policy dialog.

Now that you have created the default registry policy associations, you can enable the registries to participate in lookup operations and to use the policy associations.

Parent topic: Scenario: Enable single signon for i5/OS
Previous topic: Create identifier associations for Sharon Jones
Next topic: Enable registries to participate in lookup operations and to use policy associations