<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan Enterprise Identity Mapping associations" />
<meta name="DC.Relation" scheme="URI" content="rzalv_id_map_plan.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalv_plan_assocs" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan Enterprise Identity Mapping associations</title>
</head>
<body id="rzalv_plan_assocs"><a name="rzalv_plan_assocs"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan Enterprise Identity Mapping associations</h1>
<div><p><a href="rzalveserverassoc.htm#rzalveserverassoc">Associations</a> are
entries that you create in an Enterprise Identity Mapping (EIM) domain to
define a relationship between user identities in different user registries.
You can create one of two types of associations in EIM: identifier associations
to define one-to-one mappings and policy associations to define many-to-one
mappings. You can use policy associations instead of, or in conjunction with,
identifier associations. </p>
<p>The specific types of <a href="rzalveserverassoc.htm#rzalveserverassoc">associations</a> that you choose to create depend on how
a user uses a particular user identity, as well as your overall <a href="rzalv_id_map_plan.htm#id_map_plan">identity mapping plan</a>. </p>
<p>You can create any of the following types of identifier associations: </p>
<ul><li><strong>Target associations</strong><p>You define target associations for users
that normally only access this system as a server from some other client system.
This type of association is used when an application performs mapping lookup
operations. </p>
</li>
<li><strong>Source associations</strong><p>You define source associations when the user
identity is the first one that a user provides to sign on to the system or
network. This type of association is used when an application performs mapping
lookup operations. </p>
</li>
<li><strong>Administrative associations</strong><p>You define administrative associations
when you want to be able to track the fact that the user identity belongs
to a specific user, but do not want the user identity to be available to mapping
lookup operations. You can use this type of association to track all the user
identities that a person uses in the enterprise. </p>
</li>
</ul>
<p>A <strong>policy association</strong> always defines a target association.</p>
<p>It is possible for a single registry definition to have more than one type
of association depending on how the user registry that it refers to is used.
Although there are no limits to the numbers of, or the combinations of, associations
that you can define, keep the number to a minimum to simplify the administration
of your EIM domain. </p>
<p>Typically, an application will provide guidance on which registry definitions
it expects for source and target registries, but not the association types.
Each end user of the application needs to be mapped to the application by
at least one association. This association can be a one-to-one mapping between
their unique EIM identifier and a user identity in the required target registry
or a many-to-one mapping between a source registry of which the user identity
is a member and the required target registry. Which type of association you
use depends on your identity mapping requirements and the criteria the application
provides.</p>
<p>Previously as part of the planning process, you completed two planning
work sheets for the user identities in your organization with information
about the EIM identifiers and EIM registry definitions that you need. Now
you need to bring this information together by specifying the types of associations
you want to use to map the user identities in your enterprise. You need to
determine whether to define a policy association for a particular application
and its registry of users, or to define specific identifier associations (source,
target, or administrative) for each user identity in the system or application
registry. You can do this by recording information about the required association
types in both the registry definition planning work sheet and in the corresponding
rows of each associations work sheet. </p>
<p>To complete your identity mapping plan, you can use the following example
work sheets as a guide to help you record the association information that
you need to describe a complete picture of how you plan to implement identity
mapping.</p>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Example EIM registry definition
information planning work sheet</caption><thead align="left"><tr><th align="left" valign="top" width="20%" id="d0e66">Registry definition name</th>
<th valign="top" width="20%" id="d0e68">User registry type</th>
<th valign="top" width="20%" id="d0e70">Registry definition alias</th>
<th valign="top" width="20%" id="d0e72">Registry description</th>
<th valign="top" width="20%" id="d0e74">Association types</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="20%" headers="d0e66 ">System_C</td>
<td valign="top" width="20%" headers="d0e68 ">i5/OS™ system user registry</td>
<td valign="top" width="20%" headers="d0e70 ">See application documentation</td>
<td valign="top" width="20%" headers="d0e72 ">Main system user registry for i5/OS on System C</td>
<td valign="top" width="20%" headers="d0e74 ">Target</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">System_A_WAS</td>
<td valign="top" width="20%" headers="d0e68 ">WebSphere<sup>®</sup> LTPA</td>
<td valign="top" width="20%" headers="d0e70 ">app_23_alias_source</td>
<td valign="top" width="20%" headers="d0e72 ">WebSphere LTPA user registry on System A</td>
<td valign="top" width="20%" headers="d0e74 ">Primarily source</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">System_B</td>
<td valign="top" width="20%" headers="d0e68 ">Linux<sup>®</sup></td>
<td valign="top" width="20%" headers="d0e70 ">See application documentation</td>
<td valign="top" width="20%" headers="d0e72 ">Linux user registry on System B</td>
<td valign="top" width="20%" headers="d0e74 ">Source and target</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">System_A</td>
<td valign="top" width="20%" headers="d0e68 ">i5/OS system user registry</td>
<td valign="top" width="20%" headers="d0e70 ">app_23_alias_target app_xx_alias_target</td>
<td valign="top" width="20%" headers="d0e72 ">Main system user registry for i5/OS on System A</td>
<td valign="top" width="20%" headers="d0e74 ">Target</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">System_D</td>
<td valign="top" width="20%" headers="d0e68 ">Kerberos user registry</td>
<td valign="top" width="20%" headers="d0e70 ">app_xx_alias_source</td>
<td valign="top" width="20%" headers="d0e72 ">legal.mydomain.com Kerberos realm</td>
<td valign="top" width="20%" headers="d0e74 ">Source</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">System_4</td>
<td valign="top" width="20%" headers="d0e68 ">Windows<sup>®</sup> 2000 user registry</td>
<td valign="top" width="20%" headers="d0e70 ">See application documentation</td>
<td valign="top" width="20%" headers="d0e72 ">Human resources application user registry on System 4</td>
<td valign="top" width="20%" headers="d0e74 ">Administrative</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">order.mydomain.com</td>
<td valign="top" width="20%" headers="d0e68 ">Windows 2000 user registry </td>
<td valign="top" width="20%" headers="d0e70 ">&nbsp;</td>
<td valign="top" width="20%" headers="d0e72 ">Main logon registry for order department employees</td>
<td valign="top" width="20%" headers="d0e74 ">Default registry policy (source registry)</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">System_A_order_app </td>
<td valign="top" width="20%" headers="d0e68 ">Order department application</td>
<td valign="top" width="20%" headers="d0e70 ">&nbsp;</td>
<td valign="top" width="20%" headers="d0e72 ">Application specific registry for order updates</td>
<td valign="top" width="20%" headers="d0e74 ">Default registry policy (target registry)</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e66 ">System_C_order_app </td>
<td valign="top" width="20%" headers="d0e68 ">Order department application</td>
<td valign="top" width="20%" headers="d0e70 ">&nbsp;</td>
<td valign="top" width="20%" headers="d0e72 ">Application specific registry for order updates</td>
<td valign="top" width="20%" headers="d0e74 ">Default registry policy (target registry)</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Example EIM identifier planning
work sheet</caption><thead align="left"><tr><th align="left" valign="top" width="33.33333333333333%" id="d0e205">Unique identifier name</th>
<th valign="top" width="33.33333333333333%" id="d0e207">Identifier or user identity description </th>
<th valign="top" width="33.33333333333333%" id="d0e209">Identifier alias</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="33.33333333333333%" headers="d0e205 ">John S Day</td>
<td valign="top" width="33.33333333333333%" headers="d0e207 ">Human resources manager</td>
<td valign="top" width="33.33333333333333%" headers="d0e209 ">app_23_admin</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e205 ">John J Day</td>
<td valign="top" width="33.33333333333333%" headers="d0e207 ">Legal Department</td>
<td valign="top" width="33.33333333333333%" headers="d0e209 ">app_xx_admin</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e205 ">Sharon A. Jones</td>
<td valign="top" width="33.33333333333333%" headers="d0e207 ">Order Department Administrator</td>
<td valign="top" width="33.33333333333333%" headers="d0e209 ">&nbsp;</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 3. Example identifier association
planning work sheet</caption><thead align="left"><tr><th colspan="3" valign="top" id="d0e243">Identifier unique name: _____John
S Day______</th>
</tr>
<tr><th align="left" valign="top" width="33.22147651006711%" id="d0e246">User registry</th>
<th valign="top" width="34.22818791946309%" id="d0e248">User identity</th>
<th valign="top" width="32.5503355704698%" id="d0e250">Association types</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="33.22147651006711%" headers="d0e243 d0e246 ">System A WAS on System A</td>
<td valign="top" width="34.22818791946309%" headers="d0e243 d0e248 ">johnday</td>
<td valign="top" width="32.5503355704698%" headers="d0e243 d0e250 ">Source</td>
</tr>
<tr><td valign="top" width="33.22147651006711%" headers="d0e243 d0e246 ">Linux on System B</td>
<td valign="top" width="34.22818791946309%" headers="d0e243 d0e248 ">jsd1</td>
<td valign="top" width="32.5503355704698%" headers="d0e243 d0e250 ">Source and target</td>
</tr>
<tr><td valign="top" width="33.22147651006711%" headers="d0e243 d0e246 ">i5/OS on System C</td>
<td valign="top" width="34.22818791946309%" headers="d0e243 d0e248 ">JOHND</td>
<td valign="top" width="32.5503355704698%" headers="d0e243 d0e250 ">Target</td>
</tr>
<tr><td valign="top" width="33.22147651006711%" headers="d0e243 d0e246 ">Registry 4 on Windows 2000 human resources system</td>
<td valign="top" width="34.22818791946309%" headers="d0e243 d0e248 ">JDAY</td>
<td valign="top" width="32.5503355704698%" headers="d0e243 d0e250 ">Administrative</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 4. Example planning work sheet for policy associations</caption><thead align="left"><tr><th valign="top" width="20%" id="d0e300">Policy association type</th>
<th valign="top" width="20%" id="d0e302">Source user registry</th>
<th valign="top" width="20%" id="d0e304">Target user registry</th>
<th valign="top" width="20%" id="d0e306">User identity</th>
<th valign="top" width="20%" id="d0e308">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="20%" headers="d0e300 ">Default registry</td>
<td valign="top" width="20%" headers="d0e302 ">order.mydomain.com</td>
<td valign="top" width="20%" headers="d0e304 ">System_A_order_app </td>
<td valign="top" width="20%" headers="d0e306 ">SYSUSERA</td>
<td valign="top" width="20%" headers="d0e308 ">Maps authenticated Windows order department user to appropriate
application user identity</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e300 ">Default registry</td>
<td valign="top" width="20%" headers="d0e302 ">order.mydomain.com</td>
<td valign="top" width="20%" headers="d0e304 ">System_C_order_app</td>
<td valign="top" width="20%" headers="d0e306 ">SYSUSERB</td>
<td valign="top" width="20%" headers="d0e308 ">Maps authenticated Windows order department user to appropriate
application user identity</td>
</tr>
</tbody>
</table>
</div>
</div>
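<p>The following is an added example, not IBM code and not the EIM API: a simplified Python model of a mapping lookup over the Table 3 and Table 4 work sheet rows, with the Table 3 registries keyed by their Table 1 registry definition names. It shows that only source and target associations take part in a lookup, that a policy association is the many-to-one fallback, and how to list users that no association maps to a target registry.</p>

```python
# Simplified model of an EIM mapping lookup over the example work sheets.
# Not the EIM API; registry names and user identities are the page's samples.

# Table 3: identifier associations for "John S Day" as (registry, user, types).
IDENTIFIER_ASSOCS = {
    "John S Day": [
        ("System_A_WAS", "johnday", {"source"}),
        ("System_B", "jsd1", {"source", "target"}),
        ("System_C", "JOHND", {"target"}),
        ("System_4", "JDAY", {"administrative"}),
    ],
}

# Table 4: default registry policies, keyed by (source registry, target registry).
DEFAULT_REGISTRY_POLICIES = {
    ("order.mydomain.com", "System_A_order_app"): "SYSUSERA",
    ("order.mydomain.com", "System_C_order_app"): "SYSUSERB",
}

def lookup(source_registry, source_user, target_registry):
    """Return (target user, how it was resolved) or (None, 'unmapped')."""
    for assocs in IDENTIFIER_ASSOCS.values():
        # Only a source association identifies the EIM identifier to start from.
        is_source = any(reg == source_registry and user == source_user
                        and "source" in kinds for reg, user, kinds in assocs)
        if not is_source:
            continue
        # Only a target association supplies the identity to return.
        for reg, user, kinds in assocs:
            if reg == target_registry and "target" in kinds:
                return user, "identifier"
    # No one-to-one mapping: fall back to a many-to-one policy association.
    policy_user = DEFAULT_REGISTRY_POLICIES.get((source_registry, target_registry))
    if policy_user is not None:
        return policy_user, "policy"
    return None, "unmapped"

def unmapped_users(source_registry, users, target_registry):
    """Planning check: users of source_registry with no mapping to the target."""
    return [u for u in users
            if lookup(source_registry, u, target_registry)[0] is None]
```

<p>In this model JDAY in System_4 never resolves as a source or a target because its only association is administrative, and every user of order.mydomain.com resolves to the same SYSUSERA or SYSUSERB identity.</p>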
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalv_id_map_plan.htm">Develop an identity mapping plan</a></div>
</div>
</div>
</body>
</html>