<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="i5/OS user profile considerations for EIM" />
<meta name="DC.Relation" scheme="URI" content="rzalv_iseries_eim_concepts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalv_user_profiles" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>i5/OS user profile considerations for EIM</title>
</head>
<body id="rzalv_user_profiles"><a name="rzalv_user_profiles"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">i5/OS user profile considerations for EIM</h1>
<div><p>Being able to perform tasks in Enterprise Identity Mapping (EIM) is not based on your i5/OS™ user profile authority, but rather on your <a href="rzalveservereimauths.htm#rzalveservereimauths">EIM access control</a> authority. However, some additional tasks must be performed to set up i5/OS to use EIM, and these tasks require an i5/OS user profile with the appropriate special authorities.</p>
<div class="p">To set up i5/OS to use EIM by using iSeries™ Navigator, your user profile must have the following special authorities: <ul><li>Security administrator (*SECADM).</li>
<li>All object (*ALLOBJ).</li>
<li>System configuration (*IOSYSCFG).</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">i5/OS user profile command enhancement for EIM identifiers</h4><p>Once you configure EIM for your system, you can take advantage of a new parameter, EIMASSOC, on both the <a href="../cl/crtusrprf.htm">Create user profile</a> (CRTUSRPRF) command and the Change user profile (CHGUSRPRF) command. You can use this parameter to define EIM identifier associations for the specified user profile in the local registry.</p>
<div class="p">When you use this parameter, you can specify the following information: <ul><li>EIM identifier name, which can be a new name or an existing identifier name.</li>
<li>An action option for the association, which can be to add (*ADD), to replace (*REPLACE), or to remove (*REMOVE) the association that you specify.<div class="note"><span class="notetitle">Note:</span> Use the *ADD option to set up new associations. Use the *REPLACE option, for example, if you previously defined associations to the wrong identifier. The *REPLACE option removes any existing associations of the specified type for the local registry to any other identifiers, and then adds the one that is specified for the parameter. Use the *REMOVE option to remove the specified associations from the specified identifier.</div>
</li>
<li>The type of identifier association, which can be target, source, both a target and a source, or an administrative association.</li>
<li>Whether to create the specified EIM identifier if it does not already exist.</li>
</ul>
</div>
<p>You typically create a target association for an i5/OS profile, especially in a single signon environment. After you use the command to create the needed target association for the user profile (and the EIM identifier, if necessary), you may need to create a corresponding source association. You can use iSeries Navigator to create a source association for another user identity, such as the Kerberos principal with which the user signs on to the network.</p>
<p>When you configured EIM for the system, you specified a user identity and password for the system to use when performing EIM operations on behalf of the operating system. This user identity must have EIM <a href="rzalveservereimauths.htm#rzalveservereimauths">access control</a> authority sufficient for creating identifiers and adding associations.</p>
</div>
<div class="section"><h4 class="sectiontitle">i5/OS user profile passwords and EIM</h4><p>As an administrator, your primary goal for configuring EIM as part of a single signon environment is to reduce the amount of user password management that you must perform for the typical end users in your enterprise. By using the identity mapping that EIM provides in combination with Kerberos authentication, your users have to perform fewer logons and remember and manage fewer passwords. You benefit because you have fewer calls to manage problems for the mapped user identities, such as calls to reset these passwords when users forget them. However, your security policy password rules are still in effect, and you must still manage these user profiles whenever the password expires.</p>
<p>To further benefit from your single signon environment, you may want to consider changing the password setting for those user profiles that are the target of identity mappings. As the target of an identity mapping, the user no longer needs to provide the password for the user profile when the user accesses an iSeries system or <a href="rzalv_os400_apps.htm#rzalv_os400_apps">EIM-enabled i5/OS resource</a>. For typical users, you can change the password setting to *NONE so that no password can be used with the user profile. The owner of the user profile no longer needs a password because of identity mapping and single signon. By setting the password to *NONE, you benefit further because you and your users no longer have to manage password expiration; additionally, no one can use the profile to sign on directly to an iSeries or to directly access EIM-enabled i5/OS resources. However, you may prefer that administrators continue to have a password value for their user profiles in case they ever need to sign on directly to an iSeries system. For example, if your EIM domain controller is down and identity mapping cannot occur, an administrator may need to be able to sign on directly to an iSeries system until the problem with the domain controller is resolved.</p>
</div>
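<p>The EIMASSOC parameter and the PASSWORD(*NONE) setting described in the two sections above, as an added CL example that is not part of the original IBM topic. It assumes the EIMASSOC positional element order (identifier name, association type, action, create-identifier option) and the values *TARGET, *CRTEIMID and *NOCRTEIMID, which you should confirm on the CHGUSRPRF prompt for your release; JSMITH, EIMADMIN and the identifier name 'John Smith' are constructed sample values.</p>

```cl
/* Added example, not from the IBM topic. Assumed: EIMASSOC element order */
/* (identifier, association type, action, create option) and the values  */
/* *TARGET, *CRTEIMID, *NOCRTEIMID. Confirm them on the CHGUSRPRF prompt */
/* (F4) for your release. JSMITH, EIMADMIN and 'John Smith' are          */
/* constructed sample values.                                            */

/* 0. Check that the administering profile holds the special authorities  */
/*    the topic requires (*SECADM, *ALLOBJ, *IOSYSCFG) before configuring */
/*    EIM; the authorities are listed in the basic display.               */
DSPUSRPRF USRPRF(EIMADMIN) TYPE(*BASIC)

/* 1. New end-user profile: no password at all, plus a target association */
/*    so that a mapped identity (for example the user's Kerberos          */
/*    principal) can reach it. *ADD is correct because the profile has   */
/*    no associations yet; *CRTEIMID creates the identifier if it is new. */
CRTUSRPRF USRPRF(JSMITH) PASSWORD(*NONE) +
          TEXT('John Smith - reached only through EIM mapping') +
          EIMASSOC('John Smith' *TARGET *ADD *CRTEIMID)

/* 2. Repairing an association that was defined to the wrong identifier.  */
/*    *REPLACE removes every *TARGET association the local registry has  */
/*    to any other identifier, then adds the one named here, so a stale  */
/*    mapping cannot remain next to the correct one.                      */
CHGUSRPRF USRPRF(JSMITH) +
          EIMASSOC('John Smith' *TARGET *REPLACE *NOCRTEIMID)

/* 3. Deprovisioning: drop the target association so the identity can no  */
/*    longer be mapped to this profile.                                   */
CHGUSRPRF USRPRF(JSMITH) +
          EIMASSOC('John Smith' *TARGET *REMOVE *NOCRTEIMID)

/* 4. Administrator profiles such as EIMADMIN keep a password value (do   */
/*    not set PASSWORD(*NONE)) so that someone can still sign on directly */
/*    while the EIM domain controller is unavailable; their passwords     */
/*    remain subject to the normal expiration rules.                      */
```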
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalv_iseries_eim_concepts.htm" title="This information lists all the applications for Enterprise Identity Mapping (EIM).">iSeries concepts for Enterprise Identity Mapping</a></div>
</div>
</div>
</body>
</html>