<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="EIM access control" />
<meta name="abstract" content="This information explains how to allow a user to access an LDAP user group to control a domain." />
<meta name="description" content="This information explains how to allow a user to access an LDAP user group to control a domain." />
<meta name="DC.Relation" scheme="URI" content="rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalv_access_by_api.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalv_access_by_task.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalveservereimauths" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>EIM access control</title>
</head>
<body id="rzalveservereimauths"><a name="rzalveservereimauths"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">EIM access control</h1>
<div><p>This information explains how to allow a user to access an LDAP user
group to control a domain.</p>
<p>An Enterprise Identity Mapping (EIM) user is a user who possesses EIM access
control based on their membership in a predefined Lightweight Directory Access
Protocol (LDAP) user group for a specific domain. Specifying EIM <em>access
control</em> for a user adds that user to a specific LDAP user group for a
particular domain. Each LDAP group has authority to perform specific EIM administrative
tasks for that domain. The access control group to which an EIM user belongs
determines which administrative tasks, including lookup operations, that
user can perform.</p>
<div class="note"><span class="notetitle">Note:</span> To configure EIM, you need to prove that you are trusted within the
context of the network, not by one specific system. Authorization to configure
EIM is not based on your i5/OS™ user profile authority, but rather on your EIM
access control authority. EIM is a network resource, not a resource for any
one particular system; consequently, EIM doesn't recognize i5/OS-specific
special authorities such as *ALLOBJ and *SECADM for configuration. Once EIM
is configured, however, authorization to perform tasks can be based on a number
of different user types, including i5/OS user profiles. For example, the IBM<sup>®</sup> Directory
Server for iSeries™ (LDAP)
treats i5/OS profiles
with *ALLOBJ and *IOSYSCFG special authority as directory administrators.</div>
<p>Only users with EIM administrator access control can add other users to
an EIM access control group or change other users' access control settings.
Before a user can become a member of an EIM access control group, that user
must have an entry in the directory server that acts as the EIM domain controller.
Also, only specific types of users can be made a member of an EIM access
control group. The user identity can be in the form of a Kerberos principal,
an LDAP distinguished name, or an i5/OS user profile so long as the user
identity is defined to the directory server.</p>
<p><strong>Note:</strong> To have the Kerberos principal user type available in EIM,
network authentication service must be configured on the system. To have
the i5/OS user
profile type available in EIM, you must configure a system object suffix on
the directory server. This allows the directory server to reference i5/OS system
objects, such as i5/OS user
profiles.</p>
<p>The following are brief descriptions of the functions that each EIM authority
group can perform:</p>
<div class="section"><h4 class="sectiontitle">Lightweight Directory Access Protocol (LDAP) administrator</h4><p>The
LDAP administrator is a special distinguished name (DN) in the directory that
is an administrator for the entire directory. Thus, the LDAP administrator
has access to all EIM administrative functions, as well as access to the entire
directory. A user with this access control can perform the following functions: </p>
<ul><li>Create a domain.</li>
<li>Delete a domain.</li>
<li>Create and remove EIM identifiers.</li>
<li>Create and remove EIM registry definitions.</li>
<li>Create and remove source, target, and administrative associations.</li>
<li>Create and remove policy associations.</li>
<li>Create and remove certificate filters.</li>
<li>Enable and disable the use of policy associations for a domain.</li>
<li>Enable and disable mapping lookups for a registry.</li>
<li>Enable and disable the use of policy associations for a registry.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
<li>Add, remove, and list EIM access control information.</li>
<li><img src="./delta.gif" alt="Start of change" />Change and remove credential information for a registry user. <img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">EIM administrator</h4><p>Membership in this access control
group allows the user to manage all of the EIM data within this EIM domain.
A user with this access control can perform the following functions: </p>
<ul><li>Delete a domain.</li>
<li>Create and remove EIM identifiers.</li>
<li>Create and remove EIM registry definitions.</li>
<li>Create and remove source, target, and administrative associations.</li>
<li>Create and remove policy associations.</li>
<li>Create and remove certificate filters.</li>
<li>Enable and disable the use of policy associations for a domain.</li>
<li>Enable and disable mapping lookups for a registry.</li>
<li>Enable and disable the use of policy associations for a registry.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
<li>Add, remove, and list EIM access control information.</li>
<li><img src="./delta.gif" alt="Start of change" />Change and remove credential information for a registry user. <img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Identifier administrator</h4><p>Membership in this access
control group allows the user to add and change EIM identifiers and manage
source and administrative associations. A user with this access control can
perform the following functions: </p>
<ul><li>Create EIM identifiers.</li>
<li>Add and remove source associations.</li>
<li>Add and remove administrative associations.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">EIM mapping operations</h4><p>Membership in this access
control group allows the user to conduct EIM mapping lookup operations. A
user with this access control can perform the following functions: </p>
<ul><li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Registry administrator</h4><p>Membership in this access
control group allows the user to manage all EIM registry definitions. A user
with this access control can perform the following functions: </p>
<ul><li>Add and remove target associations.</li>
<li>Create and remove policy associations.</li>
<li>Create and remove certificate filters.</li>
<li>Enable and disable mapping lookups for a registry.</li>
<li>Enable and disable the use of policy associations for a registry.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Administrator for selected registries</h4><p>Membership
in this access control group allows the user to manage EIM information only
for a specified user registry definition (such as <samp class="codeph">Registry_X</samp>).
Membership in this access control group also allows the user to add and remove
target associations only for a specified user registry definition. To take
full advantage of mapping lookup operations and policy associations, a user
with this access control should also have <strong>EIM mapping operations</strong> access
control. This access control allows a user to perform the following functions
for specific authorized registry definitions:</p>
<ul><li>Create, remove, and list target associations for the specified EIM registry
definitions only.</li>
<li>Add and remove default domain policy associations.</li>
<li>Add and remove policy associations for the specified registry definitions
only.</li>
<li>Add certificate filters for the specified registry definitions only.</li>
<li>Enable and disable mapping lookups for the specified registry definitions
only.</li>
<li>Enable and disable the use of policy associations for the specified registry
definitions only.</li>
<li>Retrieve EIM identifiers.</li>
<li>Retrieve identifier associations and certificate filters for the specified
registry definitions only.</li>
<li>Retrieve EIM registry definition information for the specified registry
definitions only.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />If the specified registry definition is a group registry
definition, a user with Administrator for selected registries access control
has administrator access to the group only, not to the members of the group.<img src="./deltaend.gif" alt="End of change" /></div>
<p>A
user with both <strong>Administrator for selected registries</strong> access control
and <strong>EIM mapping lookup operations</strong> access control gains the ability
to perform the following functions: </p>
<ul><li>Add and remove policy associations only for the specified registries.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve all identifier associations, policy associations, certificate
filters, EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><img src="./delta.gif" alt="Start of change" /><h4 class="sectiontitle">Credential lookup</h4><p>This access control
group allows the user to retrieve credential information, such as passwords. </p>
<p>If
a user with this access control wants to perform an additional EIM operation,
the user needs to be a member of the access control group that provides authority
for the desired EIM operation. For example, if a user with this access control
wants to retrieve the target association from a source association, the user
needs to be a member of one of the following access control groups: </p>
<ul><li>EIM administrator</li>
<li>Identifier administrator</li>
<li>EIM mapping lookup operations</li>
<li>Registry administrator</li>
</ul>
<img src="./deltaend.gif" alt="End of change" /></div>
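<p>Added example, not part of the original IBM page or of the EIM API: a simplified Python model of the access control groups above, showing how a registry-scoped grant differs from a domain-wide one and which users can edit access control or retrieve credentials. The group labels, operation labels and sample users are assumptions made for this sketch.</p>

```python
# Added model of this page's access control groups. Group and operation
# labels are invented for the sketch; they are not EIM API constants.
VIEW = {"lookup", "retrieve"}
REGISTRY_OPS = {"target_assoc", "policy_assoc", "cert_filters",
                "registry_lookup_toggle"}
DOMAIN_WIDE = {
    "eim_admin": VIEW | REGISTRY_OPS | {
        "delete_domain", "create_identifier", "remove_identifier",
        "registry_definitions", "source_assoc", "admin_assoc",
        "access_control", "change_credentials"},
    "identifier_admin": VIEW | {"create_identifier", "source_assoc",
                                "admin_assoc"},
    "mapping_operations": VIEW,
    "registry_admin": VIEW | REGISTRY_OPS,
    "credential_lookup": {"retrieve_credentials"},
}
# "Administrator for selected registries" is granted per registry definition
# and, on its own, does not include lookup operations.
SCOPED = REGISTRY_OPS | {"retrieve"}


def is_allowed(memberships, operation, registry=None):
    """memberships: (group, registry-or-None) pairs held by one user."""
    for group, scope in memberships:
        if operation in DOMAIN_WIDE.get(group, ()):
            return True
        if (group == "selected_registries" and operation in SCOPED
                and registry is not None and registry == scope):
            return True
    return False


def review(directory):
    """Map each user to the access-control or credential rights they hold."""
    watched = ("access_control", "retrieve_credentials")
    report = {}
    for user, memberships in directory.items():
        held = [op for op in watched if is_allowed(memberships, op)]
        if held:
            report[user] = held
    return report


# Constructed sample memberships (not taken from the page).
SAMPLE = {
    "cn=alice": [("eim_admin", None)],
    "cn=bob": [("selected_registries", "Registry_X")],
    "cn=svc-sso": [("credential_lookup", None), ("mapping_operations", None)],
}
```

<p>Calling <samp class="codeph">review(SAMPLE)</samp> lists the holders of those two rights, and <samp class="codeph">is_allowed</samp> answers a single operation check for one user.</p>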
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzalv_access_by_api.htm">EIM access control group: API authority</a></strong><br />
This information displays tables that are organized by the Enterprise Identity Mapping (EIM) operation that the API performs.</li>
<li class="ulchildlink"><strong><a href="rzalv_access_by_task.htm">EIM access control group: EIM task authority</a></strong><br />
This information displays a table that explains the relationships between the different Enterprise Identity Mapping (EIM) access control groups and the EIM tasks that they can perform.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalveservercncpts.htm" title="Use this information to learn about important EIM concepts that you need to understand to implement EIM successfully.">Enterprise Identity Mapping concepts</a></div>
</div>
</div>
</body>
</html>