ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalv_5.4.0.1/rzalv_user_profiles.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="i5/OS user profile considerations for EIM" />
<meta name="DC.Relation" scheme="URI" content="rzalv_iseries_eim_concepts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalv_user_profiles" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>i5/OS user
profile considerations for EIM</title>
</head>
<body id="rzalv_user_profiles"><a name="rzalv_user_profiles"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">i5/OS user
profile considerations for EIM</h1>
<div><p>Being able to perform tasks in Enterprise Identity Mapping (EIM) is not
based on your i5/OS™ user
profile authority, but rather on your <a href="rzalveservereimauths.htm#rzalveservereimauths">EIM access control</a> authority.
However, there are some additional tasks that need to be performed to set
up i5/OS to
use EIM. These additional tasks require you to have an i5/OS user profile
with the appropriate special authorities.</p>
<div class="p">To set up i5/OS to
use EIM using iSeries™ Navigator,
your user profile must have the following special authorities: <ul><li>Security administrator (*SECADM).</li>
<li>All object (*ALLOBJ). </li>
<li>System configuration (*IOSYSCFG). </li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">i5/OS user
profile command enhancement for EIM identifiers</h4><p>Once you configure
EIM for your system, you can take advantage of a new parameter for both the <a href="../cl/crtusrprf.htm">Create user profile</a> (CRTUSRPRF)
command and the Change user profile (CHGUSRPRF) command, called EIMASSOC.
You can use this parameter to define EIM identifier associations for the specified
user profile in the local registry. </p>
<div class="p">When you use this parameter,
you can specify the following information: <ul><li>EIM identifier name, which can be a new name or an existing identifier
name.</li>
<li>An action option for the association, which can be to add (*ADD), to replace
(*REPLACE), or to remove (*REMOVE) the association that you specify.<div class="note"><span class="notetitle">Note:</span> Use
the *ADD option to set up new associations. Use the *REPLACE option, for example,
if you previously defined associations to the wrong identifier. The *REPLACE
option removes any existing associations of the specified type for the local
registry to any other identifiers, and then adds the one that is specified
for the parameter. Use the *REMOVE option to remove any specified associations
from the specified identifier.</div>
</li>
<li>The type of identifier association, which can be target, source, both
a target and a source, or an administrative association.</li>
<li>Whether to create the specified EIM identifier if it does not already
exist.</li>
</ul>
</div>
<p>You typically create a target association for an i5/OS profile,
especially in a single signon environment. After you use the command to create
the needed target association for the user profile (and the EIM identifier,
if necessary), you may need to create a corresponding source association.
You can use iSeries Navigator
to create a source association for another user identity, such as the Kerberos
principal with which the user signs on to the network.</p>
<p>When you configured
EIM for the system, you specified a user identity and password for the system
to use when performing EIM operations on behalf of the operating system. This
user identity must have EIM <a href="rzalveservereimauths.htm#rzalveservereimauths">access
control </a> authority sufficient for creating identifiers and adding associations. </p>
</div>
<div class="section"><h4 class="sectiontitle">i5/OS user
profile passwords and EIM </h4><p>As an administrator, your primary goal
for configuring EIM as part of a single signon environment is to reduce the
amount of user password management that you must perform for the typical end
users in your enterprise. By using the identity mapping that EIM provides
in combination with Kerberos authentication, you know that your users will
have to perform fewer logons and remember and manage fewer passwords. You
benefit because you have fewer calls to manage problems for the mapped user
identities, such as calls to reset these passwords when users forget them.
However, your security policy password rules are still in effect and you must
still manage these user profiles for users whenever the password expires.</p>
<p>To
further benefit from your single signon environment, you may want to consider
changing the password setting for those user profiles that are the target
of identity mappings. As the target of an identity mapping, the user no longer
needs to provide the password for the user profile when the user accesses
an iSeries system
or <a href="rzalv_os400_apps.htm#rzalv_os400_apps">EIM-enabled i5/OS resource</a>.
For typical users, you can change the password setting to *NONE so that no
password can be used with the user profile. The owner of the user profile
no longer needs a password because of identity mapping and single signon.
By setting the password to *NONE, you benefit further because you and your
users no longer have to manage password expiration; additionally, no one can
use the profile to sign on directly to an iSeries or access EIM-enabled i5/OS resources.
However, you may prefer that administrators continue to have a password value
for their user profiles in case they ever need to sign on directly to an iSeries system.
For example, if your EIM domain controller is down and identity mapping cannot
occur, an administrator may need to be able to sign on directly to an iSeries system
until the problem with the domain controller is resolved.</p>
</div>
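<p>The following CL command sequence is an added example, not code from this IBM page, that puts together the EIMASSOC parameter described in the previous section (create a target association, correct one with *REPLACE, remove one) and the PASSWORD(*NONE) setting described in this section, with an administrator profile that keeps its password. The user profile names JOHND and SECADM1, the EIM identifier names, the TEXT values and the temporary password are constructed sample values. The page names only the *ADD, *REPLACE and *REMOVE actions; the association-type and create-identifier element values (*TARGET, *SOURCE, *TGTSRC, *ADMIN, *CRTEIMID, *NOCRTEIMID) are the ones documented for the CRTUSRPRF and CHGUSRPRF commands, not taken from this page.</p>

```cl
/* Added example (not from the IBM page). JOHND, SECADM1, the EIM        */
/* identifier names and the temporary password are constructed values.  */
/* The profile that runs these commands needs *SECADM, *ALLOBJ and      */
/* *IOSYSCFG special authority, and the system's EIM user identity      */
/* needs EIM access control sufficient to create identifiers and        */
/* add associations.                                                    */

/* 1. Create the end-user profile and, in the same command, a target    */
/*    association to the EIM identifier 'John Day'. *CRTEIMID creates   */
/*    the identifier if it does not exist yet. Association types are    */
/*    *TARGET, *SOURCE, *TGTSRC (both) and *ADMIN.                     */
CRTUSRPRF USRPRF(JOHND) PASSWORD(Tmp4Now1) +
          TEXT('John Day - single signon target profile') +
          EIMASSOC('John Day' *ADD *TARGET *CRTEIMID)

/* 2. If the target association was made to the wrong identifier,       */
/*    *REPLACE removes the existing target associations for the local   */
/*    registry and adds the one named here.                             */
CHGUSRPRF USRPRF(JOHND) +
          EIMASSOC('John Day' *REPLACE *TARGET *NOCRTEIMID)

/* 3. After the source association for the user's Kerberos principal    */
/*    has been created (in iSeries Navigator), the profile no longer    */
/*    needs a password: *NONE means no password can be used to sign on  */
/*    directly with this profile, and there is no expiration to manage. */
CHGUSRPRF USRPRF(JOHND) PASSWORD(*NONE)

/* 4. Administrator profile: add the target association but leave the   */
/*    password in place, so the administrator can still sign on         */
/*    directly if the EIM domain controller is unavailable.             */
CHGUSRPRF USRPRF(SECADM1) +
          EIMASSOC('Security Admin One' *ADD *TARGET *CRTEIMID)

/* 5. When the mapping is no longer wanted, *REMOVE drops the named     */
/*    target association from the identifier; the profile itself and    */
/*    the EIM identifier are not deleted.                               */
CHGUSRPRF USRPRF(JOHND) +
          EIMASSOC('John Day' *REMOVE *TARGET *NOCRTEIMID)
```

<p>Steps 1 and 3 are deliberately separate: the temporary password covers the window before the source association exists, and setting PASSWORD(*NONE) afterwards closes direct sign-on for the mapped profile without affecting the administrator profile in step 4.</p>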
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalv_iseries_eim_concepts.htm" title="This information lists all the applications for Enterprise Identity Mapping (EIM).">iSeries concepts for Enterprise Identity Mapping</a></div>
</div>
</div>
</body>
</html>