ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalv_5.4.0.1/rzalveservereimauths.htm


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="EIM access control" />
<meta name="abstract" content="This information explains how to give a user EIM access control for a domain by adding the user to an LDAP user group." />
<meta name="description" content="This information explains how to give a user EIM access control for a domain by adding the user to an LDAP user group." />
<meta name="DC.Relation" scheme="URI" content="rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalv_access_by_api.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalv_access_by_task.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalveservereimauths" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>EIM access control</title>
</head>
<body id="rzalveservereimauths"><a name="rzalveservereimauths"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">EIM access control</h1>
<div><p>This information explains how to give a user EIM access control for a
domain by adding the user to an LDAP user group.</p>
<p>An Enterprise Identity Mapping (EIM) user is a user who possesses EIM access
control based on their membership in a predefined Lightweight Directory Access
Protocol (LDAP) user group for a specific domain. Specifying EIM <em>access
control</em> for a user adds that user to a specific LDAP user group for a
particular domain. Each LDAP group has authority to perform specific EIM administrative
tasks for that domain. The administrative tasks, including lookup operations,
that an EIM user can perform are determined by the access control group to
which the EIM user belongs.</p>
<div class="note"><span class="notetitle">Note:</span> To configure EIM, you need to prove that you are trusted within the
context of the network, not by one specific system. Authorization to configure
EIM is not based on your i5/OS™ user profile authority, but rather on your EIM
access control authority. EIM is a network resource, not a resource for any
one particular system; consequently, EIM does not recognize i5/OS-specific
special authorities such as *ALLOBJ and *SECADM for configuration. Once EIM
is configured, however, authorization to perform tasks can be based on a number
of different user types, including i5/OS user profiles. For example, the IBM<sup>®</sup> Directory
Server for iSeries™ (LDAP) treats i5/OS profiles with *ALLOBJ and *IOSYSCFG
special authority as directory administrators.</div>
<p>Only users with EIM administrator access control can add other users to
an EIM access control group or change other users' access control settings.
Before a user can become a member of an EIM access control group, that user
must have an entry in the directory server that acts as the EIM domain controller.
Also, only specific types of users can be made a member of an EIM access
control group. The user identity can be in the form of a Kerberos principal,
an LDAP distinguished name, or an i5/OS user profile, as long as the user
identity is defined to the directory server.</p>
<p><strong>Note:</strong> To have the Kerberos principal user type available in EIM,
network authentication service must be configured on the system. To have
the i5/OS user profile type available in EIM, you must configure a system
object suffix on the directory server. This allows the directory server to
reference i5/OS system objects, such as i5/OS user profiles.</p>
<p>The following are brief descriptions of the functions that each EIM authority
group can perform:</p>
<div class="section"><h4 class="sectiontitle">Lightweight Directory Access Protocol (LDAP) administrator</h4><p>The
LDAP administrator is a special distinguished name (DN) in the directory that
is an administrator for the entire directory. Thus, the LDAP administrator
has access to all EIM administrative functions, as well as access to the entire
directory. A user with this access control can perform the following functions: </p>
<ul><li>Create a domain.</li>
<li>Delete a domain.</li>
<li>Create and remove EIM identifiers.</li>
<li>Create and remove EIM registry definitions.</li>
<li>Create and remove source, target, and administrative associations.</li>
<li>Create and remove policy associations.</li>
<li>Create and remove certificate filters.</li>
<li>Enable and disable the use of policy associations for a domain.</li>
<li>Enable and disable mapping lookups for a registry.</li>
<li>Enable and disable the use of policy associations for a registry.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
<li>Add, remove, and list EIM access control information.</li>
<li>Change and remove credential information for a registry user.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">EIM administrator</h4><p>Membership in this access control
group allows the user to manage all of the EIM data within this EIM domain.
A user with this access control can perform the following functions: </p>
<ul><li>Delete a domain.</li>
<li>Create and remove EIM identifiers.</li>
<li>Create and remove EIM registry definitions.</li>
<li>Create and remove source, target, and administrative associations.</li>
<li>Create and remove policy associations.</li>
<li>Create and remove certificate filters.</li>
<li>Enable and disable the use of policy associations for a domain.</li>
<li>Enable and disable mapping lookups for a registry.</li>
<li>Enable and disable the use of policy associations for a registry.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
<li>Add, remove, and list EIM access control information.</li>
<li>Change and remove credential information for a registry user.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Identifier administrator</h4><p>Membership in this access
control group allows the user to add and change EIM identifiers and manage
source and administrative associations. A user with this access control can
perform the following functions: </p>
<ul><li>Create EIM identifiers.</li>
<li>Add and remove source associations.</li>
<li>Add and remove administrative associations.</li>
<li>Perform EIM lookup operations. </li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">EIM mapping operations</h4><p>Membership in this access
control group allows the user to conduct EIM mapping lookup operations. A
user with this access control can perform the following functions: </p>
<ul><li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Registry administrator</h4><p>Membership in this access
control group allows the user to manage all EIM registry definitions. A user
with this access control can perform the following functions: </p>
<ul><li>Add and remove target associations.</li>
<li>Create and remove policy associations.</li>
<li>Create and remove certificate filters.</li>
<li>Enable and disable mapping lookups for a registry.</li>
<li>Enable and disable the use of policy associations for a registry.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve identifier associations, policy associations, certificate filters,
EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Administrator for selected registries</h4><p>Membership
in this access control group allows the user to manage EIM information only
for a specified user registry definition (such as <samp class="codeph">Registry_X</samp>).
Membership in this access control group also allows the user to add and remove
target associations only for a specified user registry definition. To take
full advantage of mapping lookup operations and policy associations, a user
with this access control should also have <strong>EIM mapping operations</strong> access
control. This access control allows a user to perform the following functions
for specific authorized registry definitions:</p>
<ul><li>Create, remove, and list target associations for the specified EIM registry
definitions only.</li>
<li>Add and remove default domain policy associations.</li>
<li>Add and remove policy associations for the specified registry definitions
only.</li>
<li>Add certificate filters for the specified registry definitions only.</li>
<li>Enable and disable mapping lookups for the specified registry definitions
only.</li>
<li>Enable and disable the use of policy associations for the specified registry
definitions only.</li>
<li>Retrieve EIM identifiers.</li>
<li>Retrieve identifier associations and certificate filters for the specified
registry definitions only.</li>
<li>Retrieve EIM registry definition information for the specified registry
definitions only.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> If the specified registry definition is a group registry
definition, a user with Administrator for selected registries access control
has administrator access to the group only, not to the members of the group.</div>
<p>A user with both <strong>Administrator for selected registries</strong> access control
and <strong>EIM mapping lookup operations</strong> access control gains the ability
to perform the following functions: </p>
<ul><li>Add and remove policy associations only for the specified registries.</li>
<li>Perform EIM lookup operations.</li>
<li>Retrieve all identifier associations, policy associations, certificate
filters, EIM identifiers, and EIM registry definitions.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Credential lookup</h4><p>This access control
group allows the user to retrieve credential information, such as passwords. </p>
<p>If
a user with this access control wants to perform an additional EIM operation,
the user needs to be a member of the access control group that provides authority
for the desired EIM operation. For example, if a user with this access control
wants to retrieve the target association from a source association, the user
needs to be a member of one of the following access control groups: </p>
<ul><li>EIM administrator </li>
<li>Identifier administrator </li>
<li>EIM mapping lookup operations </li>
<li>Registry administrator </li>
</ul>
</div>
</div>
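<p>The group descriptions above amount to an authorization policy. The following is an added example (not IBM code, and not part of the original topic) that encodes that policy in Python: each group grants a set of operations, "Administrator for selected registries" grants most of its operations only for the registry definitions the user is authorized for, and "Credential lookup" on its own grants no mapping lookups. The operation labels (<samp class="codeph">manage_target_assoc</samp>, <samp class="codeph">toggle_lookups</samp>, and so on) are constructed here to summarise the bullet lists; <samp class="codeph">surplus_ops</samp> is a least-privilege check that reports the domain-wide authority a membership grants beyond what a user actually needs.</p>

```python
"""Policy model of the EIM access control groups described on this page.
Added example (not IBM code): encodes which operations each group grants and the
registry scoping of "Administrator for selected registries", so a reviewer can
compute a user's effective authority and flag surplus authority. Operation
labels are constructed here and summarise the page's bullet lists."""
from dataclasses import dataclass, field

LOOKUP = {"lookup", "retrieve"}  # mapping lookups plus read access to EIM data
# group -> (domain-wide operations, operations limited to the user's authorized registries)
GROUPS = {
    "eim_admin": ({"delete_domain", "manage_identifiers", "manage_registry_defs",
                   "manage_associations", "manage_policy", "manage_cert_filters",
                   "toggle_lookups", "toggle_policy", "manage_access_control",
                   "manage_credentials"} | LOOKUP, set()),
    "identifier_admin": ({"create_identifiers", "manage_source_assoc",
                          "manage_admin_assoc"} | LOOKUP, set()),
    "mapping_operations": (LOOKUP, set()),
    "registry_admin": ({"manage_target_assoc", "manage_policy", "manage_cert_filters",
                        "toggle_lookups", "toggle_policy"} | LOOKUP, set()),
    "selected_registry_admin": ({"manage_default_policy", "retrieve_identifiers"},
                                {"manage_target_assoc", "manage_policy", "add_cert_filters",
                                 "toggle_lookups", "toggle_policy", "retrieve"}),
    "credential_lookup": ({"retrieve_credentials"}, set()),  # alone, cannot do lookups
}
# The LDAP administrator DN administers the whole directory: every operation, plus create_domain.
GROUPS["ldap_admin"] = (set().union(*(d | s for d, s in GROUPS.values())) | {"create_domain"}, set())


@dataclass
class EimUser:
    groups: set
    selected_registries: set = field(default_factory=set)  # used by selected_registry_admin


def is_allowed(user, op, registry=None):
    """True if some membership authorizes op, on the given registry where scoping applies."""
    for g in user.groups:
        domain_wide, scoped = GROUPS[g]
        if op in domain_wide:
            return True
        if op in scoped and registry is not None and registry in user.selected_registries:
            return True
    return False


def surplus_ops(user, needed):
    """Least-privilege check: domain-wide operations granted beyond the set the user needs."""
    granted = set().union(*(GROUPS[g][0] for g in user.groups)) if user.groups else set()
    return granted - set(needed)
```

<p>Run against a user who only needs mapping lookups, <samp class="codeph">surplus_ops</samp> returns an empty set for a member of EIM mapping operations and a long list (including access control administration) for a member of EIM administrator.</p>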
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzalv_access_by_api.htm">EIM access control group: API authority</a></strong><br />
This information displays tables that are organized by the Enterprise Identity Mapping (EIM) operation that the API performs.</li>
<li class="ulchildlink"><strong><a href="rzalv_access_by_task.htm">EIM access control group: EIM task authority</a></strong><br />
This information displays a table that explains the relationships between the different Enterprise Identity Mapping (EIM) access control groups and the EIM tasks that they can perform.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalveservercncpts.htm" title="Use this information learn about important EIM concepts that you need to understand to implement EIM successfully.">Enterprise Identity Mapping concepts</a></div>
</div>
</div>
</body>
</html>