<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="EIM lookup operations" />
<meta name="abstract" content="This information explains the process for Enterprise Identity Mapping (EIM) mapping and view examples." />
<meta name="description" content="This information explains the process for Enterprise Identity Mapping (EIM) mapping and view examples." />
<meta name="DC.Relation" scheme="URI" content="rzalveserverdomain.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample1.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample3.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvlookupoperationexamplesexample4.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalvambiguousgroupregistry.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalv_policy_associations.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalveservereimmaplookup" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>EIM lookup operations</title>
</head>
<body id="rzalveservereimmaplookup"><a name="rzalveservereimmaplookup"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">EIM lookup operations</h1>
<div><p>This information explains how Enterprise Identity Mapping (EIM) lookup
operations work and points to examples that you can view.</p>
<p>An application or an operating system uses an EIM API to perform a <em>lookup
operation</em> so that the application or operating system can map from one
user identity in one registry to another user identity in another registry.
An EIM lookup operation is a process through which an application or operating
system finds an unknown associated user identity in a specific target registry
by supplying some known and trusted information. Applications that use EIM
APIs can perform these EIM lookup operations on information only if that information
is stored in the EIM domain. An application can perform one of two types of
EIM lookup operations based on the type of information the application supplies
as the source of the EIM lookup operation: a user identity or an EIM identifier.</p>
<div class="p">When applications or operating systems use the <samp class="codeph">eimGetTargetFromSource()</samp> API
to obtain a target user identity for a given target registry, they must supply
a <em>user identity as the source</em> of the lookup operation. To be used as
the source in an EIM lookup operation, a user identity must either have an
identifier source association defined for it or be covered by a policy association.
When an application or operating system uses this API, the application or
operating system must supply three pieces of information:<ul><li>A user identity as the source, or starting point of the operation. </li>
<li>The EIM registry definition name for the source user identity. </li>
<li>The EIM registry definition name that is the target of the EIM lookup
operation. This registry definition describes the user registry that contains
the user identity that the application is seeking.</li>
</ul>
</div>
<div class="p">When applications or operating systems use the <samp class="codeph">eimGetTargetFromIdentifier()</samp> API
to obtain a user identity for a given target registry, they must supply an <em>EIM
identifier as the source</em> of the EIM lookup operation. When an application
uses this API, the application must supply two pieces of information:<ul><li>An EIM identifier as the source, or starting point of the operation. </li>
<li>The EIM registry definition name that is the target of the EIM lookup
operation. This registry definition describes the user registry that contains
the user identity that the application is seeking.</li>
</ul>
</div>
<p>For a user identity to be returned as the target of either type of EIM
lookup operation, the user identity must have a target association defined
for it. This target association can be in the form of an identifier association
or a policy association.</p>
<div class="p">The supplied information is passed to EIM and the EIM lookup operation
searches for and returns any target user identities, by searching EIM data
in the following order, as Figure 10 illustrates:<ol><li>Identifier target association for an EIM identifier. <span class="br">The
EIM identifier is identified in one of two ways: It is supplied by the <samp class="codeph">eimGetTargetFromIdentifier()</samp> API.
Or, the EIM identifier is determined from information supplied by the <samp class="codeph">eimGetTargetFromSource()</samp> API. </span></li>
<li>Certificate filter policy association. </li>
<li>Default registry policy association. </li>
<li>Default domain policy association.</li>
</ol>
</div>
<p><strong>Figure 10:</strong> EIM lookup operation general processing flow chart</p>
<p><br /><img src="rzalv515.gif" alt="Process flow chart for a mapping lookup operation " /><br /></p>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />In the following flow, the lookup operation first checks the
individual registry definition, such as the specified source registry or target
registry. If the lookup operation fails to find a mapping using the individual
registry definition, it determines whether the individual registry definition
is a member of a group registry definition. If it is a member of a group registry
definition, the lookup operation checks the group registry definition to satisfy
the mapping lookup request.<img src="./deltaend.gif" alt="End of change" /></div>
<div class="p">The lookup operation search flows in this manner:<ol><li>The lookup operation checks whether mapping lookups are enabled. <span class="br">The
lookup operation determines whether mapping lookups are enabled for the specified
source registry, the specified target registry, or both specified registries.
If mapping lookups are not enabled for one or both of the registries, then
the lookup operation ends without returning a target user identity.</span></li>
<li>The lookup operation checks whether there are identifier associations
that match the lookup criteria.<span class="br">If an EIM identifier was
provided, the lookup operation uses the specified EIM identifier name. Otherwise,
the lookup operation checks whether there is a specific identifier source
association that matches the supplied source user identity and source registry.
If there is one, the lookup operation uses it to determine the appropriate
EIM identifier name. The lookup operation then uses the EIM identifier name
to search for an identifier target association for the EIM identifier that
matches the specified target EIM registry definition name. If there is an
identifier target association that matches, the lookup operation returns the
target user identity defined in the target association.</span></li>
<li>The lookup operation checks whether the use of policy associations is
enabled. <span class="br">The lookup operation checks whether the domain
is enabled to allow mapping lookups using policy associations. The lookup
operation also checks whether the target registry is enabled to use policy
associations. If the domain is not enabled for policy associations or the
registry is not enabled for policy associations, then the lookup operation
ends without returning a target user identity.</span></li>
<li>The lookup operation checks for certificate filter policy associations. <span class="br">The lookup operation checks whether the source registry is
an X.509 registry type. If it is an X.509 registry type, the lookup operation
checks whether there is a certificate filter policy association that matches
the source and target registry definition names. The lookup operation checks
whether there are certificates in the source X.509 registry that satisfy the
criteria specified in the certificate filter policy association. If there
is a matching policy association and there are certificates that satisfy the
certificate filter criteria, the lookup operation returns the appropriate
target user identity for that policy association.</span></li>
<li>The lookup operation checks for default registry policy associations.<span class="br">The lookup operation checks whether there is a default registry
policy association that matches the source and target registry definition
names. If there is a matching policy association, the lookup operation returns
the appropriate target user identity for that policy association.</span></li>
<li>The lookup operation checks for default domain policy associations.<span class="br">The lookup operation checks whether there is a default domain
policy association defined for the target registry definition. If there is
a matching policy association, the lookup operation returns the associated
target user identity for that policy association.</span></li>
<li>The lookup operation is unable to return any results.</li>
</ol>
</div>
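<p>The search flow above, modelled as an added example (not IBM code and not the EIM API itself) so that the precedence of specific identifier associations over broad policy associations can be checked against sample data. The registry names, users, dictionary layout and the <samp class="codeph">lookup()</samp> helper are constructed for illustration, a certificate filter is simplified to a substring of the subject DN, and the group registry fallback described in the note is omitted.</p>

```python
# Simplified model of the EIM lookup search order described above.
# All registry names, users and associations are constructed sample data.
DOMAIN = {
    "policy_enabled": True,
    "registries": {
        "KRB_REALM": {"lookups": True, "policy": True, "x509": False},
        "CERTS": {"lookups": True, "policy": True, "x509": True},
        "SYSTEM_A": {"lookups": True, "policy": True, "x509": False},
        "SYSTEM_B": {"lookups": False, "policy": True, "x509": False},
    },
    "source_assoc": {("KRB_REALM", "jsmith"): "John Smith"},
    "target_assoc": {("John Smith", "SYSTEM_A"): "JOHNS"},
    # Assumption: a filter is modelled as a substring of the subject DN.
    "cert_filter": {("CERTS", "SYSTEM_A"): ("OU=Sales", "SALESUSR")},
    "default_registry": {("KRB_REALM", "SYSTEM_A"): "KRBGUEST"},
    "default_domain": {"SYSTEM_A": "ANONYMOUS"},
}


def lookup(dom, target, source=None, user=None, identifier=None):
    """Return (target_user, step_that_matched); target_user is None on no match."""
    regs = dom["registries"]
    # Step 1: mapping lookups must be enabled for every registry involved.
    for name in (source, target):
        if name is not None and not regs[name]["lookups"]:
            return None, "lookups disabled"
    # Step 2: identifier associations (source user to EIM identifier to target).
    if identifier is None:
        identifier = dom["source_assoc"].get((source, user))
    hit = dom["target_assoc"].get((identifier, target))
    if hit:
        return hit, "identifier association"
    # Step 3: policy associations need both the domain and target switches.
    if not (dom["policy_enabled"] and regs[target]["policy"]):
        return None, "policy associations disabled"
    # Step 4: certificate filter policy, only for X.509 source registries.
    if source is not None and regs[source]["x509"]:
        dn_part, mapped = dom["cert_filter"].get((source, target), ("", None))
        if mapped and dn_part in (user or ""):
            return mapped, "certificate filter policy"
    # Step 5: default registry policy for this source/target pair.
    hit = dom["default_registry"].get((source, target))
    if hit:
        return hit, "default registry policy"
    # Step 6: default domain policy for the target registry.
    hit = dom["default_domain"].get(target)
    if hit:
        return hit, "default domain policy"
    return None, "no mapping found"  # Step 7
```

<p>In this model, any source user without an identifier association falls through to a policy association, so a default domain policy hands the same target identity to every otherwise unmapped user unless policy associations are disabled for the domain or the target registry.</p>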
<p>To learn more about Enterprise Identity Mapping lookup operations, view
the following examples:</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample1.htm">Lookup operation examples: Example 1</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity from specific identifier associations based on the known user identity.</li>
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample2.htm">Lookup operation examples: Example 2</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity from specific identifier associations based on the known Kerberos principal.</li>
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample3.htm">Lookup operation examples: Example 3</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity from a default registry policy association.</li>
<li class="ulchildlink"><strong><a href="rzalvlookupoperationexamplesexample4.htm">Lookup operation examples: Example 4</a></strong><br />
Use this example to learn how the search flow works for a lookup operation that returns a target user identity in a user registry that is a member of a group registry definition.</li>
<li class="ulchildlink"><strong><a href="rzalvambiguousgroupregistry.htm">Lookup operation examples: Example 5</a></strong><br />
Use this example to learn about lookup operations returning ambiguous results that involve group registry definitions.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalveservercncpts.htm" title="Use this information to learn about important EIM concepts that you need to understand to implement EIM successfully.">Enterprise Identity Mapping concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzalveserverdomain.htm" title="This information explains how to use a domain to store all your identifiers.">EIM domain</a></div>
<div><a href="rzalv_policy_associations.htm" title="Use this information to learn about how to use policy associations to describe a relationship between multiple user identities and a single user identity in a user registry.">Policy associations</a></div>
</div>
</div>
</body>
</html>