Default domain policy associations

A default domain policy association is one type of policy association that you can use to create many-to-one mappings between user identities.

You can use a default domain policy association to map a source set of multiple user identities (in this case, all users in the domain) to a single target user identity in a specified target user registry. In a default domain policy association, all users in the domain are the source of the policy association and are mapped to a single target registry and target user identity.

To use a default domain policy association, you must enable mapping lookups using policy associations for the domain. You must also enable mapping lookups for the target user registry of the policy association. Only when both are enabled can the user registries in the policy association participate in mapping lookup operations.

The default domain policy association takes effect when a mapping lookup operation is not satisfied by identifier associations, certificate filter policy associations, or default registry policy associations for the target registry. The result is that all user identities in the domain are mapped to the single target user identity as specified by the default domain policy association.

For example, you create a default domain policy association with a target user identity of John_Day in target registry Registry_xyz and you have not created any identifier associations or other policy associations that map to this user identity. Therefore, when Registry_xyz is specified as the target registry in lookup operations, the default domain policy ensures that the target user identity of John_Day is returned for all user identities in the domain that do not have any other associations defined for them.

You specify these two things to define a default domain policy association:

  • Target registry. The target registry that you specify is the name of an Enterprise Identity Mapping (EIM) registry definition that contains the user identity to which all user identities in the domain are to be mapped.
  • Target user. The target user is the name of the user identity that is returned as the target of an EIM mapping lookup operation based on this policy association.

You can define a default domain policy association for each registry in the domain. If two or more domain policy associations refer to the same target registry, you must define unique lookup information for each of these policy associations to ensure that mapping lookup operations can distinguish among them. Otherwise, mapping lookup operations may return multiple target user identities. As a result of these ambiguous results, applications that rely on EIM may not be able to determine the exact target user identity to use.
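The lookup precedence and the ambiguity case described above, as an added in-memory model that is not IBM's EIM API or any code from this documentation. It assumes a constructed domain with made-up registries (System_A, System_B) and users (alice, Alice_Smith, SysB_Svc, Guest) alongside the page's Registry_xyz, Group_1 and John_Day; certificate filter policy associations are left out of the model.

```python
from dataclasses import dataclass, field

@dataclass
class EimDomain:
    """Constructed in-memory model of an EIM domain, not the EIM API."""
    # (source_registry, source_user) -> {target_registry: target_user}
    identifier_assocs: dict = field(default_factory=dict)
    # (source_registry, target_registry) -> target_user
    default_registry_policies: dict = field(default_factory=dict)
    # target_registry -> [(target_user, lookup_info)]
    default_domain_policies: dict = field(default_factory=dict)
    policy_lookups_enabled: bool = False  # domain-level enablement
    policy_enabled_registries: set = field(default_factory=set)  # per-registry enablement

def lookup(d, src_registry, src_user, tgt_registry, lookup_info=None):
    """Return candidate target users in the order EIM consults its sources.
    Empty list: no mapping. More than one entry: an ambiguous lookup."""
    # 1. An identifier association for this target registry always wins.
    user = d.identifier_assocs.get((src_registry, src_user), {}).get(tgt_registry)
    if user:
        return [user]
    # 2. Policy associations participate only when enabled for the domain
    #    and for the target registry.
    if not d.policy_lookups_enabled or tgt_registry not in d.policy_enabled_registries:
        return []
    # 3. Default registry policy: every user of one source registry -> one target user.
    user = d.default_registry_policies.get((src_registry, tgt_registry))
    if user:
        return [user]
    # 4. Default domain policy: every user in the domain -> one target user.
    #    With several policies on one target registry, only the caller's lookup
    #    information can narrow the result to a single identity.
    entries = d.default_domain_policies.get(tgt_registry, [])
    if lookup_info is not None:
        entries = [e for e in entries if e[1] == lookup_info]
    return [user for user, _ in entries]

def build_sample_domain():
    """Constructed sample mirroring the page's Registry_xyz and Group_1 examples."""
    d = EimDomain(policy_lookups_enabled=True,
                  policy_enabled_registries={"Registry_xyz", "Group_1"})
    d.default_domain_policies["Registry_xyz"] = [("John_Day", None)]
    # alice has her own identifier association, which takes precedence.
    d.identifier_assocs[("System_A", "alice")] = {"Registry_xyz": "Alice_Smith"}
    # All of System_B maps to one service account before the domain policy is tried.
    d.default_registry_policies[("System_B", "Registry_xyz")] = "SysB_Svc"
    # Two domain policies on one target registry, distinguished only by lookup info.
    d.default_domain_policies["Group_1"] = [("John_Day", "admin"), ("Guest", "visitor")]
    return d
```

A lookup against Group_1 without lookup information returns both candidates, which is the ambiguous result the text warns about; supplying the lookup information narrows it to one.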

Because you can use policy associations in a variety of overlapping ways, you should have a thorough understanding of EIM mapping policy support and how lookup operations work before you create and use policy associations.

Note: You might want to create a default domain policy association with a target user identity that exists within a group registry definition. All users in the domain are the source of the policy association and are mapped to a target user identity in a target group registry definition. The user identity that you define in the default domain policy association exists within the members of the group registry definition.

For example, John Day uses the same IBM® i user profile, John_Day, on five different systems: System B, System C, System D, System E, and System F. To reduce the amount of work that he must perform to configure EIM mapping, the EIM administrator creates a group registry definition called Group_1. Members of the group registry definition include the registry definition names of System_B, System_C, System_D, System_E, and System_F. Grouping members together enables the administrator to create a single target association to the group registry definition and user identity, rather than multiple associations to the individual registry definitions.

The EIM administrator creates a default domain policy association with a target user identity of John_Day in target registry Group_1. In this case, no other specific identifier associations or policy associations apply. Therefore, when Group_1 is specified as the target registry in lookup operations, the default domain policy ensures that the target user identity of John_Day is returned for all user identities in the domain that do not have any specific identifier associations defined for them.