Developing an identity mapping plan

A critical part of the initial Enterprise Identity Mapping (EIM) implementation planning process requires that you determine how you want to use identity mapping in your enterprise.

There are two methods that you can use to map identities in EIM:

  • Identifier associations describe relationships between an EIM identifier and the user identities in user registries that represent that person. An identifier association creates a direct one-to-one mapping between an EIM identifier and a specific user identity. You can use identifier associations to indirectly define a relationship between user identities through the EIM identifier.

    If your security policy requires a high degree of detailed accountability, you may need to use identifier associations almost exclusively for your identity mapping implementation. Because identifier associations create one-to-one mappings for the user identities that each user owns, you can always determine exactly which person performed an action on an object or on the system.

  • Policy associations describe a relationship between multiple user identities and a single user identity in a user registry. Policy associations use EIM mapping policy support to create many-to-one mappings between user identities without involving an EIM identifier.

    Policy associations can be useful when you have one or more large groups of users who need access to systems or applications in your enterprise, but you do not want them to have specific user identities for gaining this access. For example, you maintain a Web application that accesses a specific internal application. You may not want to set up hundreds or thousands of user identities to authenticate users to this internal application. In this situation, you may want to configure identity mapping such that all the users of this Web application are mapped to a single user identity that has the minimum level of authorization required to run the application. You can do this type of identity mapping by using policy associations.

You may decide to use identifier associations exclusively, to provide the best control over the user identities in your enterprise while still gaining the benefits of streamlined password management. Or, you may decide to use a mixture of policy associations and identifier associations to streamline single sign-on where appropriate, while you maintain specific control over the user identities of administrators. Regardless of which type of identity mapping you decide best meets your business needs and properly fits your security policy, you need to create an identity mapping plan to ensure that you implement identity mapping appropriately.
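The following is an added example, not part of this documentation and not the EIM API itself: a small Python model of the two mapping methods described above. It shows how an identifier association resolves one person's source identity to exactly one target identity, how a policy association resolves every identity in a source registry to one shared target identity, and why only the first of these lets an auditor answer "which person performed this action". The registry names, user names and the rule that an identifier association is preferred over a policy association are assumptions of this model, not statements from this page.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserIdentity:
    """A user identity in a named user registry (registry names are constructed)."""
    registry: str
    name: str


@dataclass
class EimDomain:
    """Minimal model of an EIM domain holding both association types."""
    # Identifier associations: one-to-one links between an EIM identifier
    # (a person) and the user identities that person owns.
    source_assoc: dict[UserIdentity, str] = field(default_factory=dict)
    target_assoc: dict[str, dict[str, UserIdentity]] = field(default_factory=dict)
    # Policy associations: every identity in a source registry maps to one
    # target identity in a target registry (many-to-one, no EIM identifier).
    policy_assoc: dict[tuple[str, str], UserIdentity] = field(default_factory=dict)

    def add_source_association(self, identifier: str, identity: UserIdentity) -> None:
        self.source_assoc[identity] = identifier

    def add_target_association(self, identifier: str, identity: UserIdentity) -> None:
        self.target_assoc.setdefault(identifier, {})[identity.registry] = identity

    def add_default_registry_policy(self, source_registry: str, target: UserIdentity) -> None:
        self.policy_assoc[(source_registry, target.registry)] = target

    def lookup(self, source: UserIdentity, target_registry: str) -> tuple[UserIdentity | None, str]:
        """Map a source identity to an identity in the target registry.

        Returns (target identity or None, method) where method is "identifier",
        "policy" or "none". Assumption of this model: a matching identifier
        association is used before any policy association is considered.
        """
        identifier = self.source_assoc.get(source)
        if identifier is not None:
            target = self.target_assoc.get(identifier, {}).get(target_registry)
            if target is not None:
                return target, "identifier"
        target = self.policy_assoc.get((source.registry, target_registry))
        if target is not None:
            return target, "policy"
        return None, "none"

    def accountable_person(self, target: UserIdentity) -> str | None:
        """Reverse lookup for audit: which person owns this target identity?

        Only an identifier association answers this unambiguously. An identity
        that is the target of a policy association is shared by many users, so
        no single person can be named for actions taken under it.
        """
        if target in self.policy_assoc.values():
            return None
        owners = [ident for ident, by_registry in self.target_assoc.items()
                  if by_registry.get(target.registry) == target]
        return owners[0] if len(owners) == 1 else None


def build_sample_domain() -> EimDomain:
    """Constructed sample: one administrator covered by identifier associations
    and a Web-application user population covered by one policy association."""
    domain = EimDomain()
    domain.add_source_association("John Day", UserIdentity("CORP_AD", "jday"))
    domain.add_target_association("John Day", UserIdentity("SYSTEM_A", "JOHND"))
    domain.add_default_registry_policy("WEBAPP_USERS", UserIdentity("SYSTEM_A", "WEBRUN"))
    return domain


if __name__ == "__main__":
    domain = build_sample_domain()
    for src in (UserIdentity("CORP_AD", "jday"),
                UserIdentity("WEBAPP_USERS", "alice"),
                UserIdentity("CORP_AD", "nobody")):
        print(src, "->", domain.lookup(src, "SYSTEM_A"))
    print("owner of JOHND:", domain.accountable_person(UserIdentity("SYSTEM_A", "JOHND")))
    print("owner of WEBRUN:", domain.accountable_person(UserIdentity("SYSTEM_A", "WEBRUN")))
```

The `accountable_person` check is the point of the accountability trade-off in the text: when planning, list each target identity that a policy association will map to, and confirm that your security policy accepts that audit records for that identity cannot be tied to one person without additional application-level logging.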

To create an identity mapping plan, you need to do the following: