Adding lookup information to a target user identity

Lookup information is optional unique identifying data for the target user identity defined in an association. This association can be either an identifier target association or a policy association.

Lookup information is necessary only when a mapping lookup operation can return more than one target user identity. This situation can create problems for Enterprise Identity Mapping (EIM) enabled applications, including IBM® i applications and products, that are not designed to handle these ambiguous results.

When necessary, you can add unique lookup information for each target user identity to provide more detailed identifying information to further describe each target user identity. If you define lookup information for a target user identity, this lookup information must be provided to the mapping lookup operation to ensure that the operation can return a unique target user identity. Otherwise, applications that rely on EIM may not be able to determine the exact target identity to use.

Note: If you do not want EIM lookup operations to be able to return more than one target user identity, then you should correct your EIM associations configuration instead of using lookup information to resolve the situation. Review Troubleshooting EIM mapping problems for more detailed information.

How you add lookup information to further define a target user identity varies based on whether the target user identity is defined in an identifier association or a policy association. Regardless of the method that you use to add the lookup information, the information that you specify is tied to the target user identity, not the identifier associations or policy associations in which that user identity is found.
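The ambiguity described above, as an added example that is not IBM code and does not call the EIM API: a simplified Python model of a mapping lookup, plus a check that flags identifier and registry pairs with more than one target. All names and data are constructed, and the model assumes that a lookup without lookup information returns every matching target while a lookup with it returns only targets carrying that value.

```python
# Simplified model of an EIM mapping lookup (illustration only, not the EIM API).
# Identifiers, registry names and user identities below are constructed.
from collections import defaultdict
from typing import NamedTuple

class TargetAssociation(NamedTuple):
    identifier: str         # EIM identifier
    registry: str           # target registry definition
    user: str               # target user identity
    lookup_info: frozenset  # lookup information tied to the target user identity

ASSOCIATIONS = [
    TargetAssociation("Alex Example", "SYSTEM_A", "AEXAMPLE", frozenset({"payroll"})),
    TargetAssociation("Alex Example", "SYSTEM_A", "ALEXADM", frozenset({"admin"})),
    TargetAssociation("Alex Example", "SYSTEM_B", "ALEXB", frozenset()),
    TargetAssociation("Sam Sample", "SYSTEM_A", "SSAMPLE1", frozenset()),
    TargetAssociation("Sam Sample", "SYSTEM_A", "SSAMPLE2", frozenset()),
]

def lookup(assocs, identifier, registry, info=None):
    """Return matching target user identities; filter by lookup information if given."""
    hits = [a for a in assocs if a.identifier == identifier and a.registry == registry]
    if info is not None:
        hits = [a for a in hits if info in a.lookup_info]
    return sorted(a.user for a in hits)

def audit(assocs):
    """Classify each (identifier, registry) pair that maps to more than one target."""
    groups = defaultdict(list)
    for a in assocs:
        groups[(a.identifier, a.registry)].append(a)
    report = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue  # a single target is never ambiguous
        # Resolvable only if every target has a lookup value no other target shares.
        resolvable = all(
            a.lookup_info - frozenset().union(*(b.lookup_info for b in members if b is not a))
            for a in members
        )
        report[key] = "resolvable with lookup information" if resolvable else "ambiguous"
    return report

if __name__ == "__main__":
    print(lookup(ASSOCIATIONS, "Alex Example", "SYSTEM_A"))
    print(lookup(ASSOCIATIONS, "Alex Example", "SYSTEM_A", info="admin"))
    print(audit(ASSOCIATIONS))
```

Pairs reported as ambiguous are the ones to fix in the association configuration itself, as the note above recommends.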

Add lookup information to a target user identity in an identifier association

To add lookup information to the target user identity in an identifier association, you must be connected to the EIM domain in which you want to work and you must have EIM access control at one of these levels:

  • Registry administrator.
  • Administrator for selected registries (for the registry definition that refers to the user registry that contains the target user identity).
  • EIM administrator.

To add lookup information to the target user identity in an identifier association, complete these steps:

  1. From IBM Navigator for i, expand Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click the EIM domain in which you want to work and select Open.
  4. Right-click Identifiers and select Open to display the list of EIM identifiers for the domain.
  5. Right-click an EIM identifier and select Properties.
  6. Select the Associations page, select the target association to which you want to add lookup information, and click Details. Click ? for help, if necessary, to determine what information to specify for each field.
  7. In the Association - Details dialog, specify the Lookup information that you want to use to further identify the target user identity in this association and click Add.
  8. Repeat the previous step for each lookup information entry that you want to add to the association.
  9. Click OK to save your changes and to return to the Association - Details dialog.
  10. Click OK to exit.

Add lookup information to a target user identity in a policy association

To add lookup information to the target user identity in a policy association, you must be connected to the EIM domain in which you want to work and you must have EIM access control at one of these levels:

  • Registry administrator.
  • Administrator for selected registries (for the registry definition that refers to the user registry that contains the target user identity).
  • EIM administrator.

To add lookup information to the target user identity in a policy association, complete these steps:

  1. From IBM Navigator for i, expand Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click the EIM domain in which you want to work and select Mapping Policy.
  4. In the Mapping Policy dialog, use the pages to view policy associations for the domain.
  5. Find and select the policy association for the target registry that contains the target user identity for which you want to add lookup information.
  6. Click Details to display the appropriate Policy Association - Details dialog for the type of policy association that you selected. Click ? for help, if necessary, to determine what information to specify for each field.
  7. Specify the Lookup information that you want to use to further identify the target user identity in this policy association and click Add. Repeat this step for each lookup information entry that you want to add to the association.
  8. Click OK to save your changes and to return to the original Policy Association - Details dialog.
  9. Click OK to exit.