EIM access control

An Enterprise Identity Mapping (EIM) user is a user who possesses EIM access control based on their membership in a predefined Lightweight Directory Access Protocol (LDAP) user group for a specific domain.

Specifying EIM access control for a user adds that user to a specific LDAP user group for a particular domain. Each LDAP group has authority to perform specific EIM administrative tasks for that domain. The administrative tasks, including lookup operations, that an EIM user can perform are determined by the access control group to which that user belongs.

Note: To configure EIM, you need to prove that you are trusted within the context of the network, not by one specific system. Authorization to configure EIM is not based on your IBM® i user profile authority, but rather on your EIM access control authority. EIM is a network resource, not a resource for any one particular system; consequently, EIM doesn't recognize IBM i-specific special authorities such as *ALLOBJ and *SECADM for configuration. Once EIM is configured, however, authorization to perform tasks can be based on a number of different user types, including IBM i user profiles. For example, the IBM Tivoli® Directory Server for IBM i treats IBM i profiles with *ALLOBJ and *IOSYSCFG special authority as directory administrators.

Only users with EIM administrator access control can add other users to an EIM access control group or change other users' access control settings. Before a user can become a member of an EIM access control group, that user must have an entry in the directory server that acts as the EIM domain controller. Also, only specific types of users can be made a member of an EIM access control group. The user identity can be in the form of a Kerberos principal, an LDAP distinguished name, or an IBM i user profile, so long as the user identity is defined to the directory server.

Note: To have the Kerberos principal user type available in EIM, network authentication service must be configured on the system. To have the IBM i user profile type available in EIM, you must configure a system object suffix on the directory server. This allows the directory server to reference IBM i system objects, such as IBM i user profiles.

The following are brief descriptions of the functions that each EIM authority group can perform:

Lightweight Directory Access Protocol (LDAP) administrator

The LDAP administrator is a special distinguished name (DN) in the directory that is an administrator for the entire directory. Thus, the LDAP administrator has access to all EIM administrative functions, as well as access to the entire directory. A user with this access control can perform the following functions:

  • Create a domain.
  • Delete a domain.
  • Create and remove EIM identifiers.
  • Create and remove EIM registry definitions.
  • Create and remove source, target, and administrative associations.
  • Create and remove policy associations.
  • Create and remove certificate filters.
  • Enable and disable the use of policy associations for a domain.
  • Enable and disable mapping lookups for a registry.
  • Enable and disable the use of policy associations for a registry.
  • Perform EIM lookup operations.
  • Retrieve identifier associations, policy associations, certificate filters, EIM identifiers, and EIM registry definitions.
  • Add, remove, and list EIM access control information.
  • Change and remove credential information for a registry user.

EIM administrator

Membership in this access control group allows the user to manage all of the EIM data within this EIM domain. A user with this access control can perform the following functions:

  • Delete a domain.
  • Create and remove EIM identifiers.
  • Create and remove EIM registry definitions.
  • Create and remove source, target, and administrative associations.
  • Create and remove policy associations.
  • Create and remove certificate filters.
  • Enable and disable the use of policy associations for a domain.
  • Enable and disable mapping lookups for a registry.
  • Enable and disable the use of policy associations for a registry.
  • Perform EIM lookup operations.
  • Retrieve identifier associations, policy associations, certificate filters, EIM identifiers, and EIM registry definitions.
  • Add, remove, and list EIM access control information.
  • Change and remove credential information for a registry user.

Identifier administrator

Membership in this access control group allows the user to add and change EIM identifiers and manage source and administrative associations. A user with this access control can perform the following functions:

  • Create EIM identifiers.
  • Add and remove source associations.
  • Add and remove administrative associations.
  • Perform EIM lookup operations.
  • Retrieve identifier associations, policy associations, certificate filters, EIM identifiers, and EIM registry definitions.

EIM mapping operations

Membership in this access control group allows the user to conduct EIM mapping lookup operations. A user with this access control can perform the following functions:

  • Perform EIM lookup operations.
  • Retrieve identifier associations, policy associations, certificate filters, EIM identifiers, and EIM registry definitions.

Registry administrator

Membership in this access control group allows the user to manage all EIM registry definitions. A user with this access control can perform the following functions:

  • Add and remove target associations.
  • Create and remove policy associations.
  • Create and remove certificate filters.
  • Enable and disable mapping lookups for a registry.
  • Enable and disable the use of policy associations for a registry.
  • Perform EIM lookup operations.
  • Retrieve identifier associations, policy associations, certificate filters, EIM identifiers, and EIM registry definitions.

Administrator for selected registries

Membership in this access control group allows the user to manage EIM information only for a specified user registry definition (such as Registry_X). Membership in this access control group also allows the user to add and remove target associations only for a specified user registry definition. To take full advantage of mapping lookup operations and policy associations, a user with this access control should also have EIM mapping operations access control. This access control allows a user to perform the following functions for specific authorized registry definitions:

  • Create, remove, and list target associations for the specified EIM registry definitions only.
  • Add and remove default domain policy associations.
  • Add and remove policy associations for the specified registry definitions only.
  • Add certificate filters for the specified registry definitions only.
  • Enable and disable mapping lookups for the specified registry definitions only.
  • Enable and disable the use of policy associations for the specified registry definitions only.
  • Retrieve EIM identifiers.
  • Retrieve identifier associations and certificate filters for the specified registry definitions only.
  • Retrieve EIM registry definition information for the specified registry definitions only.

Note: If the specified registry definition is a group registry definition, a user with Administrator for selected registries access control has administrator access to the group only, not to the members of the group.

A user with both Administrator for selected registries access control and EIM mapping lookup operations access control gains the ability to perform the following functions:

  • Add and remove policy associations only for the specified registries.
  • Perform EIM lookup operations.
  • Retrieve all identifier associations, policy associations, certificate filters, EIM identifiers, and EIM registry definitions.

Credential lookup

This access control group allows the user to retrieve credential information, such as passwords.

If a user with this access control wants to perform an additional EIM operation, the user needs to be a member of the access control group that provides authority for the desired EIM operation. For example, if a user with this access control wants to retrieve the target association from a source association, the user needs to be a member of one of the following access control groups:

  • EIM administrator
  • Identifier administrator
  • EIM mapping lookup operations
  • Registry administrator
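The access control groups above combine as a union of rights, with Administrator for selected registries scoped to named registry definitions. The following Python model is an added example, not IBM code or the EIM API: the operation tags and the group-to-operation tables are a constructed encoding of the bullet lists on this page (each tag stands for the create/add and remove pair as the page lists it), the registry and group names are invented, and `authorized` is a hypothetical policy check. It shows three points a reader can easily get wrong: a Credential lookup user gains lookup authority only by holding a second group, a selected-registry administrator's rights stop at the exact registry names granted, and authority over a group registry definition does not flow down to the group's members.

```python
"""Toy evaluator for the EIM access control groups described on this page.
Constructed example: tags and tables are this example's own encoding of the
page's bullet lists, not EIM API identifiers."""
from dataclasses import dataclass, field

# Rights shared by every group that may perform lookups.
_LOOKUP = {"lookup", "retrieve_all"}

# Rights that, for Administrator for selected registries, apply only to the
# registry definitions the user was granted; domain-wide groups hold them
# for every registry.
_REGISTRY_SCOPED = {
    "add_target_association", "create_policy_association",
    "create_certificate_filter", "enable_lookups",
    "enable_policy_associations", "retrieve_registry_info",
}

# Domain-wide groups: an operation listed here is allowed on any registry.
DOMAIN_GROUPS = {
    "EIM administrator": (
        {"delete_domain", "create_identifier", "add_source_association",
         "add_admin_association", "manage_access_control",
         "change_credentials"} | _REGISTRY_SCOPED | _LOOKUP),
    "Identifier administrator": (
        {"create_identifier", "add_source_association",
         "add_admin_association"} | _LOOKUP),
    "EIM mapping operations": set(_LOOKUP),
    "Registry administrator": _REGISTRY_SCOPED | _LOOKUP,
    # Credential lookup grants nothing else; other operations need a second group.
    "Credential lookup": {"retrieve_credentials"},
}
# The LDAP administrator holds everything the EIM administrator holds, plus
# the ability to create a domain.
DOMAIN_GROUPS["LDAP administrator"] = (
    DOMAIN_GROUPS["EIM administrator"] | {"create_domain"})

# Rights of Administrator for selected registries that are not registry-scoped.
_SELECTED_DOMAIN_WIDE = {"add_default_policy_association", "retrieve_identifiers"}

# Constructed group registry definition: Group_A contains two member registries.
# Authority over "Group_A" must NOT be expanded to its members (see the page's
# note), so the check below compares registry names exactly and never consults
# this table to widen a grant.
GROUP_REGISTRY_MEMBERS = {"Group_A": {"Member_1", "Member_2"}}


@dataclass
class EimUser:
    """Constructed user: domain-wide group names plus, optionally, the registry
    definitions covered by Administrator for selected registries."""
    groups: set
    selected_registries: frozenset = field(default_factory=frozenset)


def authorized(user, operation, registry=None):
    """Hypothetical policy check: True if any group the user holds permits
    `operation`, where `registry` names the registry definition it targets."""
    # Domain-wide groups: membership alone decides, regardless of registry.
    for group in user.groups:
        if operation in DOMAIN_GROUPS.get(group, ()):
            return True

    # Administrator for selected registries.
    if user.selected_registries:
        if operation in _SELECTED_DOMAIN_WIDE:
            return True
        if operation in _REGISTRY_SCOPED and registry is not None:
            # Exact-name match only: a grant on a group registry definition
            # does not cover the registries that are members of that group.
            return registry in user.selected_registries
    return False


if __name__ == "__main__":
    cred_only = EimUser({"Credential lookup"})
    print(authorized(cred_only, "lookup"))  # False: needs a second group
    selected = EimUser(set(), frozenset({"Group_A"}))
    print(authorized(selected, "enable_lookups", registry="Group_A"))   # True
    print(authorized(selected, "enable_lookups", registry="Member_1"))  # False
```

The per-registry branch deliberately ignores `GROUP_REGISTRY_MEMBERS`; an evaluator that expanded a group grant to its members would silently widen the scope the page says this group does not have.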