Lookup information

With Enterprise Identity Mapping (EIM) you can provide optional data called lookup information to further identify a target user identity. This target user identity can be specified either in an identifier association or in a policy association.

Lookup information is a unique character string that either the eimGetTargetFromSource EIM API or the eimGetTargetFromIdentifier EIM API can use during a mapping lookup operation to further refine the search for the target user identity that is the object of the operation. Data that you specify for lookup information corresponds to the registry users additional information parameter for these EIM APIs.

Lookup information is necessary only when a mapping lookup operation can return more than one target user identity. A mapping lookup operation can return multiple target user identities when one or more of the following situations exist:

  • An EIM identifier has multiple individual target associations to the same target registry.
  • More than one EIM identifier has the same user identity specified in a source association and each of these EIM identifiers has a target association to the same target registry, although the user identity specified for each target association may be different.
  • More than one default domain policy association specifies the same target registry.
  • More than one default registry policy association specifies the same source registry and the same target registry.
  • More than one certificate filter policy association specifies the same source X.509 registry, certificate filter, and target registry.
Note: A mapping lookup operation that returns more than one target user identity can create problems for EIM-enabled applications, including IBM® i applications and products, that are not designed to handle these ambiguous results. However, base IBM i applications such as IBM i Access Client Solutions can not use lookup information to distinguish among multiple target user identities returned by a lookup operation. Consequently, you might consider redefining associations for the domain to ensure that a mapping lookup operation can return a single target user identity to ensure that base IBM i applications can successfully perform lookup operations and map identities.

You can use lookup information to avoid situations where it is possible for mapping lookup operations to return more than one target user identity. To prevent mapping lookup operations from returning multiple target user identities, you must define unique lookup information for each target user identity in each association. This lookup information must be provided to the mapping lookup operation to ensure that the operation can return a unique target user identity. Otherwise, applications that rely on EIM may not be able to determine the exact target identity to use.

For example, you have an EIM identifier named John Day who has two user profiles on System A. One of these user profiles is JDUSER on System A and another is JDSECADM, which has security administrator special authority. There are two target association for the John Day identifier. One of these target associations is for the JDUSER user identity in the target registry of System_A and has lookup information of user authority specified for JDUSER. The other target association is for the JDSECADM user identity in the target registry of System_A and has lookup information of security officer specified for JDSECADM.

If a mapping lookup operation does not specify any lookup information, the lookup operation returns both the JDUSER and theJDSECADM user identities. If a mapping lookup operation specifies lookup information of user authority, the lookup operation returns the JDUSER user identity only. If a mapping lookup operation specifies lookup information of security officer, the lookup operation returns the JDSECADM user identity only.

Note: If you delete the last target association for a user identity (whether it is an identifier association or a policy association), the target user identity and all lookup information is deleted from the domain as well.

Because you can use certificate policy associations and other associations in a variety of overlapping ways, you should have a thorough understanding of both EIM mapping policy support and how lookup operations work before you create and use certificate policy associations.