(Optional) Postconfiguration considerations

Now that you finished this scenario, the only EIM user you have defined that EIM can use is the DN for the LDAP administrator.

The LDAP administrator DN that you specified for the system user on System A has a high level of authority to all data on the directory server. Therefore, you might consider creating one or more DNs as additional users that have more appropriate and limited access control for EIM data. The number of additional EIM users that you define depends on your security policy's emphasis on the separation of security duties and responsibilities. Typically, you might create at least the two following types of DNs:

A user that has EIM administrator access control
This EIM administrator DN provides the appropriate level of authority for an administrator who is responsible for managing the EIM domain. This EIM administrator DN can be used to connect to the domain controller when managing all aspects of the EIM domain by means of IBM® Navigator for i.
At least one user that has all of the following access controls:
- Identifier administrator
- Registry administrator
- EIM mapping operations
This user provides the appropriate level of access control required for the system user that performs EIM operations on behalf of the operating system.

Note: To use this new DN for the system user instead of the LDAP administrator DN, you must change the EIM configuration properties for each system. For this scenario, you need to change the EIM configuration properties for any IBM i model that you set up.