Default registry policy associations

 

This information explains how to establish a mapping relationship for all the user identities in a single registry.

A default registry policy association is one type of policy association that you can use to create many-to-one mappings between user identities. You can use a default registry policy association to map a source set of multiple user identities (in this case those in a single registry) to a single target user identity in a specified target user registry. In a default registry policy association, all users in a single registry are the source of the policy association and are mapped to a single target registry and target user.

To use default registry policy associations, enable mapping lookups using policy associations for the domain. You must also enable mapping lookups for the source registry and enable mapping lookups and the use of policy associations for the target user registry of the policy association. When you configure this enablement, the user registries in the policy association can participate in mapping lookup operations.

The default registry policy association takes effect when a mapping lookup operation is not satisfied by identifier associations, certificate filter policy associations, or other default registry policy associations for the target registry. The result is that all user identities in the source registry are mapped to the single target user identity as specified by the default registry policy association.

For example, you create a default registry policy association that has a source registry of my_realm.com, which are principals in a specific Kerberos realm. For this policy association, you also specify a target user identity of general_user1 in target registry i5/OS_system_reg, which is a specific user profile in an i5/OS® user registry. In this case, you have not created any identifier associations or policy associations that apply to any of the user identities in the source registry. Therefore, when i5/OS_system_reg is specified as the target registry and my_realm.com is specified as the source registry in lookup operations, the default registry policy association ensures that the target user identity of general_user1 is returned for all user identities in my_realm.com that do not have any specific identifier associations or certificate filter policy associations defined for them.

You specify these three things to define a default registry policy association:

You can define more than one default registry policy association. If two or more policy associations with the same source registry refer to the same target registry, define unique lookup information for each of these policy associations to ensure that mapping lookup operations can distinguish among them. Otherwise, mapping lookup operations may return multiple target user identities. As a result of these ambiguous results, applications that rely on EIM may not be able to determine the exact target identity to use.

Because you can use policy associations in a variety of overlapping ways, you should have a thorough understanding of EIM mapping policy support and how lookup operations work before you create and use policy associations.

You might want to create a default registry policy association with a target user identity that exists within a group registry definition. All users in the source user registry are the source of the policy association and are mapped to a target user identity in a target group registry definition. The user identity that you define in the default registry policy association exists within the members of the group registry definition.

For example, John Day uses the same i5/OS user profile, John_Day, on five different systems: System_B, System_C, System_D, System_E, and System_F. To reduce the amount of work that he must perform to configure EIM mapping, the EIM administrator creates a group registry definition called Group_1. Members of the group registry definition include the registry definition names of System_B, System_C, System_D, System_E, and System_F. Grouping members together enables the administrator to create a single target association to the group registry definition and user identity, rather than multiple associations to the individual registry definitions.

The EIM administrator creates a default registry policy association that has a source registry of my_realm.com, which are principals in a specific Kerberos realm. For this policy association, he also specifies a target user identity of John_Day in target registry Group_1. In this case, no other identifier associations or policy associations apply. Therefore, when Group_1 is specified as the target registry and my_realm.com is specified as the source registry in lookup operations, the default registry policy association ensures that the target user identity of John_Day is returned for all user identities in my_realm.com that do not have any specific identifier associations defined for them.

 

Parent topic:

Policy associations

 

Related concepts


Lookup information
EIM mapping policy support and enablement