i5/OS user profile considerations for EIM
Being able to perform tasks in Enterprise Identity Mapping (EIM) is not based on your i5/OS® user profile authority, but rather on your EIM access control authority.
There are some additional tasks that need to be performed to set up i5/OS to use EIM. These additional tasks require you to have an i5/OS user profile with the appropriate special authorities. To set up i5/OS to use EIM using iSeries™ Navigator, your user profile must have the following special authorities:
- Security administrator (*SECADM).
- All object (*ALLOBJ).
- System configuration (*IOSYSCFG).
i5/OS user profile command enhancement for EIM identifiers
Once you configure EIM for your system, you can take advantage of a new parameter for both the Create user profile (CRTUSRPRF) command and the Change user profile (CHGUSRPRF) command, called EIMASSOC. You can use this parameter to define EIM identifier associations for the specified user profile in the local registry. When you use this parameter, you can specify the following information:
- EIM identifier name, which can be a new name or an existing identifier name.
- An action option for the association, which can be to add (*ADD), to replace (*REPLACE), or to remove (*REMOVE), the association that you specify.
Use *ADD to set up new associations. Use the *REPLACE option, for example, if you previously defined associations to the wrong identifier. The *REPLACE option removes any existing associations of the specified type for the local registry to any other identifiers, and then adds the one that is specified for the parameter. Use the *REMOVE option to remove the specified associations from the specified identifier.
- The type of identifier association, which can be target, source, both a target and a source, or an administrative association.
- Whether to create the specified EIM identifier if it does not already exist.
You typically create a target association for an i5/OS user profile, especially in a single signon environment. After you use the command to create the needed target association for the user profile (and the EIM identifier, if necessary), you may need to create a corresponding source association. You can use iSeries Navigator to create a source association for another user identity, such as the Kerberos principal with which the user signs on to the network.
When you configured EIM for the system, you specified a user identity and password for the system to use when performing EIM operations on behalf of the operating system. This user identity must have EIM access control authority sufficient for creating identifiers and adding associations.
i5/OS user profile passwords and EIM
As an administrator, your primary goal in configuring EIM as part of a single signon environment is to reduce the amount of user password management that you perform for the typical end users in your enterprise. By using the identity mapping that EIM provides in combination with Kerberos authentication, your users have to perform fewer logons and remember and manage fewer passwords. You benefit because you have fewer calls to manage problems with the mapped user identities, such as calls to reset passwords when users forget them. However, your security policy password rules are still in effect for these user profiles, and the profiles still need to be managed whenever a password expires.
To further benefit from your single signon environment, consider changing the password setting for those user profiles that are the target of identity mappings. As the target of an identity mapping, the user no longer needs to provide the password for the user profile when accessing a System i™ model or an EIM-enabled i5/OS resource. For typical users, you can change the password setting to *NONE so that no password can be used with the user profile. The owner of the user profile no longer needs a password because of identity mapping and single signon. By setting the password to *NONE, you benefit further because you and your users no longer have to manage password expiration; additionally, no one can use the profile to sign on directly to a System i model or to access EIM-enabled i5/OS resources. However, you may prefer that administrators continue to have a password value for their user profiles in case they ever need to sign on directly to a System i model. For example, if your EIM domain controller is down and identity mapping cannot occur, an administrator may need to sign on directly to a System i model until the problem with the domain controller is resolved.
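The command sequence that the two sections above describe (EIMASSOC on CRTUSRPRF and CHGUSRPRF, then PASSWORD(*NONE) for a mapped end-user profile), as an added CL example that is not from this IBM page: the profile names JSMITH and ADMIN1, the identifier names and the Kerberos principal are made up. The EIMASSOC element order (identifier, association type, action, create-identifier) and the keyword spellings *TARGET, *SOURCE, *TGTSRC, *ADMIN, *REPLACE, *ADD, *REMOVE, *CRTEIMID and *NOCRTEIMID are taken from my recollection of the CRTUSRPRF command reference linked below; confirm them with the command prompter (F4) on your release before running.

```cl
/* Added example, not from the IBM page. Profile, identifier and principal  */
/* names are made up; EIMASSOC keywords are from memory of the CRTUSRPRF    */
/* reference, so check them with F4 on your release first.                  */

/* 1. New end-user profile with a target association to identifier JSMITH.  */
/*    *CRTEIMID creates the identifier in the domain if it does not exist.  */
CRTUSRPRF  USRPRF(JSMITH)  PASSWORD(TEMP1234)  USRCLS(*USER) +
           TEXT('John Smith - mapped through EIM') +
           EIMASSOC(JSMITH *TARGET *ADD *CRTEIMID)

/* 2. Wrong identifier? *REPLACE removes every existing target association  */
/*    from this profile in the local registry, then adds the one given.     */
CHGUSRPRF  USRPRF(JSMITH) +
           EIMASSOC(JOHN.SMITH *TARGET *REPLACE *CRTEIMID)

/* 3. Remove one association without touching the identifier itself.       */
CHGUSRPRF  USRPRF(JSMITH) +
           EIMASSOC(JOHN.SMITH *TARGET *REMOVE *NOCRTEIMID)

/* 4. The matching source association (e.g. Kerberos principal             */
/*    jsmith@EXAMPLE.COM) is added with iSeries Navigator, as the page      */
/*    says; EIMASSOC only covers the local registry. After single signon    */
/*    has been verified for the user, drop the password so the profile      */
/*    cannot be used for a direct sign-on and never needs a password reset. */
CHGUSRPRF  USRPRF(JSMITH)  PASSWORD(*NONE)

/* 5. Administrators are mapped too, but keep a password (still subject to  */
/*    your password rules) so they can sign on directly if the EIM domain   */
/*    controller is unreachable and mapping cannot occur.                   */
CHGUSRPRF  USRPRF(ADMIN1) +
           EIMASSOC(ADMIN1 *TARGET *ADD *CRTEIMID)
```

The EIM part of each command runs under the user identity you supplied when you configured EIM for the system, so that identity must have EIM access control sufficient to create identifiers and add associations; the profile running the commands needs the i5/OS special authorities listed at the top of this page.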
Parent topic:
Enterprise Identity Mapping concepts
Related concepts
EIM access control
Related information
Create user profile (CRTUSRPRF) command