Lookup operation examples: Example 5
Use this example to learn about lookup operations returning ambiguous results that involve group registry definitions.
In some cases a mapping lookup operation returns ambiguous results when more than one target user identity matches the specified lookup criteria. Because an ambiguous results situation could cause applications that use EIM to fail or give unexpected results, take action to prevent or resolve the situation.
In particular, lookup operations can return ambiguous results when an individual user registry definition is a member of more than one group registry definition and you create individual EIM identifier associations or policy associations that use one of those group registry definitions as either the source registry or the target registry. For example, you might use two different user identities for two different types of system tasks: you perform security administration tasks that require a user identity with QSECOFR authority, and you perform typical user tasks that require a user identity with QUSER authority. If both user identities reside within an individual user registry that is a member of two different group registry definitions, and you create target associations to both user identities through those group registry definitions, a lookup operation finds both target user identities and consequently returns ambiguous results.
The following example describes how this problem can occur when you specify an individual user registry as a member of two group registry definitions and you specify one of the group registry definitions as the target registry in two individual EIM identifier associations.
Example:
John Day has the following user identities within a system registry definition called System B user registry:
- JOHND
- DAYJO
System B user registry is a member of the following group registry definitions:
- Group 1
- Group 2
EIM identifier John Day has two target associations with the following specifications:
- Target association: Target registry is Group 1 which contains user identity JOHND in System B user registry.
- Target association: Target registry is Group 2 which contains user identity DAYJO in System B user registry.
In this situation, the mapping lookup operation returns ambiguous results because more than one target user identity matches the specified lookup criteria: both user identities (JOHND and DAYJO) match.
Similarly, mapping lookup operations might return ambiguous results if you create two policy associations (rather than individual EIM identifier associations) that use group registry definitions as target registries.
To prevent lookup operations from returning ambiguous results that involve group registry definitions, consider the following guidelines:
- Specify an individual user registry as a member of no more than one group registry definition.
- Use caution when creating individual EIM identifier associations or policy associations that use group registry definitions as either the source registry or the target registry. Verify that each member of the group registry definition belongs to no other group registry definition. If a member of the target group registry definition is also a member of another group registry definition, lookup operations can return ambiguous results.
- If you already have an ambiguous results situation (an individual registry definition is a member of multiple group registry definitions, and an individual identifier association or policy association uses one of those group registry definitions as either the source registry or the target registry), you can define unique lookup information for each target user identity in each association to further refine the search.
You might define the following lookup information for each target user identity in the example about John Day:
- For JOHND: Define Administrator as the lookup information
- For DAYJO: Define User as the lookup information
However, base i5/OS® applications such as iSeries™ Access for Windows® cannot use lookup information to distinguish among multiple target user identities returned by a lookup operation. Consequently, consider redefining the associations for the domain so that a mapping lookup operation returns a single target user identity; only then can base i5/OS applications successfully perform lookup operations and map identities.
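The John Day example and the two ways of resolving it, as an added runnable model. This is not IBM's EIM API and not code from the original page: it is a small in-memory model of the objects the text describes (individual registry definitions, group registry definitions, target associations with optional lookup information). The registry, group and identity names are the page's example; every class and function name, and the assumption that an association made against a group registry definition applies to every member of that group, belong to this model only.

```python
"""Model of EIM target lookups across group registry definitions.

Added example, not IBM's EIM API: an in-memory model of the objects the
text describes so the ambiguous-result case and its two resolutions can
be run. Registry and identity names are the page's John Day example;
every class and function name here is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Optional

SYSTEM_B = "System B user registry"
GROUP_1 = "Group 1"
GROUP_2 = "Group 2"
JOHN_DAY = "John Day"


class AmbiguousLookupError(Exception):
    """More than one target user identity matched the lookup criteria."""


@dataclass(frozen=True)
class TargetAssociation:
    identifier: str                     # EIM identifier, e.g. "John Day"
    target_registry: str                # individual registry or group registry definition
    user_identity: str                  # user identity the association maps to
    lookup_info: Optional[str] = None   # optional lookup information


class EimDomain:
    def __init__(self) -> None:
        # group registry definition -> member individual registry definitions
        self.groups: dict[str, set[str]] = {}
        self.associations: list[TargetAssociation] = []

    def add_group(self, group: str, members: list[str]) -> None:
        self.groups[group] = set(members)

    def add_target_association(self, assoc: TargetAssociation) -> None:
        self.associations.append(assoc)

    def multi_group_members(self) -> set[str]:
        """Individual registries that belong to more than one group (the check behind guideline 1)."""
        seen: dict[str, int] = {}
        for members in self.groups.values():
            for m in members:
                seen[m] = seen.get(m, 0) + 1
        return {m for m, n in seen.items() if n > 1}

    def _resolve(self, registry: str) -> set[str]:
        """Individual registries covered by a name: a group expands to its members."""
        return set(self.groups.get(registry, {registry}))

    def lookup_targets(self, identifier: str, target_registry: str,
                       lookup_info: Optional[str] = None) -> list[str]:
        """All matching target user identities; more than one means ambiguous.

        Modelling assumption: an association whose target registry is a group
        applies to every member of that group, so it also matches a lookup
        against any individual registry that is a member of the group.
        Lookup information, when supplied, filters the matches.
        """
        wanted = self._resolve(target_registry)
        hits = [a for a in self.associations
                if a.identifier == identifier and self._resolve(a.target_registry) & wanted]
        if lookup_info is not None:
            hits = [a for a in hits if a.lookup_info == lookup_info]
        return sorted({a.user_identity for a in hits})

    def lookup_single_target(self, identifier: str, target_registry: str,
                             lookup_info: Optional[str] = None) -> Optional[str]:
        """What an application that needs exactly one identity sees: one result or an error."""
        found = self.lookup_targets(identifier, target_registry, lookup_info)
        if len(found) > 1:
            raise AmbiguousLookupError(f"{identifier} -> {target_registry}: {found}")
        return found[0] if found else None


def build_john_day_domain(system_b_in_both_groups: bool = True) -> EimDomain:
    """The page's example: System B in Group 1 and Group 2, one target association per group.

    With system_b_in_both_groups=False, System B is a member of Group 1 only, as
    guideline 1 recommends, so the Group 2 association no longer applies to it.
    """
    d = EimDomain()
    d.add_group(GROUP_1, [SYSTEM_B])
    d.add_group(GROUP_2, [SYSTEM_B] if system_b_in_both_groups else [])
    d.add_target_association(TargetAssociation(JOHN_DAY, GROUP_1, "JOHND", "Administrator"))
    d.add_target_association(TargetAssociation(JOHN_DAY, GROUP_2, "DAYJO", "User"))
    return d


if __name__ == "__main__":
    domain = build_john_day_domain()
    print("members of more than one group:", domain.multi_group_members())
    print("no lookup information:", domain.lookup_targets(JOHN_DAY, SYSTEM_B))
    print("lookup information Administrator:", domain.lookup_targets(JOHN_DAY, SYSTEM_B, "Administrator"))
    try:
        domain.lookup_single_target(JOHN_DAY, SYSTEM_B)
    except AmbiguousLookupError as err:
        print("ambiguous:", err)
    print("System B in one group only:", build_john_day_domain(False).lookup_targets(JOHN_DAY, SYSTEM_B))
```

Running the block shows both outcomes the text describes: with System B in both groups and no lookup information, the lookup for John Day against System B returns JOHND and DAYJO (and `lookup_single_target`, standing in for an application that cannot pass lookup information, raises); supplying the lookup information narrows the result to one identity; and removing System B from Group 2 (guideline 1) makes the same lookup unambiguous without any lookup information.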