Lookup information
With Enterprise Identity Mapping (EIM) you can provide optional data called lookup information to further identify a target user identity. This target user identity can be specified either in an identifier association or in a policy association.
Lookup information is a unique character string that either the eimGetTargetFromSource EIM API or the eimGetTargetFromIdentifier EIM API can use during a mapping lookup operation to further refine the search for the target user identity that is the object of the operation. Data that you specify for lookup information corresponds to the registry users additional information parameter for these EIM APIs.
Lookup information is necessary only when a mapping lookup operation can return more than one target user identity. A mapping lookup operation can return multiple target user identities when one or more of the following situations exist:
- An EIM identifier has multiple individual target associations to the same target registry.
- More than one EIM identifier has the same user identity specified in a source association and each of these EIM identifiers has a target association to the same target registry, although the user identity specified for each target association may be different.
- More than one default domain policy association specifies the same target registry.
- More than one default registry policy association specifies the same source registry and the same target registry.
- More than one certificate filter policy association specifies the same source X.509 registry, certificate filter, and target registry.
You can use lookup information to avoid situations where it is possible for mapping lookup operations to return more than one target user identity. To prevent mapping lookup operations from returning multiple target user identities, you must define unique lookup information for each target user identity in each association. This lookup information must be provided to the mapping lookup operation to ensure that the operation can return a unique target user identity. Otherwise, applications that rely on EIM may not be able to determine the exact target identity to use.
For example, you have an EIM identifier named John Day who has two user profiles on System A. One of these user profiles is JDUSER on System A and another is JDSECADM, which has security administrator special authority. There are two target associations for the John Day identifier. One of these target associations is for the JDUSER user identity in the target registry of System_A and has lookup information of user authority specified for JDUSER. The other target association is for the JDSECADM user identity in the target registry of System_A and has lookup information of security officer specified for JDSECADM.
If a mapping lookup operation does not specify any lookup information, the lookup operation returns both the JDUSER and the JDSECADM user identities. If a mapping lookup operation specifies lookup information of user authority, the lookup operation returns the JDUSER user identity only. If a mapping lookup operation specifies lookup information of security officer, the lookup operation returns the JDSECADM user identity only.
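The John Day example above, modelled in C as an added illustration; this is not IBM's code and it does not call the EIM APIs. The struct, the `lookup_targets` and `resolve_unique` helpers, and the exact-string comparison of lookup information are assumptions made for the sketch. It shows the caller-side check that matters when a lookup can return more than one target: accept the mapping only if exactly one identity comes back.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the target associations in the John Day example. */
struct target_assoc {
    const char *identifier;   /* EIM identifier */
    const char *registry;     /* target registry */
    const char *user;         /* target user identity */
    const char *lookup_info;  /* lookup information on the association */
};

static const struct target_assoc ASSOCS[] = {
    { "John Day", "System_A", "JDUSER",   "user authority"   },
    { "John Day", "System_A", "JDSECADM", "security officer" },
};
#define N_ASSOCS (sizeof ASSOCS / sizeof ASSOCS[0])

/* Hypothetical helper: collect target users for an identifier and registry.
 * lookup_info == NULL means the caller supplied none, so nothing is filtered.
 * Assumption: lookup information is compared as an exact string.
 * Returns the number of matches; stores at most max of them in out. */
size_t lookup_targets(const char *identifier, const char *registry,
                      const char *lookup_info, const char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < N_ASSOCS; i++) {
        const struct target_assoc *a = &ASSOCS[i];
        if (strcmp(a->identifier, identifier) != 0) continue;
        if (strcmp(a->registry, registry) != 0) continue;
        if (lookup_info != NULL && strcmp(a->lookup_info, lookup_info) != 0) continue;
        if (n < max) out[n] = a->user;
        n++;
    }
    return n;
}

/* Hypothetical caller-side check: accept a mapping only when exactly one
 * target user identity comes back; otherwise return NULL instead of guessing. */
const char *resolve_unique(const char *identifier, const char *registry,
                           const char *lookup_info)
{
    const char *hits[4];
    size_t n = lookup_targets(identifier, registry, lookup_info, hits, 4);
    return n == 1 ? hits[0] : NULL;
}
```

With no lookup information the model returns both identities, so `resolve_unique` rejects the result rather than picking between JDUSER and the security administrator profile JDSECADM.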
Because you can use certificate policy associations and other associations in a variety of overlapping ways, you should have a thorough understanding of both EIM mapping policy support and how lookup operations work before you create and use certificate policy associations.