Creating default registry policy associations

You can use policy associations to create mappings directly between a group of users and a single target user identity.

You want to have all your Microsoft Active Directory users on the Windows server map to the user profile SYSUSERA on System A and to the user profile SYSUSERB on System B. In this case, you can create a default registry policy association that maps all the user identities (for which no identifier associations exist) in the MYCO.COM Kerberos registry to a single IBM® i user profile on System A.

You need two policy associations to accomplish this goal. Each policy association uses the MYCO.COM user registry definition as the source of the association. However, each policy association maps user identities in this registry to different target user identities, depending on which IBM i platform the Kerberos user accesses:
  • One policy association maps the Kerberos principals in the MYCO.COM user registry to a target user of SYSUSERA in the target registry of SYSTEMA.MYCO.COM.
  • The other policy association maps the Kerberos principals in the MYCO.COM user registry to a target user of SYSUSERB in the target registry of SYSTEMB.MYCO.COM.

Use the information from your planning works sheets to create two default registry policy associations.

Before you can use policy associations, you must first enable the domain to use policy associations for mapping lookup operations.

To enable the domain to use policy associations for mapping lookup operations, complete the following steps:

  1. In IBM Navigator for i on System A, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click MyCoEimDomain, and select Mapping policy.
  4. On the General page, select the Enable mapping lookups using policy associations for domain MyCoEimDomain.