Postconfiguration considerations
The number of additional EIM users that you define depends on your security policy's emphasis on the separation of security duties and responsibilities.
Now that you have finished this scenario, the only EIM user you have defined that EIM can use is the DN for the LDAP administrator. The LDAP administrator DN that you specified for the system user on Systems A and B has a high level of authority to all data on the directory server. Therefore, you might consider creating one or more DNs as additional users that have more appropriate and limited access control for EIM data. Typically, you might create at least the following two types of DNs:
- A user that has EIM administrator access control
  This EIM administrator DN provides the appropriate level of authority for an administrator who is responsible for managing the EIM domain. This EIM administrator DN can be used to connect to the domain controller when managing all aspects of the EIM domain by means of IBM® Navigator for i.
- At least one user that has all of the following access controls:
  - Identifier administrator
  - Registry administrator
  - EIM mapping operations
Note: To use this new DN for the system user instead of the LDAP administrator DN, you must change the EIM configuration properties for each system. For this scenario, you need to change the EIM configuration properties for both Systems A and B. See the information about managing EIM configuration properties to learn how to change the system user DN.