Default registry policy associations
A default registry policy association is one type of policy association that you can use to create many-to-one mappings between user identities.
You can use a default registry policy association to map a source set of multiple user identities (in this case those in a single registry) to a single target user identity in a specified target user registry. In a default registry policy association, all users in a single registry are the source of the policy association and are mapped to a single target registry and target user.
To use default registry policy associations, you must enable mapping lookups using policy associations for the domain. You must also enable mapping lookups for the source registry and enable mapping lookups and the use of policy associations for the target user registry of the policy association. When you configure this enablement, the user registries in the policy association can participate in mapping lookup operations.
The default registry policy association takes effect when a mapping lookup operation is not satisfied by identifier associations, certificate filter policy associations, or other default registry policy associations for the target registry. The result is that all user identities in the source registry are mapped to the single target user identity as specified by the default registry policy association.
For example, you create a default registry policy association that has a source registry of my_realm.com, whose user identities are principals in a specific Kerberos realm. For this policy association, you also specify a target user identity of general_user1 in target registry IBMi_system_reg, which is a specific user profile in an IBM® i user registry. In this case, you have not created any identifier associations or policy associations that apply to any of the user identities in the source registry. Therefore, when IBMi_system_reg is specified as the target registry and my_realm.com is specified as the source registry in lookup operations, the default registry policy association ensures that the target user identity of general_user1 is returned for all user identities in my_realm.com that do not have any specific identifier associations or certificate filter policy associations defined for them.
You specify these three things to define a default registry policy association:
- Source registry. This is the registry definition that you want the policy association to use as the source of the mapping. All the user identities in this source user registry are to be mapped to the specified target user of the policy association.
- Target registry. The target registry that you specify is the name of an Enterprise Identity Mapping (EIM) registry definition. The target registry must contain the target user identity to which all user identities in the source registry are to be mapped.
- Target user. The target user is the name of the user identity that is returned as the target of an EIM mapping lookup operation based on this policy association.
You can define more than one default registry policy association. If two or more policy associations with the same source registry refer to the same target registry, you must define unique lookup information for each of these policy associations to ensure that mapping lookup operations can distinguish among them. Otherwise, mapping lookup operations may return multiple target user identities. As a result of these ambiguous results, applications that rely on EIM may not be able to determine the exact target identity to use.
Because you can use policy associations in a variety of overlapping ways, you should have a thorough understanding of EIM mapping policy support and how lookup operations work before you create and use policy associations.
For example, John Day uses the same IBM i user profile, John_Day, on five different systems: System_B, System_C, System_D, System_E, and System_F. To reduce the amount of work that he must perform to configure EIM mapping, the EIM administrator creates a group registry definition called Group_1. Members of the group registry definition include the registry definition names of System_B, System_C, System_D, System_E, and System_F. Grouping members together enables the administrator to create a single target association to the group registry definition and user identity, rather than multiple associations to the individual registry definitions.
The EIM administrator creates a default registry policy association that has a source registry of my_realm.com, whose user identities are principals in a specific Kerberos realm. For this policy association, he also specifies a target user identity of John_Day in target registry Group_1. In this case, no other identifier associations or policy associations apply. Therefore, when Group_1 is specified as the target registry and my_realm.com is specified as the source registry in lookup operations, the default registry policy association ensures that the target user identity of John_Day is returned for all user identities in my_realm.com that do not have any specific identifier associations defined for them.
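The following is an added, constructed model (not IBM's EIM code) of how a mapping lookup falls through from identifier associations to default registry policy associations, covering the general_user1 and John_Day/Group_1 examples above as well as the ambiguity that arises when two policy associations share a source and target registry without unique lookup information. Registry, user and lookup-information values other than those named on this page (such as bob@MY_REALM.COM, "interactive" and "batch") are assumed for illustration; certificate filter policy associations are omitted to keep the model small.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of an EIM domain's mapping lookup. Illustrative
# code only, not IBM's EIM implementation.
@dataclass
class EimDomain:
    groups: dict = field(default_factory=dict)            # group registry -> member registry names
    identifier_assocs: dict = field(default_factory=dict) # (src_reg, src_user, tgt_reg) -> target user
    registry_policies: list = field(default_factory=list) # (src_reg, tgt_reg, target user, lookup info)
    policy_enabled: set = field(default_factory=set)      # registries enabled for policy lookups

    def _target_names(self, target_reg):
        # A lookup against a member registry also matches associations made to
        # any group registry definition that contains it (the Group_1 case).
        return {target_reg} | {g for g, m in self.groups.items() if target_reg in m}

    def lookup(self, source_reg, source_user, target_reg, lookup_info=None):
        """Return the list of candidate target users; more than one means ambiguous."""
        targets = self._target_names(target_reg)
        # 1. A specific identifier association always wins over any policy association.
        for t in targets:
            user = self.identifier_assocs.get((source_reg, source_user, t))
            if user is not None:
                return [user]
        # 2. Otherwise fall back to default registry policy associations whose source
        #    and target registries are both enabled for policy lookups. If the caller
        #    supplies lookup information, only policies carrying that value apply.
        hits = {tgt_user for src, tgt, tgt_user, info in self.registry_policies
                if src == source_reg and tgt in targets
                and src in self.policy_enabled and tgt in self.policy_enabled
                and (lookup_info is None or info == lookup_info)}
        return sorted(hits)

def build_sample_domain():
    """Constructed domain mirroring the page's examples plus one ambiguous case."""
    d = EimDomain()
    d.groups["Group_1"] = {"System_B", "System_C", "System_D", "System_E", "System_F"}
    d.policy_enabled |= {"my_realm.com", "IBMi_system_reg", "Group_1"}
    # Example 1: my_realm.com -> general_user1 on IBMi_system_reg, plus a second
    # policy to the same target registry distinguished only by its lookup information.
    d.registry_policies.append(("my_realm.com", "IBMi_system_reg", "general_user1", "interactive"))
    d.registry_policies.append(("my_realm.com", "IBMi_system_reg", "general_user2", "batch"))
    # Example 2: my_realm.com -> John_Day on the group registry definition Group_1.
    d.registry_policies.append(("my_realm.com", "Group_1", "John_Day", None))
    # A specific identifier association for one principal (constructed name).
    d.identifier_assocs[("my_realm.com", "bob@MY_REALM.COM", "IBMi_system_reg")] = "BOB"
    # A source registry never enabled for policy lookups: its policy is ignored.
    d.registry_policies.append(("other_realm.com", "IBMi_system_reg", "general_user1", None))
    return d
```

A lookup without lookup information against IBMi_system_reg returns both general_user1 and general_user2, which is the ambiguous result the text warns about; supplying the lookup information narrows it to one.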