EIM domain

An Enterprise Identity Mapping (EIM) domain is a directory within a Lightweight Directory Access Protocol (LDAP) server that contains EIM data for an enterprise.

An EIM domain is the collection of all the EIM identifiers, EIM associations, and user registries that are defined in that domain, as well as access control for the data. Systems (EIM clients) participate in the domain by using the domain data for EIM lookup operations.

An EIM domain is different from a user registry. A user registry defines a set of user identities known to and trusted by a particular instance of an operating system or application. A user registry also contains the information needed to authenticate the user of the identity. Additionally, a user registry often contains other attributes such as user preferences, system privileges, or personal information for that identity.

In contrast, an EIM domain refers to user identities that are defined in user registries. An EIM domain contains information about the relationship between identities in various user registries (user name, registry type, and registry instance) and the actual people or entities that these identities represent.

Figure 2 shows the data that is stored within an EIM domain. This data includes EIM identifiers, EIM registry definitions, and EIM associations. EIM data defines the relationship between user identities and the people or entities that these identities represent in an enterprise.

Figure 1. EIM domain and the data that is stored within the domain
Example of the information that is stored in an EIM domain

EIM data includes:

EIM registry definitions
Each EIM registry definition that you create represents an actual user registry (and the user identity information it contains) that exists on a system within the enterprise. Once you define a specific user registry in EIM, that user registry can participate in the EIM domain. You can create two types of registry definitions: one type refers to system user registries and the other type refers to application user registries.

EIM identifiers
Each EIM identifier that you create uniquely represents a person or entity (such as a print server or a file server) within an enterprise. You can create an EIM identifier when you want one-to-one mappings between the user identities that belong to the person or entity that the EIM identifier represents.

EIM associations
The EIM associations that you create represent relationships between user identities. You must define associations so that EIM clients can use EIM APIs to perform successful EIM lookup operations. These EIM lookup operations search an EIM domain for defined associations. There are two different types of associations that you can create:

Identifier associations
Identifier associations allow you to define a one-to-one relationship between user identities through an EIM identifier defined for an individual. Each EIM identifier association that you create represents a single, specific relationship between an EIM identifier and an associated user identity within an enterprise. Identifier associations provide the information that ties an EIM identifier to a specific user identity in a specific user registry and allow you to create one-to-one identity mapping for a user. Identifier associations are especially useful when individuals have user identities with special authorities and other privileges that you want to specifically control by creating one-to-one mappings between their user identities.

Policy associations
Policy associations allow you to define a relationship between a group of user identities in one or more user registries and an individual user identity in another user registry. Each EIM policy association that you create results in a many-to-one mapping between the source group of user identities in one user registry and a single target user identity. Typically, you create policy associations to map a group of users who all require the same level of authorization to a single user identity with that level of authorization.
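
The following added example (not IBM code and not the EIM API) is a simplified in-memory model of the domain data described above, showing how a lookup resolves through a one-to-one identifier association versus a many-to-one policy association. The class, method, registry and user names are hypothetical, the policy's source group is assumed to be a whole registry, and the rule that an identifier association takes precedence over a policy association is an assumption of this model.

```python
from dataclasses import dataclass, field

@dataclass
class EimDomain:
    """Toy model of EIM domain data; not the EIM API."""
    registries: set = field(default_factory=set)       # EIM registry definitions
    identifiers: set = field(default_factory=set)      # EIM identifiers
    by_identity: dict = field(default_factory=dict)    # (registry, user) -> identifier
    by_identifier: dict = field(default_factory=dict)  # (identifier, registry) -> user
    policies: dict = field(default_factory=dict)       # (src registry, tgt registry) -> user

    def _require(self, *names):
        for name in names:
            if name not in self.registries:
                raise ValueError(f"registry {name!r} is not defined in the domain")

    def add_identifier_association(self, identifier, registry, user):
        # One-to-one: ties an identifier to one user identity in one registry.
        self._require(registry)
        if (identifier, registry) in self.by_identifier or (registry, user) in self.by_identity:
            raise ValueError("association would no longer be one-to-one")
        self.identifiers.add(identifier)
        self.by_identity[(registry, user)] = identifier
        self.by_identifier[(identifier, registry)] = user

    def add_policy_association(self, source_registry, target_registry, target_user):
        # Many-to-one: assumption here is that the source group is the whole registry.
        self._require(source_registry, target_registry)
        self.policies[(source_registry, target_registry)] = target_user

    def lookup(self, source_registry, source_user, target_registry):
        """Return (target_user, kind); kind is 'identifier', 'policy' or 'none'."""
        identifier = self.by_identity.get((source_registry, source_user))
        target = self.by_identifier.get((identifier, target_registry))
        if target is not None:
            return target, "identifier"   # assumed precedence: specific mapping first
        target = self.policies.get((source_registry, target_registry))
        return (target, "policy") if target is not None else (None, "none")

def build_sample_domain():
    # Constructed sample data: registry, identifier and user names are made up.
    d = EimDomain(registries={"KERBEROS_REALM", "SYSTEM_A"})
    d.add_identifier_association("Alice Admin", "KERBEROS_REALM", "alice")
    d.add_identifier_association("Alice Admin", "SYSTEM_A", "ALICEADM")
    d.add_policy_association("KERBEROS_REALM", "SYSTEM_A", "GUESTUSR")
    return d

if __name__ == "__main__":
    domain = build_sample_domain()
    for user in ("alice", "bob"):
        print(user, domain.lookup("KERBEROS_REALM", user, "SYSTEM_A"))
```

Returning the kind of association alongside the target identity lets an audit distinguish sessions that ran under an individually mapped identity from those that ran under a shared policy target.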