Managing EIM user access control

An Enterprise Identity Mapping (EIM) user is a user who possesses EIM access control based on their membership in predefined Lightweight Directory Access Protocol (LDAP) user groups. Specifying EIM access control for a user adds that user to a specific LDAP user group.

Each LDAP group has authority to perform various EIM administrative tasks in a domain. The administrative tasks an EIM user can perform, including lookup operations, are determined by the access control group to which the EIM user belongs.

Only users with either LDAP administrator access control or EIM administrator access control can add other users to an EIM access control group or change access control settings for other users. Before a user can become a member of an EIM access control group, that user must have an entry in the directory server that acts as the EIM domain controller. Also, only specific types of users can be made a member of an EIM access control group: Kerberos principals, distinguished names, and IBM® i user profiles.

Note: To have the Kerberos principal user type available in EIM, network authentication service must be configured on the system. To have the IBM i user profile type available in EIM, you must configure a system object suffix on the directory server. This allows the directory server to reference IBM i system objects, such as IBM i user profiles.

To manage access control for an existing directory server user or to add an existing directory user to an EIM access control group, complete these steps:

  1. From IBM Navigator for i, expand Security > Enterprise Identity Mapping (EIM).
  2. Click Domain Management.
    • If you are not currently connected to the EIM domain controller, a Connect to EIM Domain Controller dialog box is displayed. Enter the connection information to use for the connection to the EIM domain controller and click OK.
  3. Right-click the EIM domain in which you want to work and select Access Control.
  4. In the Edit EIM Access Control dialog box, select the User type to display the fields required to provide identifying information for the user.
  5. Enter the required user information to identify the user for whom you want to manage EIM access control and click Next.
  6. Select one or more Access Control groups for the user and click Complete to add the user to the selected groups.