EIM registry definitions
An Enterprise Identity Mapping (EIM) registry definition is an entry within EIM that you create to represent an actual user registry that exists on a system within the enterprise. A user registry operates like a directory and contains a list of valid user identities for a particular system or application.
A basic user registry contains user identities and their passwords. One example of a user registry is the z/OS® Security Server Resource Access Control Facility (RACF®) registry. User registries can contain other information as well. For example, a Lightweight Directory Access Protocol (LDAP) directory contains bind distinguished names, passwords, and access controls to data that is stored in LDAP. Other examples of common user registries are the principals in a Kerberos realm, the user identities in a Windows Active Directory domain, and the IBM® i user profiles registry.
You can also define user registries that exist within other user registries. Some applications use a subset of user identities within a single instance of a user registry. For example, the z/OS Security Server (RACF) registry can contain specific user registries that are a subset of users within the overall RACF user registry.
EIM registry definitions provide information regarding those user registries in an enterprise. The administrator defines these registries to EIM by providing the following information:
- A unique, arbitrary EIM registry name. Each registry definition represents a specific instance of a user registry. Consequently, you should choose an EIM registry definition name that helps you to identify the particular instance of the user registry. For example, you could choose the TCP/IP host name for a system user registry, or the host name combined with the name of the application for an application user registry. You can use any combination of alphanumeric characters, mixed case, and spaces to create unique EIM registry definition names.
- The type of user registry. There are a number of predefined user registry types that EIM provides to cover most operating system user registries. These include:
  - AIX®
  - Domino® - long name
  - Domino - short name
  - Kerberos
  - Kerberos - case sensitive
  - LDAP
  - LDAP - short name
  - Linux®
  - Novell Directory Server
  - Other
  - Other - case sensitive
  - IBM i
  - Tivoli® Access Manager
  - RACF
  - Windows - local
  - Windows domain (Kerberos) (This type is case sensitive.)
  - X.509
WebSphere LTPA for the System_A_WAS application registry definition.
In Figure 6, the administrator created EIM system registry definitions for user registries representing System A, System B, System C, and a Windows Active Directory that contains users' Kerberos principals with which users log into their desktop workstations. In addition, the administrator created an application registry definition for WebSphere® Lightweight Third-Party Authentication (LTPA), which runs on System A. The registry definition name that the administrator uses helps to identify the specific occurrence of the type of user registry. For example, an IP address or host name is often sufficient for many types of user registries. In this example, the administrator uses System_A_WAS as the application registry definition name to identify this specific instance of the WebSphere LTPA application. He also specifies that the parent system registry for the application registry definition is the System_A registry.
Figure 6: EIM registry definitions for five user registries in an enterprise
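The following Python model, an added example and not IBM's EIM code, builds the five registry definitions of Figure 6 and enforces the constraints stated above (unique names, and an application registry whose parent is an existing system registry). The registry types assigned to the four system registries are constructed, and treating types not marked "case sensitive" as case-folding is an assumption drawn from the type names.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Predefined types from the page. True = identities compare case-sensitively; folding case
# for the other types is an assumption drawn from the type names, not a rule the page states.
PREDEFINED_TYPES = {
    "AIX": False, "Domino - long name": False, "Domino - short name": False,
    "Kerberos": False, "Kerberos - case sensitive": True, "LDAP": False,
    "LDAP - short name": False, "Linux": False, "Novell Directory Server": False,
    "Other": False, "Other - case sensitive": True, "IBM i": False,
    "Tivoli Access Manager": False, "RACF": False, "Windows - local": False,
    "Windows domain (Kerberos)": True, "X.509": False,
}

@dataclass(frozen=True)
class RegistryDefinition:
    name: str                     # unique, arbitrary; e.g. host name (+ application name)
    registry_type: str            # a predefined type or an administrator-defined one
    parent: Optional[str] = None  # application registries name their parent system registry
    case_sensitive: bool = False  # consulted only for administrator-defined types
    def is_case_sensitive(self) -> bool:
        return PREDEFINED_TYPES.get(self.registry_type, self.case_sensitive)

class EimDomain:
    def __init__(self) -> None:
        self.registries: Dict[str, RegistryDefinition] = {}

    def define(self, reg: RegistryDefinition) -> RegistryDefinition:
        if reg.name in self.registries:
            raise ValueError(f"registry definition name already in use: {reg.name}")
        if reg.parent is not None:  # an application registry's parent must be a system registry
            parent = self.registries.get(reg.parent)
            if parent is None or parent.parent is not None:
                raise ValueError(f"parent must be an existing system registry: {reg.parent}")
        self.registries[reg.name] = reg
        return reg

    def same_identity(self, registry_name: str, a: str, b: str) -> bool:
        """Compare two user identity strings under the registry type's case rule."""
        reg = self.registries[registry_name]
        return a == b if reg.is_case_sensitive() else a.casefold() == b.casefold()

def figure6_domain() -> EimDomain:
    """The five definitions of Figure 6; the types for the system registries are constructed."""
    d = EimDomain()
    d.define(RegistryDefinition("System_A", "IBM i"))
    d.define(RegistryDefinition("System_B", "RACF"))
    d.define(RegistryDefinition("System_C", "AIX"))
    d.define(RegistryDefinition("Windows_AD", "Windows domain (Kerberos)"))
    d.define(RegistryDefinition("System_A_WAS", "WebSphere LTPA", parent="System_A"))
    return d
```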
