IBM i user profile considerations for EIM

Being able to perform tasks in Enterprise Identity Mapping (EIM) is not based on your IBM® i user profile authority, but rather on your EIM access control authority.

There are some additional tasks that need to be performed to set up IBM i to use EIM. These additional tasks require you to have an IBM i user profile with the appropriate special authorities.

To set up IBM i to use EIM using IBM Navigator for i, your user profile must have the following special authorities:
  • Security administrator (*SECADM).
  • All object (*ALLOBJ).
  • System configuration (*IOSYSCFG).

IBM i user profile command enhancement for EIM identifiers

After you configure EIM for your system, you can take advantage of a parameter on both the Create User Profile (CRTUSRPRF) command and the Change User Profile (CHGUSRPRF) command, called EIMASSOC. You use this parameter to define EIM identifier associations between the specified user profile, as a user identity in the local IBM i registry, and an EIM identifier.

When you use this parameter, you can specify the following information:
  • EIM identifier name, which can be a new name or an existing identifier name.
  • An action option for the association, which can be to add (*ADD), to replace (*REPLACE), or to remove (*REMOVE), the association that you specify.
    Note: Use the *ADD option to set up new associations. Use the *REPLACE option, for example, if you previously defined associations to the wrong identifier: *REPLACE removes any existing associations of the specified type from the local registry to any other identifiers, and then adds the one that is specified on the parameter. Use the *REMOVE option to remove the specified associations from the specified identifier.
  • The type of identifier association, which can be target, source, both a target and a source, or an administrative association.
  • Whether to create the specified EIM identifier if it does not already exist.

You typically create a target association for an IBM i profile, especially in a single sign-on environment. After you use the command to create the needed target association for the user profile (and the EIM identifier, if necessary), you may still need to create a corresponding source association. The EIMASSOC parameter works only on the local IBM i registry, so you use IBM Navigator for i to create the source association for another user identity, such as the Kerberos principal with which the user signs on to the network.

When you configured EIM for the system, you specified a user identity and password for the system to use when performing EIM operations on behalf of the operating system. This user identity must have EIM access control authority sufficient for creating identifiers and adding associations.
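The following CL commands, added here as an example and not taken from the IBM page, walk through the EIMASSOC parameter as described above: creating a profile with a target association (and the identifier), correcting a wrong association with *REPLACE, mapping an administrator as both source and target, and removing associations. The profile names (JOHND, ADMIN1), the EIM identifier names (JOHNDAY, JOHNDAY2, ADMINONE) and the Kerberos principal mentioned in the comments are assumed placeholders; the EIMASSOC element values are those documented for CRTUSRPRF and CHGUSRPRF.

```cl
/* Added example, not IBM's own code. Profile and identifier names    */
/* are placeholders. Each element of EIMASSOC is:                      */
/*   identifier  action (*ADD|*REPLACE|*REMOVE)                        */
/*   type (*TARGET|*SOURCE|*TGTSRC|*ADMIN|*ALL)                         */
/*   create identifier (*NOCRTEIMID|*CRTEIMID)                         */

/* 1. New end user: create the profile and a target association to the  */
/*    identifier JOHNDAY, creating the identifier if it does not exist.  */
/*    Requires a profile with *SECADM (and the EIM configuration user    */
/*    must be allowed to create identifiers and add associations).       */
CRTUSRPRF USRPRF(JOHND) TEXT('John Day - SSO user') +
          EIMASSOC(JOHNDAY *ADD *TARGET *CRTEIMID)

/* 2. The target association went to the wrong identifier. *REPLACE     */
/*    drops every existing target association for JOHND in the local    */
/*    registry and adds the one named here; the identifier must exist.  */
CHGUSRPRF USRPRF(JOHND) +
          EIMASSOC(JOHNDAY2 *REPLACE *TARGET *NOCRTEIMID)

/* 3. Administrator profile mapped as both source and target in one     */
/*    step (a single *TGTSRC association instead of two commands).      */
CHGUSRPRF USRPRF(ADMIN1) +
          EIMASSOC(ADMINONE *ADD *TGTSRC *CRTEIMID)

/* 4. Decommission: remove all associations between JOHND (local        */
/*    registry) and JOHNDAY2. *ALL is only valid with *REMOVE.          */
CHGUSRPRF USRPRF(JOHND) +
          EIMASSOC(JOHNDAY2 *REMOVE *ALL)

/* Not possible with EIMASSOC: the source association for the Kerberos  */
/* principal (for example johnd@EXAMPLE.COM, assumed) lives in the      */
/* Kerberos registry, not the local IBM i registry. Add it with IBM     */
/* Navigator for i after step 1.                                        */
```

Step 2 is the practical reason to prefer *REPLACE over a *REMOVE followed by *ADD: a single command cannot leave the profile with no target association in the window between the two operations, so a user signing on during the change does not fail lookup.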

IBM i user profile passwords and EIM

As an administrator, your primary goal for configuring EIM as part of a single sign-on environment is to reduce the amount of user password management that you must perform for the typical end users in your enterprise. By using the identity mapping that EIM provides in combination with Kerberos authentication, you know that your users will have to perform fewer logons and remember and manage fewer passwords. You benefit because you have fewer calls to manage problems for the mapped user identities, such as calls to reset these passwords when users forget them. However, your security policy password rules are still in effect and you must still manage these user profiles for users whenever the password expires.

To further benefit from your single sign-on environment, you may want to consider changing the password setting for those user profiles that are the target of identity mappings. As the target of an identity mapping, the user no longer needs to provide the password for the user profile when the user accesses an IBM i platform or EIM-enabled IBM i resource. For typical users, you can change the password setting to *NONE so that no password can be used with the user profile. The owner of the user profile no longer needs a password because of identity mapping and single sign-on. By setting the password to *NONE, you benefit further because you and your users no longer have to manage password expiration; additionally, no one can use the profile to sign on directly to an IBM i platform or access EIM-enabled IBM i resources with a password. However, you may prefer that administrators continue to have a password value for their user profiles in case they ever need to sign on directly to an IBM i platform. For example, if your EIM domain controller is down and identity mapping cannot occur, an administrator may need to be able to sign on directly to an IBM i platform until the problem with the domain controller is resolved.
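The following CL commands, added here as an example rather than taken from the IBM page, show the two password settings discussed above side by side: a mapped end-user profile with no password, and an administrator profile that keeps a password for the case where the EIM domain controller is unavailable. The profile names JOHND and ADMIN1 and the password placeholder are assumptions.

```cl
/* Added example, not IBM's own code. JOHND and ADMIN1 are placeholder  */
/* profiles; the password value is a placeholder to be replaced.        */

/* Mapped end user: no password at all. The profile can only be reached */
/* through identity mapping, so there is no password to expire, reset   */
/* or guess, and no direct sign-on with this profile is possible.       */
CHGUSRPRF USRPRF(JOHND) PASSWORD(*NONE)

/* Administrator: keep a password so the profile can still sign on      */
/* directly if the EIM domain controller is down. Force a change at the */
/* next sign-on so the placeholder never stays in use; the normal       */
/* password rules of the security policy continue to apply.             */
CHGUSRPRF USRPRF(ADMIN1) PASSWORD('Replace-Me-Now1') PWDEXP(*YES)

/* Check: the basic profile display for JOHND should report the         */
/* no-password indicator as *YES (expected display field, assumed here). */
DSPUSRPRF USRPRF(JOHND) TYPE(*BASIC)
```

Because *NONE removes the password entirely rather than setting a long random one, it also sidesteps the password expiration interval (PWDEXPITV) and any password-change prompts, which is the benefit the text describes; the trade-off is that the profile is unusable until the domain controller is reachable, which is why administrative profiles are treated differently.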