Shared user registry overview
If you configure IBM® InfoSphere® Information Server to use an external user registry, you might be able to share the user registry between InfoSphere Information Server and the InfoSphere Information Server engine.
Sharing the user registry allows the application server, InfoSphere Information Server, and the InfoSphere Information Server engine to access the same user names, passwords, and group definitions. When the user registry is shared, authentication to the engine occurs silently by using the same credentials (user ID and password) that the user uses to authenticate with InfoSphere Information Server. In this mode, no credential mapping is required.
You can share the user registry in any of the following scenarios:
- The engine tier and the services tier are installed on the same computer, and InfoSphere Information Server is configured to use the local operating system user registry. In this case, they can share the local operating system user registry.
  Note: Sharing of the local operating system user registry is not supported in installations that include WebSphere® Application Server clustering.
- The engine tier and the services tier both use the same Lightweight Directory Access Protocol (LDAP) user registry for authentication. In this scenario, you must configure Pluggable Authentication Module (PAM) for the engine.
- The engine tier and the services tier are installed on separate computers, but both use the same Microsoft Windows Active Directory user registry (which is an LDAP user registry) for authentication.
- The engine tier and the services tier are installed on separate computers, but the computers are within the same domain. This configuration may have performance issues, and is not recommended.
  Note: This configuration is not supported in installations that include WebSphere Application Server clustering.
If the engine tier and services tier cannot share a user registry, you must create a mapping between credentials in the user registry that InfoSphere Information Server is using and valid user credentials that exist in the local operating system user registry on the computer where the engine is installed.
The engine tier cannot use the InfoSphere Information Server internal user registry. If InfoSphere Information Server is configured to use the internal user registry, you must configure credential mapping.
The following figure shows a configuration in which the engine tier and services tier are installed on the same computer. They both share the local operating system user registry. Specifically, the InfoSphere Information Server engine is configured to use the local operating system user registry. InfoSphere Information Server is configured to use the WebSphere Application Server user registry and then access the same operating system user registry.

The following figure shows a configuration in which the engine tier and services tier are installed on separate UNIX computers. They both share a common LDAP user registry. Specifically, the InfoSphere Information Server engine is configured to use the LDAP user registry. InfoSphere Information Server is configured to use the WebSphere Application Server user registry and then access the LDAP user registry. To provide the interface between the engine and the LDAP user registry, Pluggable Authentication Module (PAM) is configured on the engine tier computer.

After you share the user registry, you must still grant the engine tier operating system users the required permissions. See Permissions and groups configuration.