EIM Identifier Naming

Enterprise Identity Mapping (EIM) is the technology that allows the IBM i to determine which user profile should be used to establish a connection for a person who has authenticated to an IBM i interface using non-IBM i credentials. EIM is easy to set up, but there is one thing you can do that will save you time and effort later.

A quick overview of EIM will help explain the tip. EIM consists of three categories of information:

1. EIM Identifiers representing people and entities (e.g., service userIDs) within the organization that have user IDs
2. User Registry Definitions representing the various places where userIDs are defined (Active Directory, each IBM i partition, application related user registries, etc.)
3. Identity Mapping Associations which represent the relationship between a specific user ID in a particular user registry and the EIM Identifier with which it is associated

EIM Identifiers consist of an identifier name, an optional description, optional additional information–called aliases in iNavigator–and user ID associations for that identifier. In working with customers implementing SSO, I find the first thought most folks have for naming EIM identifier is to use the name of the person represented by the EIM Identifier.

This makes sense except for one thing: names change. They change due to marriage, divorce, and personal choice. It’s hard to transfer institutional knowledge such as “Jane Doe is really Jane Washington who got married 10 years ago and changed her name” to new administrators. This alone wouldn’t be too big of an issue. However, the only way to change the EIM Identifier name is to delete it. All the other data in or associated with an EIM identifier can be changed, but not the identifier name.

I recommend that employee numbers be used for EIM Identifier names. Most companies use them and they don’t change. If your company doesn’t use employee numbers, I recommend assigning a unique number for each new identifier. If you have 1,000 employees, for example, you might assign “1” to the first identifier created, “2” to the second, and so on. To make displays and reports look a little neater, you might use “0001”, “0002” and so on instead. It doesn’t matter what value is assigned to which identifier as long as it is unique.

So how does an administrator know which EIM identifier represents which person? That’s a great question and there’s an easy answer: Put the person’s full name in the description field. This works great because the EIM management GUI in iNavigator shows the identifier name in the first column and the description in the second column. Better yet, you can sort on either field. So if you’re looking for the identifier for a particular person, just sort on the description field and the names will be in alphabetical order. If you want the names to be sorted on last name, just put the last name first in the description field (e.g. “Botz, Patrick” or “Botz, Patrick S” if you are worried about people that share names like “John J Johnson” and “John E Johnson”). The description field can contain nearly any character you can figure out how to enter from a keyboard, so that shouldn’t be an issue either.

Patrick Botz is President and CTO of Botz & Associates. His expertise includes security strategy, security policy enforcement, password management, single sign-on (SSO), industry and government compliance, and biometrics. He is the architect of the SSO stat! service. Previously he worked as Lead Security Architect at IBM, and he founded the IBM Lab Services security consulting team. You can connect with Pat here.

RELATED STORY

Job User Name And Current Job User