Modernization Hub

EIM - Enterprise Identity Mapping

Enhanced Definition

Enterprise Identity Mapping (EIM) is an IBM technology that maps a single enterprise identity (representing a real person or service) to the multiple, differently named user identities that person holds across operating systems and applications within an enterprise. On z/OS, EIM correlates external identities (for example a Windows or Linux account, a web application login, a Kerberos principal, or a digital certificate) with the corresponding z/OS user ID, integrating mainframe security (e.g., RACF) with distributed security environments. This gives a unified view of a user across hybrid IT environments, supports cross-platform authentication and authorization, simplifies identity management, and enables single sign-on (SSO) scenarios.

Key Characteristics

    • Cross-Platform Identity Resolution: Allows a logical enterprise user to have different user IDs on various systems (e.g., a RACF user ID on z/OS, an Active Directory ID on Windows, an LDAP entry) and maps them to a single enterprise identity.
    • Centralized Mapping Store: Utilizes an LDAP directory (such as IBM Security Directory Server or z/OS LDAP Server) to store all identity mappings, providing a central point for administration and lookup.
    • API-Driven Integration: Provides APIs (e.g., EIM C API, GSS-API for Kerberos) that z/OS applications and middleware can use to query and resolve enterprise identities to local system user IDs.
    • Support for Kerberos Authentication: Frequently used in conjunction with Kerberos to facilitate Single Sign-On (SSO) between distributed systems and z/OS applications, mapping Kerberos principals to z/OS user IDs.
    • Policy-Based Mapping: Supports various types of identity associations, including user-defined associations (managed by the user) and administrative associations (managed by administrators), allowing flexible mapping policies.
    • Auditing Capabilities: Provides mechanisms to log and audit EIM lookup requests and mapping changes, which is essential for security compliance and troubleshooting.

Use Cases

    • Single Sign-On (SSO) for z/OS: Enables users to authenticate once to a distributed system (e.g., a Windows domain) and then access z/OS resources (like CICS transactions, DB2 data, or USS applications) without re-entering credentials, using their mapped z/OS identity.
    • Application Integration: Facilitates secure communication and identity propagation between z/OS applications and distributed applications where the same logical user might have different local system IDs.
    • Simplified User Management: Reduces the administrative overhead of managing multiple distinct user IDs for the same individual across an enterprise by centralizing the identity mapping process.
    • Cross-Platform Auditing: Provides a consistent way to track user activity across heterogeneous systems, even when identities are mapped, which is vital for regulatory compliance.

Related Concepts

EIM works in conjunction with Security Servers like RACF (Resource Access Control Facility) on z/OS, providing the mechanism to link a RACF user ID to an identity in a distributed environment. It relies heavily on LDAP directories (such as z/OS LDAP Server) to store its mapping information. When implementing Kerberos authentication for z/OS, EIM is a critical component for mapping the Kerberos principal to the corresponding z/OS user ID, thereby enabling Single Sign-On (SSO). It integrates with various z/OS subsystems and applications (e.g., CICS, DB2, IMS, z/OS UNIX System Services) that require cross-platform identity resolution.
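The following is an added illustration, not IBM's EIM API or any product code, of the mapping model described under Key Characteristics and in the paragraph above: identifiers with source and target associations held in a central store, a source-to-target lookup from a Kerberos registry to a RACF registry, and an audit record for every lookup. Registry names, principals and user IDs are constructed; the second identifier is deliberately given two RACF targets to show that an ambiguous mapping is refused rather than guessed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Association:
    """A (registry, user) pair attached to an EIM identifier."""
    registry: str  # registry definition name, e.g. "KRB.EXAMPLE.COM" (constructed)
    user: str      # the user's identity as that registry knows it

@dataclass
class Identifier:
    """An EIM identifier: one enterprise user, with source and target associations."""
    name: str
    sources: set = field(default_factory=set)  # identities that authenticate as this person
    targets: set = field(default_factory=set)  # identities this person may be resolved to

class EimDomain:
    """Toy stand-in for the LDAP-backed EIM domain (not IBM's EIM API)."""
    def __init__(self):
        self.identifiers = {}
        self.audit = []  # every lookup is recorded for later review

    def identifier(self, name):
        return self.identifiers.setdefault(name, Identifier(name))

    def get_target_from_source(self, src_registry, src_user, tgt_registry):
        """Resolve a source identity to the single target-registry user, or None."""
        src = Association(src_registry, src_user)
        owners = [i for i in self.identifiers.values() if src in i.sources]
        targets = {a.user for i in owners for a in i.targets if a.registry == tgt_registry}
        if len(targets) == 1:
            result, outcome = next(iter(targets)), "OK"
        elif not targets:
            result, outcome = None, "NO_MAPPING"
        else:  # more than one candidate: refuse rather than guess
            result, outcome = None, "AMBIGUOUS"
        self.audit.append(f"lookup {src_registry}:{src_user} -> {tgt_registry} = {outcome}")
        return result

def build_sample_domain():
    """Constructed sample data: names, registries and user IDs are invented."""
    d = EimDomain()
    jane = d.identifier("Jane Doe")
    jane.sources.add(Association("KRB.EXAMPLE.COM", "jdoe@EXAMPLE.COM"))
    jane.sources.add(Association("AD.EXAMPLE.COM", "EXAMPLE\\jdoe"))
    jane.targets.add(Association("ZOS.RACF", "JDOE01"))
    svc = d.identifier("Batch Service")  # misconfigured: two RACF targets
    svc.sources.add(Association("KRB.EXAMPLE.COM", "svc-batch@EXAMPLE.COM"))
    svc.targets.add(Association("ZOS.RACF", "BATCH01"))
    svc.targets.add(Association("ZOS.RACF", "BATCH02"))
    return d
```

Reviewing the audit list for AMBIGUOUS or NO_MAPPING outcomes is the kind of check the auditing capability above exists to support: both indicate a mapping that needs administrative attention before SSO will work for that user.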

Best Practices:
