Adding Additional Group Types

Perform the following steps to configure additional group types.

  1. After upgrading IdentityIQ, go to the account schema of the application and save the application.

  2. Add the required group schema.

    The following is a sample schema for a sudoRole:

    Copy 
    <Schema aggregationType="group" created="" displayAttribute="cn" 
    featuresString="PROVISIONING" 
    id="" identityAttribute="dn" instanceAttribute="" modified="" 
    nativeObjectType="sudoRole" 
    objectType="sudoRole">
          <AttributeDefinition name="cn" type="string">
              <Description>common name(s) for which the entity is 
              known by</Description>
          </AttributeDefinition>
          <AttributeDefinition name="dn" type="string">
             <Description>Directory Path</Description>
          </AttributeDefinition>
          <AttributeDefinition name="ou" type="string">
             <Description>organizational unit this object belongs to</Description>
          </AttributeDefinition>
          <AttributeDefinition name="description" type="string">
             <Description>descriptive information</Description>
          </AttributeDefinition>
          <AttributeDefinition  multi="true" name="sudoUser" type="string">
             <Description>unique member of a sudoRole </Description>
          </AttributeDefinition>
          <Attributes>
            <Map>
              <entry key="groupMemberAttribute" value="sudoUser"/>
              <entry key="memberAttribute">
                <value>
                  <List>
                    <String>cn</String>
                    <String>uid</String>
                  </List>
                </value>
              </entry>        
            </Map>
          </Attributes>
    </Schema>
  3. Add the entitlement attribute to the account schema.

For a new group schema, you can add entitlement attributes in the account schema from the IdentityIQ interface. Ensure that the following steps are performed after creating an entitlement attribute:

  1. Change the entitlement attribute type from String to the new group schema's objectType.

  2. Mark the entitlement attribute as Managed, Entitlement, and Multivalued.

If nisnet and posix groups are configured as entitlements, you can manage them on an upgraded application as groups. Perform the following steps:

  1. Add the nisnet and posix group schemas from the application Debug menu and save the application.

    Note
    Name of the schema objectType must match with objectType="nisNetgroup" or objectType="posixgroup" respectively.

  2. In IdentityIQ, go to the application's account schema and change the entitlement attribute type from String to posixgroup or nisNetgroup accordingly and save the application.

Note

The multigroup application supports static groups as follows:

  • groupofUniqueNames

  • groupOfNames

  • nisNetgroup

  • posixgroup

  • sudoRole

For nisNetgroup memberships in the nisNetgroupTriple attribute, all types of braces are supported. By default, curly braces ({) are supported.

For example:

{host1,user1,} (host1,user1,), [host1,user1,], is a supported format. Whereas <host1,user1,> is an unsupported format.

If user1 has nisnetgroup memberships in the format using anything other than curly braces, round braces, or square braces, then this entitlement is not retrieved.

If you want to use angular braces (<) the format should be &lt;.

The nisNetgroup entitlement is added only with the user portion of the nisNetgroupTriple attribute value. The domain and host counterpart are not incorporated.

For example, on Tivoli, {,user1,} is the value of the nisNetgroupTriple attribute after adding an entitlement for user1 on a nisNetgroup.