Azure PIM Attributes
Add the following attributes to the connector account schema.

| Name | Type | Details |
|---|---|---|
| azureEligibleRoles | String : Multivalued : Entitlement | List of Azure resource roles for which the user is eligible |
| azureADEligibleRoles | String : Multivalued : Entitlement | List of Azure AD roles for which the user is eligible |
| azureActiveRoles | String : Multivalued : Entitlement | List of Azure resource roles actively assigned to the user |
| azureADActiveRoles | String : Multivalued : Entitlement | List of Azure AD roles actively assigned to the user |
Membership Aggregation
Membership aggregation is part of account aggregation. PIM membership aggregation is added to the existing membership aggregation flow and is triggered only if the PIM flag is on and the required PIM attributes are present in the account schema.
For example:
- If the enablePIM attribute is true and only the Azure AD Roles: Active attribute (azureADActiveRoles) is present in the schema, only Azure AD role memberships for active assignments are aggregated.
- PIM memberships are aggregated per page: membership is fetched for the users returned in each page of the account aggregation, not for the whole tenant at once.
- PIM memberships for Azure resource roles (azureEligibleRoles, azureActiveRoles) are aggregated only if Azure Management is enabled and the respective attributes are present in the schema.
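The gating rules above (PIM flag, attribute present in schema, Azure Management required for resource roles, membership fetched per page) are easy to misread, so here is an added example that models them in Python. It is not connector code and does not call the PIM APIs; the PimAssignment field names, the principal and role IDs, and the page are constructed for illustration, while the four attribute names are the ones from the table above. Values are the roles' native identities (their id), which is also what the group-membership note below describes.

```python
from dataclasses import dataclass

# Schema attribute name -> (assignment state, role kind) it carries.
# Names are the four PIM attributes from the table above.
PIM_ATTRIBUTES = {
    "azureEligibleRoles":   ("eligible", "azure"),    # Azure resource roles
    "azureADEligibleRoles": ("eligible", "azureAD"),  # Azure AD directory roles
    "azureActiveRoles":     ("active",   "azure"),
    "azureADActiveRoles":   ("active",   "azureAD"),
}


@dataclass(frozen=True)
class PimAssignment:
    """One PIM role assignment as it might come back from the PIM APIs.
    Field names are this example's own assumption, not the connector's."""
    principal_id: str   # object ID of the assigned user or group
    role_id: str        # native identity of the role (the 'id' attribute)
    display_name: str   # the role's displayName
    state: str          # "eligible" or "active"
    kind: str           # "azure" (resource role) or "azureAD" (directory role)


def attributes_to_aggregate(schema_attrs, enable_pim, azure_management):
    """Decide which PIM attributes get populated for this aggregation.

    - nothing at all unless the enablePIM flag is on;
    - only attributes that are actually present in the schema;
    - Azure resource role attributes additionally need Azure Management enabled.
    """
    if not enable_pim:
        return []
    selected = []
    for name in schema_attrs:
        if name not in PIM_ATTRIBUTES:
            continue
        _, kind = PIM_ATTRIBUTES[name]
        if kind == "azure" and not azure_management:
            continue
        selected.append(name)
    return selected


def aggregate_page(page_ids, assignments, schema_attrs, enable_pim, azure_management):
    """Populate the selected PIM attributes for the principals in one page.

    Membership is fetched per page: assignments whose principal is not in
    page_ids are ignored here and picked up when their own page is processed.
    Values are the roles' native identities (ids); display names are resolved
    through the matching group schema object, not stored on the account.
    """
    selected = attributes_to_aggregate(schema_attrs, enable_pim, azure_management)
    result = {pid: {attr: [] for attr in selected} for pid in page_ids}
    for a in assignments:
        if a.principal_id not in result:
            continue
        for attr in selected:
            state, kind = PIM_ATTRIBUTES[attr]
            if (a.state, a.kind) == (state, kind):
                result[a.principal_id][attr].append(a.role_id)
    return result


def role_catalog(assignments):
    """Build the group-schema-object records (id -> displayName) that let the
    native identities above resolve to readable names."""
    return {a.role_id: a.display_name for a in assignments}


# Constructed sample data for this example (not from any real tenant).
SAMPLE_ASSIGNMENTS = [
    PimAssignment("user-alice", "adrole-0001", "Security Reader", "eligible", "azureAD"),
    PimAssignment("user-alice", "adrole-0002", "User Administrator", "active", "azureAD"),
    PimAssignment("user-alice", "azrole-0001", "Contributor", "active", "azure"),
    PimAssignment("user-bob",   "adrole-0001", "Security Reader", "active", "azureAD"),
]
SAMPLE_PAGE = ["user-alice", "user-carol"]   # bob is on a later page

if __name__ == "__main__":
    schema = ["azureADEligibleRoles", "azureADActiveRoles", "azureActiveRoles"]
    page = aggregate_page(SAMPLE_PAGE, SAMPLE_ASSIGNMENTS, schema,
                          enable_pim=True, azure_management=False)
    for pid, attrs in page.items():
        print(pid, attrs)
```

With Azure Management disabled, alice's azureActiveRoles is not populated even though the attribute is in the schema and she holds an active Azure resource role; that silent omission is the case to check for when a PIM-assigned subscription role does not appear after aggregation.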
Membership Aggregation of PIM roles for AzureAD groups
Azure and Azure AD PIM role assignments for Azure AD groups are visible as entitlement attributes after running group (entitlement) aggregation ONLY when the relevant role attributes (listed above under Azure PIM Attributes) are added to the group schema and the PIM flag is true.
Note
The PIM membership for such groups shows only the native identity (id) of the assigned PIM roles, not their display names.
Group Schema Objects
The following new group schema objects are supported.
Azure AD Eligible Role
Object Type is azureADEligibleRole, Identity Attribute is id, and the Display Attribute is displayName. Its attributes are:
- displayName: Eligible role display name.
- id: Azure AD eligible role ID. This is an account ID which must not be changed.
- Indicates whether the role is custom or built-in.
- Name of the role.
- Scope at which the role can be assigned.
Azure AD Active Role
Object Type is azureADActiveRole, Identity Attribute is id, and the Display Attribute is displayName. Its attributes are:
- displayName: Active Azure AD role display name.
- id: Azure AD active role ID. This is an account ID which must not be changed.
- Indicates whether the role is custom or built-in.
- Name of the role.
- Scope at which the role can be assigned.
Azure Active Role
Object Type is azureActiveRole, Identity Attribute is id, and the Display Attribute is displayName. Its attributes are:
- displayName: Active role display name.
- id: Azure active role ID. This is an account ID which must not be changed.
- Indicates whether the role is custom or built-in.
- Name of the role.
- Scope at which the role can be assigned.
Azure Eligible Role
Object Type is azureEligibleRole, Identity Attribute is id, and the Display Attribute is displayName. Its attributes are:
- displayName: Eligible role display name.
- id: Azure eligible role ID. This is an account ID which must not be changed.
- Indicates whether the role is custom or built-in.
- Name of the role.
- Scope at which the role can be assigned.