Properties of Attributes in Account and Group Schemas
Attribute properties determine how attributes are used and managed in IdentityIQ. For example, you may want some attributes to support multiple values, or to be included in the Entitlement Catalog. Select Edit to open the Advanced Properties dialog to edit the attribute properties for accounts and groups.
Entitlement
Marking an attribute as an entitlement indicates that this is an access right you want to track for your identities (for example, to use in certifications). If you want this attribute to be requestable, to have an owner, and to have a description and display name, you must also mark it as Managed.
Managed
Attributes designated as Managed can be viewed and managed from the Entitlement Catalog page. Managed attributes can be made requestable, can be assigned an owner (for approvals or entitlement certifications), and can have display names and descriptions that will help users identify and understand them. They can also be used in policies and risk calculations.
When you do a group aggregation, all groups read from the aggregation are automatically included in the entitlement catalog as managed attributes.
Multi-valued
For some attributes, multiple values might be returned during aggregation (for example, an attribute indicating group membership). These should be marked as Multi-valued. Values for attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-valued attribute are stored as a single-item list.
Correlation Key
The Correlation Key flag is only used for activity and unstructured data aggregation. If activity aggregation is not being used, Correlation Key should not be selected. This flag specifies attributes that IdentityIQ can use to correlate activity discovered in the activity logs for this application with information stored in Identity Cubes. For information about correlating aggregated accounts to existing identities, see Correlation in Application Concepts.
For example, activity logs might contain the full name of users instead of unique account IDs. In that case, correlating the activity discovered by an activity scan with the Identity Cube of the user who performed the action must key off the user's full name.
Minable
Attributes that you want to use for role and profile creation should be marked as minable. This allows the Role Mining feature to mine applications for attributes and permissions when creating roles and profiles, rather than requiring manual entry of the values. Only attributes designated as minable are returned by those searches.
Remediation Modifiable
Attributes that are remediation modifiable can have their values and permissions modified as part of a certification, for the identity being certified. Options are:
- Select – in the certification, display a select list of all possible values or permissions for this attribute.
- Free text – in the certification, display a text field in which a certifier can enter any value.
- Readonly – the value cannot be modified.