
Identity Mappings

The Identity Mappings feature is where you configure the identities that are managed by IdentityIQ. This is where you specify the applications and application attributes from which the identity data is derived.

Use the Identity Attributes page to view and edit the identity attributes information for your configuration. These attributes are used throughout the product for certifications, searches, and to collect and correlate identity data from applications.

IdentityIQ also supports the use of Robotic Process Automation (RPA) or bot identities. A bot is an application that performs automated tasks, especially simple, repetitive tasks such as requesting access and managing identities. See Robotic Process Automation (Bot) Identities for more information.

The Identity Attributes page lists any attributes that have been configured in your system, and shows the primary source mapping and any advanced options that have been configured for each attribute. For details on how to edit and further configure identity attributes, see Edit Identity Attributes.

Attribute
The Attribute column shows the display name of the identity attribute, which is derived from the attribute and its associated application in the Primary Source Mapping column. The following attributes are required by IdentityIQ to perform correctly:

  • ID

  • manager

  • email

  • firstname

  • lastname

Manager and role are system attributes that are configured for grouping. However, you can use any identity attribute for grouping by defining it as a group factory in the Advanced Options.

Primary Source Mapping
The Primary Source Mapping column lists the first of the application/attribute pairs from which employee attributes are derived. If the required data is unavailable on this primary source, the collection process continues down the list of configured sources until the information is found.
Set up the list of sources on the Edit Identity Attributes page.
Setting the same application and attribute as both the source and the target for an identity attribute creates a circular reference.
Identity attributes with circular references between sources and targets can cause values to change on every attribute synchronization. This is a problem when a transformation rule modifies a value without first checking whether the identity attribute value has already been transformed.

Advanced Options
The Advanced Options column shows some of the main options that are enabled for this attribute. Additional Advanced Options can be configured in the Edit Identity Attributes Page.

  • Editable – the attribute can be edited.

  • Group Factory – the attribute can be used to create groups that are used for analytical purposes throughout IdentityIQ.

  • Searchable – the attribute is available for filtering in identity searches.

To add a new identity attribute, click Add New Attribute. For details on how to set up new identity attributes, see How to Add or Edit Identity Attributes and the Edit Identity Attributes Page.

To delete identity attributes, right-click the attribute and select Delete.

Note

Deleting an identity attribute also deletes any group factories that reference it. Review the group factory information in the Confirm Deletion of Attribute dialog before clicking Yes.

Edit Identity Attributes Page

Use the Edit Identity Attribute page to create and edit identity attributes including the display name, advanced options and source mapping.

The maximum number of searchable attributes you can create is defined during the application installation and configuration process and controlled from the System Setup pages. The default number is ten (10). See Create Icons to Represent Specialized Account Attributes.

To support the governance of bots, IdentityIQ has three standard attributes in the identity object that enable you to do things like run a focused certification on just bots.

The attributes are:

  • Type: an attribute to define the type of identity. The standard values for this attribute are:

    • Employee

    • Contractor

    • External / Partner

    • RPA / Bots

    • Service Account

However, you can define your own types in addition to these five by editing the XML in the Debug pages.

  • Version – an attribute that indicates which version of software the bot is using. This attribute is intended to be used only for bots.

  • Administrator – the owner (certifier) of the bot. This is used instead of manager for bots throughout IdentityIQ.

The Edit Identity Attribute page contains the following fields.

Identity Attribute:

  • Attribute Name – the name of the attribute as it is used throughout IdentityIQ. For example, this is the name used to identify this attribute in rules.

  • Display Name – the user-assigned name shown in IdentityIQ.

Advanced Options:

  • Attribute Type – select from the following attribute types:
      String – creates a text-editable field.
      Identity – creates a drop-down list from which you choose an existing identity.

  • Edit Mode – enable editing of this attribute from the Identity pages:
      Read Only – this attribute cannot be edited from the Identities pages.
      Permanent – changes made on the Identities pages are not overwritten by refresh tasks.
      Temporary – changes made on the Edit Identity page are overwritten in the next aggregation task if a new (changed) value for the attribute is brought over from the feed/source.

  • Searchable – enable this attribute for use in searches and filtering throughout IdentityIQ.

  • Multi-Valued – specify attributes for which multiple values might be returned during aggregation. Attributes flagged as multi-valued are stored as a list; even objects that have a single value for a multi-valued attribute are stored as a single-item list. Multi-valued attributes are used for queries throughout the product.

  • Group Factory – enable this attribute for use in creating groups used for analytical purposes throughout IdentityIQ.

  • Value Change Rule – specify a rule to run every time a change is detected on this attribute during the aggregation process. For example, a rule can be written to send change notifications, request change approval, or launch a certification. Click the [...] icon to launch the Rule Editor to make changes to your rules if needed. See Using the Rule Editor.

  • Value Change Workflow – specify a business process to run every time a change is detected on this attribute during the aggregation process. For example, a business process can be written to send change notifications, request change approval, or launch a certification.

  • Sync with Workflow – use a business process to handle attribute synchronization. If you set the source and target mapping to the same application/attribute pair, you create a circular reference in which the value changes continuously with every attribute synchronization.

Visibility Selector:

  Restrict the visibility of identity attributes and extended identity attributes during access reviews by applying specific visibility rules. These rules are configurable, enabling administrators to specify which attributes should be visible to users participating in the review process.

Source Mappings:

  The list of application/attribute pairs from which employee attributes are derived. If the required data is unavailable on the primary source, the collection process continues down the list of configured sources until the information is found.

Target Mappings (only available for Identity attribute types):

  When creating or editing an Identity attribute, use the Target Attribute options to define the targets that are the basis for attribute synchronization. Click Add Target to display the Add a target to the AttributeName attribute dialog, and complete all of the information.

How to Add or Edit Identity Attributes

Note

When mapping to a named column, specify the name to match the .hbm.xml property name, not the database column name. With camel case, the database column name is translated to lower case with underscore separators. For example, costCenter in the Hibernate mapping file becomes cost_center in the database.

Begin by clicking Add New Attribute or clicking an existing attribute to display the Edit Identity Attribute page.

Enter or change the Attribute Name and an intuitive Display Name.

Note

You cannot define an extended attribute with the same name as any existing identity attribute.

Caution

Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.

Advanced Options

Advanced options are optional. The Advanced Options you can set are described on the Edit Identity Attributes Page.

Source Mappings

Click Add Source to display the Add a source dialog, then specify a source for the new attribute. You can use more than one source for the attribute.

Map directly to an attribute on an application

For Application Attributes you have the option to also make this source a target for attribute synchronization. If there are multiple source applications on which a user might have accounts, you would likely want to push the most authoritative value to the rest of the accounts.

  1. Select Application Attribute.

  2. Select an application from the Application dropdown list.

  3. Select an attribute from the Attribute dropdown list.

  4. Click Add.

Map to an application rule

This rule only applies to the application specified.

  1. Select Application Rule.

  2. Select an application from the Application dropdown list.

  3. Select a rule from the Rule dropdown list.

  4. Click Add.

Map to a global rule

This rule applies to all applications that contain this attribute.

  1. Select Global rule (all apps).

  2. Select a rule from the Rule dropdown list.

  3. Click Add.

When you have added your sources for the attribute, use the arrows to the right of the sources list to arrange the search order for the attribute sources. When aggregation tasks run, they search the source at the top of the list (the primary source) first and then work down the list.

Visibility Selector

A Visibility Selector is used to protect privacy-sensitive identity attributes, ensuring that only identities with a valid need are granted access to view them.

Note

This is applicable only for identity attributes and extended attributes. It is not applicable for standard and system type identity attributes.

By default, "Everyone" is selected under the Visibility Selector, which means all the identities can view all the attributes.

The following options are available under Visibility Selector:

  • Match List – only identities whose attributes match the criteria specified in the list. The criteria are configured using the tools provided. Add identity attributes, application attributes, and application permissions. Customize further by creating attribute groups to which this assignment rule applies.

Note

If Is Null is selected, the associated value text box is disabled. When the Is Null match is processed, the term matches users on the chosen application who have a null value for that attribute or permission.

  • Filter – a custom database query for role creation.
  • Script – a custom script for role creation.
  • Rule – select an existing rule from the dropdown list.

Note

To make changes to rules, select the [...] icon to open the Rule Editor if needed.

  • Population – select an existing population and apply the visibility selector to its identity attributes.

When the visibility of an identity attribute is restricted, it is hidden from view in these UIs:

  1. Manage Identity - Edit Identity

  2. Manage Identity - View Identity

  3. Manage Identity - Create Identity

  4. Identities - Identity Warehouse - Results table

  5. Identities - Identity Warehouse - (view identity) - Attributes Tab

  6. Identities - Identity Warehouse - (view identity) - Attributes Tab - Edit

  7. Identities - Identity Warehouse - (view identity) - History Tab

  8. Intelligence - Identity Risk Scores - Group to filter by drop down

  9. Identities - Identity Correlation - Select Target Identity - Click on Identity

  10. Identities - Identity Correlation - Advanced Search - Extended Attributes

Target Mappings

For Identity attribute types only, add targets for attribute synchronization.

  1. Select Add Target to display the Add a target to the attribute dialog.

  2. Select the application to receive the value.

  3. Select the attribute to receive the value.

  4. Optional: Select a transformation rule to transform the value before it is set on the destination.

  5. Optional: Select Provision All Accounts to provision all of the identity's accounts on the targeted application. If you disable this option, you are asked to select the accounts to provision manually.

Click Save to create the new attribute and return to the Identity Attribute page.
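The ordered source search described under Source Mappings and the transformation rule from the Target Mappings steps above, as an added example that is not IdentityIQ product code: it models primary-source-first resolution and shows why a target mapping that points back at its own source, combined with a transformation rule that does not check for already-transformed values, changes the value on every synchronization. The account data, the `corp\` prefix and the two rule functions are constructed for illustration.

```python
# Added example, not IdentityIQ product code. Simulates two behaviours the
# page describes: walking an ordered source-mapping list until a value is
# found, and what happens when a target mapping points back at its own source
# with a transformation rule that does not check for already-transformed values.
from typing import Callable, Optional

Mapping = tuple[str, str]                     # (application, attribute) pair
Accounts = dict[str, dict[str, Optional[str]]]

def sample_accounts() -> Accounts:
    """Constructed sample account data: application -> attribute -> value."""
    return {
        "HR": {"email": None, "department": "Finance", "login": "jdoe"},
        "AD": {"email": "jdoe@example.com", "department": None},
    }

def resolve(sources: list[Mapping], accounts: Accounts) -> Optional[str]:
    """Primary source first; fall through to later sources while the value is empty."""
    for app, attr in sources:
        value = accounts.get(app, {}).get(attr)
        if value not in (None, ""):
            return value
    return None

def synchronize(accounts: Accounts, source: Mapping, target: Mapping,
                transform: Callable[[str], str], cycles: int = 3) -> list[str]:
    """Run `cycles` attribute synchronizations: read the identity value from
    `source`, apply the transformation rule, write the result to `target`.
    Returns the target value observed after each cycle."""
    history = []
    for _ in range(cycles):
        value = resolve([source], accounts)
        if value is None:
            break
        accounts[target[0]][target[1]] = transform(value)
        history.append(accounts[target[0]][target[1]])
    return history

def is_stable(history: list[str]) -> bool:
    """True when synchronization converged (the value stopped changing)."""
    return len(set(history)) <= 1

# Constructed transformation rules. PREFIX marks a value as already transformed.
PREFIX = "corp\\"

def naive_transform(value: str) -> str:
    return PREFIX + value                     # re-applied on every sync cycle

def guarded_transform(value: str) -> str:    # idempotent: checks before transforming
    return value if value.startswith(PREFIX) else PREFIX + value
```

Mapping `("HR", "login")` to itself with `naive_transform` yields a value that grows every cycle, while `guarded_transform` converges after the first synchronization.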