Account Attributes
In this example, if IdentityIQ finds an attribute named Service with a value of true on the application DB Application, the account is marked as a service account. In this case the database connector already provides an attribute value that reflects the service state, so a simple mapping is all that is required.
Note: After configuring these attributes you must re-aggregate or refresh the identity cubes to set the values.
To configure the mapping:
- Access the Account Attributes page.
  Select the System Setup tab and select Account Mappings from the table.
- Click Add New Attribute to display the Edit Account Attribute page.
- Specify the following values:
  - Attribute Name – service
  - Display Name – Service Account
  - Edit Mode – Read Only
  - Attribute Type – Boolean
  - Searchable – Read Only
  - Multi-Valued – this is not a multi-valued attribute, so do not select this field.
- Click Add Source Mapping to display the Add a source to the attribute dialog.
- Map the attribute:
  - Select Application Attribute.
  - Select DB Application from the Application dropdown list.
  - Select Service from the Attribute dropdown list.
- Click Add.
In this example, if IdentityIQ finds an account that is a member of the group Domain Admins on any AD application, that account should be marked as a privileged account.
- Write the rule to define the logic.
  This rule checks each account on every AD application and looks for the Domain Admins group. If the Domain Admins group is found, the rule returns true and the account is considered privileged; on an AD application without the group it returns false, and on any other application it returns null so the attribute is left unset.
<Rule language="beanshell" name="Example privileged promotion rule"
      type="LinkAttribute">
  <Source>
  <![CDATA[
    // Null means "no value": only AD applications get true or false.
    Boolean privileged = null;
    if ( link.getApplication().getName().contains("AD") ) {
      privileged = Boolean.FALSE;
      // memberOf holds the DNs of the groups the account belongs to.
      List groups = (List) link.getAttribute("memberOf");
      if ( groups != null ) {
        for ( String group : groups ) {
          if ( ( group != null ) &&
               ( group.startsWith("cn=Domain Admins") ) ) {
            privileged = Boolean.TRUE;
          }
        }
      }
    }
    return privileged;
  ]]>
  </Source>
</Rule>
- Access the Account Attributes page.
  Go to the Global Settings and select Account Mappings.
- Click Add New Attribute to display the Edit Account Attribute page.
- Specify the following values:
  - Attribute Name – service
  - Display Name – Service Account
  - Edit Mode – Read Only
  - Attribute Type – Boolean
  - Searchable – Read Only
  - Multi-Valued – this is not a multi-valued attribute, so do not select this field.
- Click Add Source to display the Add a source to the attribute dialog.
- Map the attribute:
  - Select Global Rule (all applications).
  - Select Example privileged promotion rule from the Application dropdown list.
- Click Save.
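Before relying on the promotion rule above in certifications, it is worth checking its membership test against the DN forms a directory really returns. The following stand-alone Python model is an added example, not IdentityIQ code: it keeps the page's exact prefix test for comparison beside a version that matches the first RDN of the group DN case-insensitively, and it assumes (constructed sample data) that memberOf values are LDAP DNs and that a single value may arrive as a plain string.

```python
from typing import List, Optional, Union

# Constructed sample accounts (application name, memberOf value); not real directory data.
SAMPLE_LINKS = [
    ("AD Corporate", ["CN=Domain Admins,CN=Users,DC=example,DC=com"]),          # upper-case CN
    ("AD Corporate", ["cn=Domain Admins Helpdesk,ou=Groups,dc=example,dc=com"]),  # similar name
    ("AD Corporate", "cn=Domain Admins,cn=Users,dc=example,dc=com"),            # single string
    ("AD Corporate", None),                                                      # no groups
    ("DB Application", ["cn=Domain Admins,ou=Groups,dc=example,dc=com"]),       # not an AD app
]

PRIVILEGED_RDN = "cn=domain admins"   # first RDN of the group DN, compared case-insensitively


def rule_as_written(group: str) -> bool:
    """The membership test from the page's rule: a case-sensitive prefix match."""
    return group.startswith("cn=Domain Admins")


def first_rdn(dn: str) -> str:
    """Return the first RDN of an LDAP DN, lower-cased and trimmed.
    Escaped commas (\\,) stay inside the RDN, so 'CN=Smith\\, J,...' is one RDN."""
    rdn, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            rdn.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            break
        rdn.append(dn[i])
        i += 1
    return "".join(rdn).strip().lower()


def promote_privileged(app_name: str, member_of: Union[None, str, List[str]]) -> Optional[bool]:
    """Mirror of the LinkAttribute rule: None when the application is not an AD
    application (attribute left unset), False for an AD account without the group,
    True when memberOf holds the Domain Admins group DN."""
    if "AD" not in app_name:
        return None
    if member_of is None:
        return False
    if isinstance(member_of, str):        # assumption: one value may come back as a string
        member_of = [member_of]
    return any(g is not None and first_rdn(g) == PRIVILEGED_RDN for g in member_of)


def classify_samples() -> List[Optional[bool]]:
    """Run the model over the constructed accounts; the first two rows are the
    cases where the prefix test and the RDN test disagree."""
    return [promote_privileged(app, groups) for app, groups in SAMPLE_LINKS]
```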
Assign icons to extended attributes to highlight these accounts in certifications and on the detailed identity pages. To assign icons you must modify the UIConfig file and add an AccountIconConfig entry for each value that should be recognized.
The following example references the attributes defined in this section.
<ImportAction name='merge'>
  <UIConfig name='UIConfig'>
    <Attributes>
      <Map>
        <entry key='accountIconConfig'>
          <value>
            <List>
              <!-- This indicates that when we are displaying accounts and we see
                   the value "true" for the extended account attribute named
                   privileged we should display the icon listed in the "source"
                   attribute. The title will be used in hover-over help. -->
              <AccountIconConfig attribute="privileged"
                                 value="true"
                                 source="/images/icons/privilege_16.png"
                                 title="This is a privileged account"/>
              <!-- This indicates that when we are displaying accounts and we see
                   the value "true" for the extended account attribute named
                   service we should display the icon listed in the "source"
                   attribute. The title will be used in hover-over help. -->
              <AccountIconConfig attribute="service"
                                 value="true"
                                 source="/images/icons/service.png"
                                 title="This is a service account"/>
            </List>
          </value>
        </entry>
      </Map>
    </Attributes>
  </UIConfig>
</ImportAction>