How to Add or Edit Identity Attributes

Note: When mapping to a named column, specify the name to match the .hbm.xml property name, not the database column name. With camel case, the database column name is translated to lower case with underscore separators. For example, costCenter in the Hibernate mapping file becomes cost_center in the database.

Begin by clicking Add New Attribute or clicking an existing attribute to display the Edit Identity Attribute page.

Enter or change the Attribute Name and an intuitive Display Name.

Note: You cannot define an extended attribute with the same name as any existing identity attribute.

Caution: Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.

Advanced Options

Advanced options are optional. The Advanced Options you can set are described on the Edit Identity Attributes Page.

Source Mappings

Click Add Source to display the Add a source dialog, then specify a source for the new attribute. You can use more than one source for the attribute.

When you have added your sources for the attribute, use the arrows to the right of the sources list to arrange the search order for the attribute sources. When aggregation tasks are run, they search the source at the top of the list (the primary source) first and then work down the list.

Visibility Selector

A Visibility Selector is used to protect privacy-sensitive identity attributes, ensuring that only identities with a valid need are granted access to view them.

Note: This is applicable only for identity attributes and extended attributes. It is not applicable for standard and system type identity attributes.

By default, "Everyone" is selected under the Visibility Selector, which means all the identities can view all the attributes.

The following options are available under Visibility Selector:

Match List – only identities that match the criteria specified in the list. The criteria are configured using the tools provided. Add identity attributes, application attributes, and application permissions. Customize further by creating attribute groups to which this assignment rule applies.

Note: If Is Null is selected, the associated value text box is disabled. When the Is Null match is processed, the term matches users on the chosen application who have a null value for that attribute or permission.

Filter – a custom database query for role creation.
Script – a custom script for role creation.
Rule – select an existing rule from the dropdown list.

Note: To make changes to rules, select the [...] icon to open the Rule Editor if needed.

Population – select an existing population and apply the visibility selector to its identity attributes.

When the visibility of an identity attribute is restricted, it is hidden from view in these UIs:

  1. Manage Identity - Edit Identity

  2. Manage Identity - View Identity

  3. Manage Identity - Create Identity

  4. Identities - Identity Warehouse - Results table

  5. Identities - Identity Warehouse - (view identity) - Attributes Tab

  6. Identities - Identity Warehouse - (view identity) - Attributes Tab - Edit

  7. Identities - Identity Warehouse - (view identity) - History Tab

  8. Intelligence - Identity Risk Scores - Group to filter by drop down

  9. Identities - Identity Correlation - Select Target Identity - Click on Identity

  10. Identities - Identity Correlation - Advanced Search - Extended Attributes

Target Mappings

For Identity attribute types only, add targets for attribute synchronization:

  1. Select Add Target to display the Add a target to the attribute dialog.

  2. Select the application to receive the value.

  3. Select the attribute to receive the value.

  4. Optional: Select a transformation rule to transform the value before it is set on the destination.

  5. Optional: Select Provision All Accounts to provision all of the identity's accounts on the targeted application. If you disable this option, you are asked to select the accounts to provision manually.

Click Save to create the new attribute and return to the Identity Attribute page.