Karim Elatov

SecurID Access: Change Attribute Mapping Type in Identity Sources

Blog Post created by Karim Elatov Employee on Oct 10, 2016

User Attributes

In SecurID Access Change Attribute Mapping Name in Identity Sources we talked about how we can change attributes names. We also mentioned that we can change the attribute type, here was the use case:

  1. Change the Target Attribute Type of a Discovered attribute
    1. Let's say you wanted to treat a date as a string to use other policies operations

Let's go into this scenatrio

Changing The Attribute Type

Depending on the type of the attribute we have certain policy operations available. Here are the available types:

  • datetime (accountExpires)
  • string (mail)
  • long (badPwdCount)
  • boolean (isDeleted)
  • double ()

If an attribute is of type datetime we can use the following policy operations on it:

  • Equals
  • Does not equal
  • Greater than
  • Greater than or equal
  • Less than
  • Less than or equal
  • Is null
  • Is not null

 

 

If an attribute is of type string, we can use the following policy operations on it:

  • Contains
  • Does not contain
  • Matches
  • Does not match
  • Starts with
  • Ends with
  • Equals
  • Does not equal
  • Is empty
  • Is not empty
  • Is null
  • Is not null
  • Set contains any
  • Set does not contain any
  • Set contains all
  • Set does not contain all

 

If an attribute is of type long or double, then we have the following policy operations on it (same as datetime):

  • Equal
  • Does not equal
  • Greater than
  • Greater than or equal
  • Less than
  • Less than or equal
  • Is null
  • Is not null


If an attribute is of type boolean, then we have the following policy operations on it: 

  • Equal
  • Does not equal
  • Is null
  • Is not null

 

So let's say I wanted to do a string match operation on a datetime attribute, like accountExpires, by default you saw what operation are available above. So let's change the type mapping to string:

Now after making that change, if I choose that attribute I can have more policy operations:

Different Attribute Type for the same Attribute

Let's say we have two attributes with the same name but the types are different. Let's use the same example as before and utilize the mail attribute. I went ahead and changed the type on one of the identity sources to be boolean while I left the other one to be string:

and here is the other one:

Since both attributes are seen as one, when I check out the policy operations available for that attribute it actually only lists operations that apply to both:

Outcomes