Virtual Attributes in Access Policies (Active Directory Only)

Document created by RSA Information Design and Development on Apr 14, 2017. Last modified by RSA Information Design and Development on Oct 20, 2017. Version 6.

RSA SecurID Access makes it easy to include certain Active Directory attributes in access policies by providing virtual attributes. Virtual attributes allow you to specify a shortened or more readable form of the attribute value instead of the full attribute value. Each virtual attribute is mapped to an Active Directory attribute.

Virtual Attribute Example

Suppose you are adding a rule set to an access policy and the Sales department is the target population. You can use the Active Directory attribute memberOf and enter the full distinguished name, as shown.

                  
User AttributeOperationValue
memberOfSET_CONTAINS_ALLCN=Sales,OU=Mach_4_Corp,OU=MST,OU=United_States,OU=North_America,OU=Clients,DC=kc,DC=org

Using a virtual attribute is more convenient in this case. RSA SecurID Access maps the memberOf attribute to the virtual attribute virtualGroups. With virtualGroups you enter only the group name instead of the full distinguished name, as shown in the following example.

                  
User AttributeOperationValue
virtualGroupsSET_CONTAINS_ALLSales

If different organizational units use the same group name (for example, Sales), you can use virtualGroups to find all the members of different Sales groups. As an alternative, you can use the memberOf attribute and the full distinguished name to differentiate among the different groups.

Supported Virtual Attributes

RSA SecurID Access supports the virtual attributes listed below. Each entry names the virtual attribute, the Active Directory attribute it is mapped to, and what it holds.

virtualGroups (mapped to memberOf)
    The memberOf attribute contains the full DN of a group, for example CN=group,OU=myou,DC=domain,DC=com. virtualGroups holds only the CN value.

virtualSuspended (mapped to userAccountControl)
    Indicates whether an account is disabled. The virtualSuspended value is True or False. See your Active Directory documentation for the full range of userAccountControl values.

decodedObjectGUIDString (mapped to objectGUID)
    objectGUID is a base64-encoded representation of the globally unique user identifier, which is a binary value in Active Directory. decodedObjectGUIDString represents this data as a human-readable string, for example: c2d5724d-27a3-4ecd-8da7-955ac218e206. Some SAML applications expect to receive the base64-encoded value, while other applications expect the string format. RSA SecurID Access can pass either value, depending on which attribute you use.
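To make the three mappings concrete, here is an added example (not RSA's code; the product does not publish how it derives these values) that computes the virtual attributes from a synced Active Directory user record. It assumes that virtualSuspended reflects the ACCOUNTDISABLE bit (0x0002) of userAccountControl and that objectGUID uses Active Directory's mixed-endian GUID byte layout; the sample record is constructed.

```python
import base64
import re
import uuid

ACCOUNTDISABLE = 0x0002  # userAccountControl flag for a disabled account (documented AD value)
_RDN_SPLIT = re.compile(r"(?<!\\),")  # split a DN on commas that are not backslash-escaped (RFC 4514)

def group_cn(dn):
    """Return the CN value of a group DN such as CN=Sales,OU=...,DC=org, or None if there is none."""
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "cn":
            return value.strip().replace("\\,", ",")
    return None

def virtual_groups(member_of):
    """virtualGroups: distinct CNs of all memberOf DNs; 'Sales' groups in different OUs collapse to one name."""
    return sorted({cn for cn in map(group_cn, member_of) if cn is not None})

def virtual_suspended(user_account_control):
    """virtualSuspended: True if ACCOUNTDISABLE is set (514 = NORMAL_ACCOUNT | ACCOUNTDISABLE), else False."""
    return bool(int(user_account_control) & ACCOUNTDISABLE)

def decoded_object_guid_string(object_guid_b64):
    """decodedObjectGUIDString: base64 objectGUID -> text; assumes AD's mixed-endian GUID layout (bytes_le)."""
    raw = base64.b64decode(object_guid_b64)
    if len(raw) != 16:
        raise ValueError("objectGUID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def encode_object_guid(guid_string):
    """Inverse mapping, for SAML applications that expect the base64 form instead."""
    return base64.b64encode(uuid.UUID(guid_string).bytes_le).decode("ascii")

def compute_virtual_attributes(user):
    """Derive all three virtual attributes from one synced AD user record."""
    return {
        "virtualGroups": virtual_groups(user.get("memberOf", [])),
        "virtualSuspended": virtual_suspended(user.get("userAccountControl", 0)),
        "decodedObjectGUIDString": decoded_object_guid_string(user["objectGUID"]),
    }
# Constructed sample record (not real directory data); objectGUID encodes the GUID quoted in the table above.
SAMPLE_USER = {
    "memberOf": [
        "CN=Sales,OU=Mach_4_Corp,OU=MST,OU=United_States,OU=North_America,OU=Clients,DC=kc,DC=org",
        "CN=Sales,OU=EMEA,OU=Clients,DC=kc,DC=org",
    ],
    "userAccountControl": "514",
    "objectGUID": "TXLVwqMnzU6Np5VawhjiBg==",
}
```

Running compute_virtual_attributes(SAMPLE_USER) yields a single "Sales" entry in virtualGroups even though the user is in two Sales groups, which is exactly the ambiguity the memberOf form resolves.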

Synchronizing Virtual Attributes

By default, the virtualGroups attribute is selected for synchronization on the User Attributes page in the Identity Source wizard. You can disable synchronization by deselecting it in the Policies column. You can also enable synchronization for the virtualSuspended and decodedObjectGUIDString attributes.
