Virtual Attributes in Access Policies (Active Directory Only)
RSA makes it easy to include certain Active Directory attributes in access policies by providing virtual attributes. Virtual attributes allow you to specify a shortened or more readable form of the attribute value instead of the full attribute value. Each virtual attribute is mapped to an Active Directory attribute.
To add virtual attributes to access policies, see Add, Clone, or Delete an Access Policy.
Virtual Attribute Example
Suppose you are adding a rule set to an access policy and the Sales department is the target population. You can use the Active Directory attribute memberOf and enter the full distinguished name, as shown in the following example.
| User Attribute | Operation | Value |
|---|---|---|
| memberOf | SET_CONTAINS_ALL | CN=Sales,OU=Mach_4_Corp,OU=MST,OU=United_States,OU=North_America,OU=Clients,DC=kc,DC=org |
Using a virtual attribute is more convenient in this case. RSA maps the memberOf attribute to the virtual attribute virtualGroups. With virtualGroups you enter only the group name instead of the full distinguished name, as shown in the following example.
| User Attribute | Operation | Value |
|---|---|---|
| virtualGroups | SET_CONTAINS_ALL | Sales |
If different organizational units use the same group name (for example, Sales), you can use virtualGroups to find all the members of different Sales groups. As an alternative, you can use the memberOf attribute and the full distinguished name to differentiate among the different groups.
Supported Virtual Attributes
RSA supports the virtual attributes listed in the following table.
| Virtual Attribute | Mapped to Active Directory Attribute | Description |
|---|---|---|
| virtualGroups | memberOf | The memberOf attribute contains the full DN of a group name, which is CN=group,OU=myou,DC=domain,DC=com. virtualGroups holds only the CN value. |
| virtualSuspended | userAccountControl | Indicates when an account is disabled. The virtualSuspended value is True or False. See your Active Directory documentation for the full range of userAccountControl values. |
| decodedObjectGUIDString | ObjectGUID | ObjectGUID is a base64-encoded representation of the globally unique user identifier, which is a binary value in Active Directory. decodedObjectGUIDString represents this data as a human-readable string, for example: c2d5724d-27a3-4ecd-8da7-955ac218e206. Some SAML applications expect to receive the base64-encoded value, while other applications expect the string format. RSA can pass either value, depending on which attribute you use. |
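The following added example (not RSA's own code) shows how the three virtual attributes in the table can be derived from the raw Active Directory values, and how the two rule sets above (memberOf with a full DN, virtualGroups with just the CN) evaluate under SET_CONTAINS_ALL. The sample user, its group DNs and its userAccountControl value are constructed; the base64 objectGUID is the page's example GUID encoded in Active Directory's binary layout.

```python
import base64
import re
import uuid

ACCOUNTDISABLE = 0x0002  # userAccountControl flag bit that marks a disabled account

def first_rdn_value(dn: str) -> str:
    """Return the value of the first RDN of a DN (the CN for a group DN).
    Splits on the first comma that is not backslash-escaped, then unescapes."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    value = rdn.split("=", 1)[1]
    return re.sub(r"\\(.)", r"\1", value)

def virtual_groups(member_of) -> set:
    """virtualGroups: the CN of every DN in memberOf (OU information is dropped)."""
    return {first_rdn_value(dn) for dn in member_of}

def virtual_suspended(user_account_control: int) -> bool:
    """virtualSuspended: True when the ACCOUNTDISABLE bit is set."""
    return bool(user_account_control & ACCOUNTDISABLE)

def decoded_object_guid_string(object_guid_b64: str) -> str:
    """decodedObjectGUIDString: base64 binary GUID -> canonical string.
    AD stores the first three GUID fields little-endian, hence bytes_le."""
    raw = base64.b64decode(object_guid_b64)
    return str(uuid.UUID(bytes_le=raw))

def set_contains_all(attribute_values, required) -> bool:
    """SET_CONTAINS_ALL: every required value must be present in the attribute."""
    return set(required) <= set(attribute_values)

# Constructed sample user (hypothetical directory data, not from a real domain)
SALES_DN = ("CN=Sales,OU=Mach_4_Corp,OU=MST,OU=United_States,"
            "OU=North_America,OU=Clients,DC=kc,DC=org")
SAMPLE_USER = {
    "memberOf": [SALES_DN, "CN=VPN\\, Remote,OU=Groups,DC=kc,DC=org"],
    "userAccountControl": 0x0200,            # NORMAL_ACCOUNT, not disabled
    "objectGUID": "TXLVwqMnzU6Np5VawhjiBg==",  # page's example GUID, base64
}

def evaluate_rules(user: dict) -> dict:
    """Derive the virtual attributes and evaluate both rule sets from the page."""
    groups = virtual_groups(user["memberOf"])
    return {
        "virtualGroups": groups,
        "virtualSuspended": virtual_suspended(user["userAccountControl"]),
        "decodedObjectGUIDString": decoded_object_guid_string(user["objectGUID"]),
        "memberOf rule": set_contains_all(user["memberOf"], [SALES_DN]),
        "virtualGroups rule": set_contains_all(groups, ["Sales"]),
    }
```

Note that the virtualGroups rule would also match a user whose only Sales group sits in a different OU, which is the collision the memberOf rule avoids.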
Synchronizing Virtual Attributes
By default, the virtualGroups attribute is selected for synchronization on the User Attributes page in the Identity Source wizard. You can disable synchronization by deselecting it in the Policies column. You can also enable synchronization for the virtualSuspended and decodedObjectGUIDString attributes.