Identity attribute definitions are custom user attributes. When you add them to your deployment and map them to external identity sources, the Security Console can retrieve identity attribute values from an external identity source. For more information, see Edit Identity Source Attribute Mappings.
To use an identity attribute definition in an attribute-based role, you must enable the identity attribute definition for use in administrative scope restrictions. You do this when you define the identity attribute definition for the deployment.
In the Security Console, click Identity > Identity Attribute Definitions > Add New.
In the Attribute Name field, enter a unique attribute name for the value mapped from the directory. (This name appears in the Security Console on the Add New User and Edit User pages.) Do not exceed 255 characters.
(Optional) In the Category field, specify the category to which this attribute belongs. The drop-down menu displays categories that are defined on the Identity Attribute Categories page. If you do not specify a category, the default category is Attributes.
In the Entry Type field, indicate whether the new attribute field is Optional, Required, or Read-Only. Optional and required attributes can be edited. If an attribute is required, you must enter a value for it when you add the user in order to save the user's record.
Note: Your administrative role determines whether you can modify identity attributes. On the Add New User and Edit User pages, you can edit attributes that your role permits you to modify, even if the attribute is required. If you do not have permission to edit a required attribute, you cannot add or edit the user.
From the Data Type drop-down list, select the type of data that you want to store in the new attribute.
Note: Use the same data type as the LDAP directory schema. If the data type is not the same, the Security Console cannot retrieve user records that include this attribute from the external identity source, and the failure is recorded in the system log. To resolve this issue, delete the existing identity attribute definition, and add a new one using the correct data type.
(Optional) In the Predefined List Entries fields, create a list of predefined values that administrators can use when adding or editing a user record. The values appear in a drop-down list on the Add and Edit User pages.
For example, suppose that you add the attribute “Location” that represents the office location. If you have locations in London, New York, and Madrid, you can add each of these locations as predefined values.
To add a predefined value:
In the Value field, enter a predefined value for the identity attribute.
For the Attribute Storage option, select one of the following:
Store this attribute in the same location as the user record (internal database or external identity source) to store the user attribute value with the user record. For a user that you created using the Security Console, the attribute value is stored in the internal database with the user record. For a user that exists in the external identity source, for example, an LDAP directory, the attribute value is stored only in the external identity source and is read-only in RSA Authentication Manager.
Always store this attribute in the internal database to store the user attribute value in the internal database for all users. When you select this method, the attribute is stored in the internal database, even for user records that exist only in the external identity source, for example, an LDAP directory. An administrator with the appropriate permissions can edit attribute values using the Security Console.
You cannot change the attribute storage configuration after the attribute is created.
(Optional) In the Tooltip field, specify the text for the rollover tooltip. Make sure that the text is descriptive enough to help the administrator who is using the Add New User or Edit User pages. Do not exceed 75 characters.
(Optional) To allow the attribute to have more than one value, select Multi-Value. Boolean and Date attributes cannot store more than one value.
For Use for Scope Restriction, select Use to define conditions on administrative user management permissions if you want to use this attribute to restrict the scope of an administrative role.
Under Identity Source Mapping, identify the field mapping configuration for each identity source in your deployment.
For Internal Database, specify the name of the attribute that will be created in the internal database. The name may include alphanumeric characters and underscores, for example, MOBILE_NUMBER2.
For each external identity source, specify the attribute name that exists in the external identity source. You may leave the field blank if the attribute has no mapping in an external identity source. When you save the attribute, RSA Authentication Manager validates the mapping.
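Because the storage configuration cannot be changed after the attribute is created, and a data type that disagrees with the LDAP schema only shows up later as failed user lookups in the system log, it is worth checking a planned definition against the directory schema before creating it. The following Python script is an added example, not part of this documentation or of RSA Authentication Manager: it parses RFC 4512 attributeTypes definitions (a constructed sample schema is embedded; a real one would come from the directory's subschema entry), maps RFC 4517 syntax OIDs to console data types, and applies the limits stated above (255-character name, 75-character tooltip, alphanumeric/underscore internal name, no Multi-Value for Boolean or Date). The data type names String and Integer are assumed labels; only Boolean and Date are named on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4517 attribute syntax OIDs mapped to the Security Console data types
# used in this example. Boolean and Date are named on the page; String and
# Integer are assumed labels for the corresponding console types.
SYNTAX_TO_DATA_TYPE = {
    "1.3.6.1.4.1.1466.115.121.1.15": "String",   # Directory String
    "1.3.6.1.4.1.1466.115.121.1.27": "Integer",  # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",   # Boolean
    "1.3.6.1.4.1.1466.115.121.1.24": "Date",     # Generalized Time
}

# Constructed attributeTypes definitions in RFC 4512 format. The OIDs under
# 1.1.1.1.* and the custom attribute names are made up for this example.
SAMPLE_SCHEMA = [
    "( 2.5.4.4 NAME 'sn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.1.1.1.1 NAME 'employeeNumberInt' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 1.1.1.1.2 NAME 'isContractor' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )",
    "( 1.1.1.1.3 NAME 'badgeExpiry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )",
    "( 1.1.1.1.4 NAME 'deskPhone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )",
]

# Handles the common single-quoted NAME form; NAME ( 'a' 'b' ) lists are skipped.
ATTR_TYPE_RE = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'.*?"
    r"SYNTAX\s+(?P<syntax>[\d.]+)(?:\{\d+\})?(?P<rest>.*)\)",
    re.DOTALL,
)
INTERNAL_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def parse_schema(definitions: List[str]) -> Dict[str, dict]:
    """Map each LDAP attribute name to its OID, syntax OID and SINGLE-VALUE flag."""
    schema: Dict[str, dict] = {}
    for text in definitions:
        m = ATTR_TYPE_RE.search(text)
        if not m:
            continue  # not an attributeTypes definition this parser reads
        schema[m.group("name")] = {
            "oid": m.group("oid"),
            "syntax": m.group("syntax"),
            "single_value": "SINGLE-VALUE" in m.group("rest"),
        }
    return schema


@dataclass
class AttributeDefinition:
    attribute_name: str                   # shown on Add New User / Edit User
    data_type: str                        # Security Console data type
    internal_name: str                    # Internal Database mapping
    ldap_attribute: Optional[str] = None  # external identity source mapping
    multi_value: bool = False
    tooltip: str = ""


def validate(defn: AttributeDefinition, schema: Dict[str, dict]) -> List[str]:
    """Return every problem with a planned definition, checked before creation."""
    problems: List[str] = []
    if not defn.attribute_name or len(defn.attribute_name) > 255:
        problems.append("Attribute Name must be 1-255 characters")
    if len(defn.tooltip) > 75:
        problems.append("Tooltip must not exceed 75 characters")
    if not INTERNAL_NAME_RE.match(defn.internal_name):
        problems.append("Internal Database name may contain only alphanumerics and underscores")
    if defn.multi_value and defn.data_type in ("Boolean", "Date"):
        problems.append(f"{defn.data_type} attributes cannot be Multi-Value")
    if defn.ldap_attribute is not None:  # a blank mapping is allowed
        entry = schema.get(defn.ldap_attribute)
        if entry is None:
            problems.append(f"{defn.ldap_attribute!r} is not defined in the identity source schema")
        else:
            expected = SYNTAX_TO_DATA_TYPE.get(entry["syntax"])
            if expected is None:
                problems.append(
                    f"{defn.ldap_attribute!r} has LDAP syntax {entry['syntax']}, "
                    "which has no matching Security Console data type"
                )
            elif expected != defn.data_type:
                problems.append(
                    f"Data type {defn.data_type} does not match LDAP syntax of "
                    f"{defn.ldap_attribute!r} (expected {expected}); user records "
                    "with this attribute would fail to load from the identity source"
                )
    return problems


if __name__ == "__main__":
    directory = parse_schema(SAMPLE_SCHEMA)
    planned = AttributeDefinition("Employee Number", "String", "EMPLOYEE_NUMBER", "employeeNumberInt")
    for problem in validate(planned, directory):
        print("PROBLEM:", problem)
```

The schema entries also record SINGLE-VALUE, which is useful when deciding whether to select Multi-Value for a String or Integer attribute mapped to a directory attribute that can only hold one value.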