User Attributes

User attributes include internal user attributes, default user attributes, and optional custom user attributes. You can search, query, and report on all attribute values.

You can use attributes to delegate administrative tasks through role definition. For example, a role might allow an administrator to manage all users with a specific job title, where job title is a user attribute. A role might also allow an administrator to manage all users in a specific department, where department is a user attribute.

Internal user attributes are recorded in the internal database for searching and reporting purposes. You cannot customize or modify these internal (system) attribute values using the Security Console, but you can run searches or generate reports that are based on or include them. For example, you can run a search or create a custom report based on all users that were modified on a particular date.

Default user attributes are the core attributes for every user. They are:

  • Certificate DN

  • Email

  • First Name

  • Middle Name

  • Last Name (required)

  • User ID (required)

  • Password (required)

Modification of Attribute Values

You can modify default attribute values based on the type of identity source:

  • LDAP directory identity source: Default attribute values are stored in the LDAP directory. You must modify attribute values using the native LDAP directory administrative interface. Also, default user attributes must be mapped correctly to attributes in the LDAP directory so that these attribute values can be displayed in the Security Console and included in searches and reports.

  • Internal database: All attributes and attribute values stored in the internal database can be modified using the Security Console.

Custom User Attributes

You can define custom user attributes using identity attribute definitions. For example, you can create an attribute called “Region” to identify where users are located. For more information, see Add an Identity Attribute Definition.

When you create an identity attribute definition, you must decide where to store the attribute value. You can do one of the following:

  • Store the user attribute value with the user record. If you added the user through the Security Console, the attribute value is stored in the internal database with the user record. For a user that exists in an LDAP directory, the attribute value is stored only in the LDAP directory and is read-only in RSA Authentication Manager.

  • Store the user attribute value in the internal database for all users, including users that exist only in an LDAP directory. An administrator with the appropriate permissions can edit attribute values using the Security Console.
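The following Python sketch is an added illustration, not RSA Authentication Manager code or its API: it models a role scoped on a user attribute (the delegated-administration case above) together with the two storage choices for a custom attribute, so that a value stored with the record of an LDAP user is treated as read-only while a value stored in the internal database stays editable. All class, function and sample-data names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    source: str                 # "internal" (added via Security Console) or "ldap"
    attrs: dict = field(default_factory=dict)

@dataclass
class AttributeDefinition:
    name: str
    store_in_internal_db: bool  # True: kept in internal DB for all users; False: kept with the record

@dataclass
class Role:
    scope_attr: str             # attribute the role is scoped on, e.g. "department"
    scope_value: str

def in_scope(role: Role, user: User) -> bool:
    # A delegated administrator may manage a user only if the scoping attribute matches.
    return user.attrs.get(role.scope_attr) == role.scope_value

def can_edit_attribute(user: User, definition: AttributeDefinition) -> bool:
    # Record-stored values of LDAP users live only in the directory and are read-only here.
    return definition.store_in_internal_db or user.source == "internal"

def manageable_users(role: Role, users: list) -> list:
    return [u.user_id for u in users if in_scope(role, u)]

def set_attribute(role: Role, user: User, definition: AttributeDefinition, value: str) -> None:
    if not in_scope(role, user):
        raise PermissionError(f"{user.user_id} is outside the role's scope")
    if not can_edit_attribute(user, definition):
        raise PermissionError(f"{definition.name} for {user.user_id} is read-only in this model")
    user.attrs[definition.name] = value

def try_set(role: Role, user: User, definition: AttributeDefinition, value: str) -> bool:
    try:                        # True if the write was permitted, False if refused
        set_attribute(role, user, definition, value)
        return True
    except PermissionError:
        return False

# Constructed sample data: hypothetical users, attribute definitions and role.
REGION = AttributeDefinition("region", store_in_internal_db=True)
COST_CENTER = AttributeDefinition("cost_center", store_in_internal_db=False)
USERS = [User("alice", "internal", {"department": "finance"}),
         User("bob", "ldap", {"department": "finance"}),
         User("carol", "ldap", {"department": "engineering"})]
FINANCE_ADMIN = Role("department", "finance")
```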