RSA SecurID Access makes it easy to include certain Active Directory attributes in access policies by providing virtual attributes. Virtual attributes allow you to specify a shortened or more readable form of the attribute value instead of the full attribute value. Each virtual attribute is mapped to an Active Directory attribute.
Suppose you are adding a rule set to an access policy and the Sales department is the target population. You can use the Active Directory attribute memberOf and enter the full distinguished name, as shown.
Using a virtual attribute is more convenient in this case. RSA SecurID Access maps the memberOf attribute to the virtual attribute virtualGroups. With virtualGroups you enter only the group name instead of the full distinguished name, as shown in the following example.
If different organizational units use the same group name (for example, Sales), you can use virtualGroups to find all the members of different Sales groups. As an alternative, you can use the memberOf attribute and the full distinguished name to differentiate among the different groups.
RSA SecurID Access supports the virtual attributes listed in the following table.
Virtual Attribute: virtualGroups
Mapped to Active Directory Attribute: memberOf
Description: The memberOf attribute contains the full DN of a group, for example CN=group,OU=myou,DC=domain,DC=com. virtualGroups holds only the CN value (group).

Virtual Attribute: virtualSuspended
Mapped to Active Directory Attribute: userAccountControl
Description: Indicates whether an account is disabled. The virtualSuspended value is True or False. See your Active Directory documentation for the full range of userAccountControl values.

Virtual Attribute: decodedObjectGUIDString
Mapped to Active Directory Attribute: objectGUID
Description: objectGUID is a base64-encoded representation of the globally unique user identifier, which is a binary value in Active Directory. decodedObjectGUIDString represents this data as a human-readable string, for example c2d5724d-27a3-4ecd-8da7-955ac218e206. Some SAML applications expect to receive the base64-encoded value, while others expect the string format. RSA SecurID Access can pass either value, depending on which attribute you use.
By default, the virtualGroups attribute is selected for synchronization on the User Attributes page in the Identity Source wizard. You can disable synchronization by deselecting it in the Policies column. You can also enable synchronization for the virtualSuspended and decodedObjectGUIDString attributes.
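The following added example (not RSA's own code) derives the three virtual attributes from raw Active Directory values so you can check what a policy rule will actually compare against: the CN of each memberOf DN, the disabled state from userAccountControl, and the GUID string from the base64-encoded objectGUID. The sample values are constructed, and deriving virtualSuspended from the ACCOUNTDISABLE flag (0x2) is an assumption about how the product maps it.

```python
import base64
import uuid

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account (assumed mapping)


def rdn_values(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character, keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        rdn_type, _, value = part.partition("=")
        pairs.append((rdn_type.strip().upper(), value.strip()))
    return pairs


def virtual_groups(member_of):
    """virtualGroups: only the CN of each group DN, so 'Sales' matches in every OU."""
    groups = []
    for dn in member_of:
        rdn_type, value = rdn_values(dn)[0]
        if rdn_type == "CN":
            groups.append(value)
    return groups


def virtual_suspended(user_account_control):
    """virtualSuspended: True when the account is disabled."""
    return bool(int(user_account_control) & ACCOUNTDISABLE)


def decoded_object_guid_string(object_guid_b64):
    """decodedObjectGUIDString: AD stores the GUID in mixed-endian binary order."""
    return str(uuid.UUID(bytes_le=base64.b64decode(object_guid_b64)))


if __name__ == "__main__":
    # Constructed sample user: member of two different Sales groups, account enabled.
    member_of = ["CN=Sales,OU=EMEA,DC=example,DC=com", "CN=Sales,OU=APAC,DC=example,DC=com"]
    print(virtual_groups(member_of), virtual_suspended(512),
          decoded_object_guid_string("TXLVwqMnzU6Np5VawhjiBg=="))
```

A memberOf rule for the full DN matches only one of the two groups, while a virtualGroups rule for Sales matches both, which is the distinction the text above describes.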