Virtual Attributes in Access Policies (Active Directory Only)

RSA SecurID Access makes it easy to include certain Active Directory attributes in access policies by providing virtual attributes. Virtual attributes allow you to specify a shortened or more readable form of the attribute value instead of the full attribute value. Each virtual attribute is mapped to an Active Directory attribute.

To add virtual attributes to access policies, see Add, Clone, or Delete an Access Policy

Virtual Attribute Example

Suppose you are adding a rule set to an access policy and the Sales department is the target population. You can use the Active directory attribute, memberOf, and enter the full distinguished name as shown.

User Attribute Operation Value
memberOf SET_CONTAINS_ALL CN=Sales,OU=Mach_4_Corp,OU=MST,OU=United_States,OU=North_America,OU=Clients,DC=kc,DC=org

Using a virtual attribute is more convenient in this case. RSA SecurID Access maps the memberOf attribute to the virtual attribute virtualGroups. With virtualGroups you enter only the group name instead of the full distinguished name, as shown in the following example.

User Attribute Operation Value
virtualGroups SET_CONTAINS_ALL Sales

If different organizational units use the same group name (for example, Sales), you can use virtualGroups to find all the members of different Sales groups. As an alternative, you can use the memberOf attribute and the full distinguished name to differentiate among the different groups.

Supported Virtual Attributes

RSA SecurID Access supports the virtual attributes listed in the following table.

Virtual Attribute Mapped to Active Directory Attribute Description
virtualGroups memberOf The memberOf attribute contains the full DN of a group name, which is CN=group,OU=myou,DC=domain,DC=com. virtualGroups holds only the CN value.
virtualSuspended userAccountControl Indicates when an account is disabled. The virtualSuspended value is True or False. See your Active Directory documentation for a full range of userAccount Control values.
decodedObjectGUIDString ObjectGUID

ObjectGUID is a base64-encoded representation of a the globally unique user identifier, which is a binary value in Active Directory. decodedObjectGUIDString represents this data as a human-readable string, for example: c2d5724d-27a3-4ecd-8da7-955ac218e206. Some SAML applications expect to receive the base64-encoded value, while other applications expect the string format. RSA SecurID Access can pass either value, depending on which attribute you use.

Synchronizing Virtual Attributes

By default, the virtualGroups attribute is selected for synchronization on the User Attributes page in the Identity Source wizard. You can disable synchronization by deselecting it in the Policies column. You can also enable synchronization for the virtualsuspended and decodedObjectGUIDString attributes.