Virtual Attributes in Access Policies (Active Directory Only)
RSA makes it easy to include certain Active Directory attributes in access policies by providing virtual attributes. Virtual attributes allow you to specify a shortened or more readable form of the attribute value instead of the full attribute value. Each virtual attribute is mapped to an Active Directory attribute.
To add virtual attributes to access policies, see Add, Clone, or Delete an Access Policy.
Virtual Attribute Example
Suppose you are adding a rule set to an access policy and the Sales department is the target population. You can use the Active Directory attribute memberOf and enter the full distinguished name, as shown.
| User Attribute | Operation | Value |
|---|---|---|
| memberOf | SET_CONTAINS_ALL | CN=Sales,OU=Mach_4_Corp,OU=MST,OU=United_States,OU=North_America,OU=Clients,DC=kc,DC=org |
Using a virtual attribute is more convenient in this case. RSA maps the memberOf attribute to the virtual attribute virtualGroups. With virtualGroups you enter only the group name instead of the full distinguished name, as shown in the following example.
| User Attribute | Operation | Value |
|---|---|---|
| virtualGroups | SET_CONTAINS_ALL | Sales |
If different organizational units use the same group name (for example, Sales), you can use virtualGroups to find all the members of different Sales groups. As an alternative, you can use the memberOf attribute and the full distinguished name to differentiate among the different groups.
Supported Virtual Attributes
RSA supports the virtual attributes listed in the following table.
| Virtual Attribute | Mapped to Active Directory Attribute | Description |
|---|---|---|
| virtualGroups | memberOf | The memberOf attribute contains the full DN of a group name, which is CN=group,OU=myou,DC=domain,DC=com. virtualGroups holds only the CN value. |
| virtualSuspended | userAccountControl | Indicates when an account is disabled. The virtualSuspended value is True or False. See your Active Directory documentation for the full range of userAccountControl values. |
| decodedObjectGUIDString | ObjectGUID | ObjectGUID is a base64-encoded representation of the globally unique user identifier, which is a binary value in Active Directory. decodedObjectGUIDString represents this data as a human-readable string, for example: c2d5724d-27a3-4ecd-8da7-955ac218e206. Some SAML applications expect to receive the base64-encoded value, while other applications expect the string format. RSA can pass either value, depending on which attribute you use. |
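The following is an added example, not RSA product code, that models the three mappings in the table above and the memberOf versus virtualGroups comparison from the earlier rule-set example. It derives each virtual attribute from a raw Active Directory value (CN of each memberOf DN, the ACCOUNTDISABLE bit of userAccountControl, and the GUID byte layout of a base64 objectGUID) and evaluates a SET_CONTAINS_ALL rule against constructed sample users. All function names, the sample users and the sample base64 objectGUID are this example's own assumptions; the GUID string is the one quoted in the table.

```python
"""Model of RSA's Active Directory virtual attributes (added example, not RSA code)."""
import base64
import uuid

# userAccountControl bit that marks a disabled account (ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def group_cn(dn):
    """Return the CN value of a group DN; this is what virtualGroups holds."""
    attr, _, value = split_rdns(dn)[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("group DN does not start with CN=: %r" % dn)
    return value.replace("\\,", ",")


def virtual_groups(member_of):
    """memberOf (list of full DNs) -> virtualGroups (set of CN values)."""
    return {group_cn(dn) for dn in member_of}


def virtual_suspended(user_account_control):
    """userAccountControl -> 'True' when the ACCOUNTDISABLE bit is set."""
    return "True" if int(user_account_control) & UF_ACCOUNTDISABLE else "False"


def decoded_object_guid_string(object_guid_b64):
    """Base64 objectGUID (16 bytes, Windows GUID field order) -> dashed string."""
    raw = base64.b64decode(object_guid_b64)
    if len(raw) != 16:
        raise ValueError("objectGUID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def encode_object_guid(guid_string):
    """Inverse of decoded_object_guid_string: dashed string -> base64 objectGUID."""
    return base64.b64encode(uuid.UUID(guid_string).bytes_le).decode("ascii")


def set_contains_all(user_values, rule_values):
    """SET_CONTAINS_ALL: every rule value must appear among the user's values."""
    return set(rule_values) <= set(user_values)


# Constructed sample data (not real directory content).
SALES_DN = ("CN=Sales,OU=Mach_4_Corp,OU=MST,OU=United_States,"
            "OU=North_America,OU=Clients,DC=kc,DC=org")
OTHER_SALES_DN = "CN=Sales,OU=EMEA,OU=Clients,DC=kc,DC=org"
SAMPLE_USERS = {
    "alice": {"memberOf": [SALES_DN, "CN=VPN Users,OU=Groups,DC=kc,DC=org"],
              "userAccountControl": 512},          # NORMAL_ACCOUNT, enabled
    "bob": {"memberOf": [OTHER_SALES_DN],
            "userAccountControl": 514},            # NORMAL_ACCOUNT | ACCOUNTDISABLE
}
# Base64 of the table's example GUID in objectGUID byte order (constructed).
SAMPLE_OBJECT_GUID_B64 = "TXLVwqMnzU6Np5VawhjiBg=="


def evaluate_rule(user, attribute, rule_values):
    """Evaluate one SET_CONTAINS_ALL rule against a raw or virtual attribute."""
    if attribute == "memberOf":
        values = user["memberOf"]
    elif attribute == "virtualGroups":
        values = virtual_groups(user["memberOf"])
    else:
        raise ValueError("unsupported attribute %r" % attribute)
    return set_contains_all(values, rule_values)


def matching_users(attribute, rule_values):
    """Sorted names of sample users that satisfy the rule."""
    return sorted(name for name, user in SAMPLE_USERS.items()
                  if evaluate_rule(user, attribute, rule_values))


if __name__ == "__main__":
    print(matching_users("memberOf", [SALES_DN]))       # ['alice']
    print(matching_users("virtualGroups", ["Sales"]))   # ['alice', 'bob']
    for name, user in SAMPLE_USERS.items():
        print(name, "virtualSuspended =", virtual_suspended(user["userAccountControl"]))
    print(decoded_object_guid_string(SAMPLE_OBJECT_GUID_B64))
```

Running it shows the difference the text describes: the full-DN memberOf rule matches only the Mach_4_Corp Sales member, while the virtualGroups rule with the value Sales matches members of every group whose CN is Sales, regardless of organizational unit. The objectGUID helpers use the Windows GUID layout (first three fields little-endian), which is why `uuid.UUID(bytes_le=...)` rather than `bytes=` reproduces the dashed string.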
Synchronizing Virtual Attributes
By default, the virtualGroups attribute is selected for synchronization on the User Attributes page in the Identity Source wizard. You can disable synchronization by deselecting it in the Policies column. You can also enable synchronization for the virtualSuspended and decodedObjectGUIDString attributes.