Announcements

SecurID® Community Blog

Subscribe to the official SecurID Community blog for information about new product features, industry insights, best practices and more.

SecurID Access: Change Attribute Mapping Type in Identity Sources

KarimElatov
Employee
Employee
0 0 1,168

User Attributes

In SecurID Access Change Attribute Mapping Name in Identity Sources we talked about how we can change attributes names. We also mentioned that we can change the attribute type, here was the use case:

  1. Change the Target Attribute Type of a Discovered attribute
    1. Let's say you wanted to treat a date as a string to use other policies operations

Let's go into this scenatrio

Changing The Attribute Type

Depending on the type of the attribute we have certain policy operations available. Here are the available types:

  • datetime (accountExpires)
  • string (mail)
  • long (badPwdCount)
  • boolean (isDeleted)
  • double ()

pastedImage_17.png

If an attribute is of type datetime we can use the following policy operations on it:

  • Equals
  • Does not equal
  • Greater than
  • Greater than or equal
  • Less than
  • Less than or equal
  • Is null
  • Is not null

 

pastedImage_18.png

 

If an attribute is of type string, we can use the following policy operations on it:

  • Contains
  • Does not contain
  • Matches
  • Does not match
  • Starts with
  • Ends with
  • Equals
  • Does not equal
  • Is empty
  • Is not empty
  • Is null
  • Is not null
  • Set contains any
  • Set does not contain any
  • Set contains all
  • Set does not contain all

 

pastedImage_19.png

If an attribute is of type long or double, then we have the following policy operations on it (same as datetime😞

  • Equal
  • Does not equal
  • Greater than
  • Greater than or equal
  • Less than
  • Less than or equal
  • Is null
  • Is not null

pastedImage_20.png
If an attribute is of type boolean, then we have the following policy operations on it: 

  • Equal
  • Does not equal
  • Is null
  • Is not null

 pastedImage_21.png

So let's say I wanted to do a string match operation on a datetime attribute, like accountExpires, by default you saw what operation are available above. So let's change the type mapping to string:

pastedImage_22.png

Now after making that change, if I choose that attribute I can have more policy operations:

pastedImage_23.png

Different Attribute Type for the same Attribute

Let's say we have two attributes with the same name but the types are different. Let's use the same example as before and utilize the mail attribute. I went ahead and changed the type on one of the identity sources to be boolean while I left the other one to be string:

pastedImage_24.png

and here is the other one:

pastedImage_25.png

Since both attributes are seen as one, when I check out the policy operations available for that attribute it actually only lists operations that apply to both:

pastedImage_26.png