.png)
Access Attributes
Definition
Access Attributes Definitions define attributes that can be used during users authentication and in application federations. They apply to Identity Type objects.
Access Model Attributes intersect with the Identity Model Attributes as some of them are common.
There are two types of Access Attributes :
Default : these Access Attributes are predefined and positioned by the system so some of their properties cannot be modified. A Default Access Attribute is available if :
An Identity Attribute with the same identifier already exists. These Default Common Attributes can be overriden by declaring them as Access Attributes if needed.
Or if explicitly declared as an Access Attribute.
Custom : these Access Attributes are created by the tenant configurator and can be fully configured as desired.
Configuration
You can access the Access Attribute Definitions configuration :
by clicking on "Access" → “Access Attributes”
by clicking on "System" → "Configurations" → "Access Service" and perform an import/export.
Properties
Property name | Type | Mandatory | Description | Values (default value in bold) | Modifiable after creation |
|---|---|---|---|---|---|
id |
| YES | The unique id of the Access Attribute that will be reused in the configuration (Federation, Authentication). Enter the identifier of a Default Access Attribute to override some of its properties (see Default Access Attributes). It is case sensitive and no special characters (except - or _) are allowed. | - | NO |
name |
| YES | The name of the Access Attribute. Specifying the name first allows you to define automatically the identifier. | - | YES |
description |
| NO | Used to describe the Access Attribute that will be configured. | - | YES |
multiValued |
| NO | Indicates if the Access Attribute can have several values. Not applicable for boolean value type. | true, false | NO |
searchable |
| NO | Indicates if the Access Attribute can be used in searches. | true, false | NO |
usage |
| YES | Indicates the kind of usage authorized for this Access Attribute :
| ANY, AUTHENTICATION, FEDERATION | YES |
customAttributeIndex |
| NO | The technical index of the Access Attribute. It not set, is automatically computed by identifying the first custom attribute available. Index starts at 1. The upper limit depends on the attribute properties. | - | NO |
identifier |
| NO | Indicates if the Access Attribute can be used as login or as correlation key when authenticating on external systems (such as AD, LDAP, Kerberos, …). Can only be set to “true” if the Access Attribute is mono-valued and searchable. | true, false | YES |
Example
<maiaamcp:AmAttributeDefinition id="firstName">
<name>firstName</name>
<description></description>
<identifier>false</identifier>
<multiValued>false</multiValued>
<searchable>false</searchable>
<usage>ANY</usage>
</maiaamcp:AmAttributeDefinition>Default Access Attributes
The following Default Access Attributes are predefined by the system but can explicitly be declared to override some of their properties (usage and identifier). Create an Access Attribute with the id of a Default Access Attribute to override it (be carefull as id is case sensitive).
Attribute Identifier | Multi-valued | Searchable | Identifier | Default usage | Comment |
|---|---|---|---|---|---|
alternateEmail | YES | YES | NO | Federation | - |
commonName | NO | YES | NO | Federation | - |
company | YES | NO | NO | Federation | - |
NO | YES | NO | Federation | - | |
employeeNumber | NO | NO | NO | Federation | - |
enabledFrom | NO | NO | NO | Federation | The date from which the identity is considered enabled |
enabledUntil | NO | NO | NO | Federation | The date until which the identity is considered enabled |
firstName | NO | YES | NO | Federation | - |
id | NO | YES | NO | Any | Technical identifier of the identity The customAttributeIndex of this technical attribute cannot be overriden |
jobTitle | NO | NO | NO | Federation | - |
lastName | NO | YES | NO | Federation | - |
legacyRights | YES | YES | NO | Federation | Rights of the user, used only for LEGACY applications (migrated from the old system to the new one) |
legacyRightVariables | YES | NO | NO | Federation | Privileges of the user for a given right, used only for LEGACY applications (migrated from the old system to the new one) |
login | NO | YES | YES | Any | - |
msSamAccountName | NO | YES | NO | Any | Logon name of the user on Microsoft systems (Active Directory, Kerberos) |
mobile | NO | NO | NO | Federation | - |
phoneNumber | YES | NO | NO | Federation | - |
preferredLanguage | NO | NO | NO | Federation | - |
securityOrganization | NO | YES | NO | Any | Organization of the user |
type | NO | YES | NO | Any | Type of the identity (employee, partner, …) The customAttributeIndex of this technical attribute cannot be overriden |