Attribute Functions

Definition

Attribute Functions allow you to evaluate and manipulate attributes to be sent to applications through a Federation.

Attribute Functions reference built-in functions and are declared in the Memority ADM portal.

Attribute Functions can then be used in a Federation configuration in the USR portal.

Built-in Attribute Functions

The following built-in functions are available :

Name	Input	Output	Description	Example
valueOf()	Takes the attribute name as argument.	`String`	Returns the value of an attribute name.	`valueOf(firstName)`
concat()	Takes a variable number of either : attribute name or string literals	`String`	Concatenate the passed arguments as a String. Only mono-valued attributes can be used with this function. Multi-valued attributes are not supported.	`concat(firstName, " ", lastName)`
hasRight()	Can take as arguments (using attribute names or string literals): only the right name the right name and the target or the right name, the target and the privilege	`Boolean`	Test whether the processed Identity has been granted a certain right. When used to provide a claim value, it returns "true" or "false".	`hasRight("app.o365")` `hasRight("admin", "app.o365`) `hasRight("admin", "app.o365", "write")`
rightTargets()	Only takes the right name as argument (can be an attribute name or a string literal).	`String`	Retrieve the targets of a granted right.	`rightTargets("admin")`
rightPrivileges()	Takes 2 arguments (can be attribute names or string literals): the right name and the target	`String`	Retrieve the privileges of a granted right on a certain target.	`rightPrivileges("admin", "app.o365")`
valueIfAuthLevel()	Takes 2 arguments : the attribute name the authentication level The authentication level is provided as a string.	`String`	Returns the value of the given attribute only if the user is authenticated with a level >= to the given authentication level.	`valueIfAuthLevel(birthDate, "100"`
valueIfRight()	Can take as arguments (using attribute names or string literals): the attribute name and the right name the attribute name, the right name and the target or the attribute name, the right name, the target and the privilege	`String`	Returns the value of the given attribute if the current user has : the given right or the given right on the target or the privilege of the given right on a the target	`valueIfRight(o365profile, "admin")` `valueIfRight(o365profile, "admin", "app.o365")` `valueIfRight(o365profile, "admin", "app.o365","write")`

Usage

Attribute Functions can only be used in a Federation configuration.

It can be applied to Name Id or Attributes in the Federation by selecting “Function” as type in the drop-down icon.

Then you can select the desired Attribute Function (among those configured for the tenant) in the Function list.

The Attribute Function may requires some parameters you need to fill.

Note that only configurable arguments are displayed but some fixed arguments may be hidden. So make sure to use the suitable Attribute Function.

Configuration

You can access the Attribute Functions configuration :

by clicking on "Access" → “Attribute Functions”
by clicking on "System" → "Configurations" → "Access Service " and perform an import/export.

Properties

The main configuration elements are :

Property name	Type	Mandatory	Description	Values (default value in bold)	Modifiable after creation
id	`String`	YES	The Attribute Function identifier. This identifier will be displayed in Function list in the Federation configuration screen.	-	NO
name	`String`	YES	The Attribute Function name.	-	YES
description	`String`	NO	The Attribute Function description.	-	YES
arguments	`List<AttributeFunctionArgument>`	YES	The list of input arguments for the Attribute Function. Two possible argument types : `FixedAttributeFunctionArgumentType` to impose the input argument so it cannot be modified when using this Attribute Function in a Federation `VariableAttributeFunctionArgumentType` to let free choice about the input argument when using this Attribute Function in a Federation	-	NO (except for unused Attribute Functions)
builtinFunction	`String`	YES	The name of the built-in function to use	See Built-in Attribute Functions	NO (except for unused Attribute Functions)
legacy	`Boolean`	YES	Indicates if the Attribute Function is legacy . Built-in functions listed in this documentation are NOT legacy.	true, false	NO

argument properties - Fixed

Property name

Type

Mandatory

Description

Values (default value in bold)

Modifiable after creation

value

IdentityAttributeValueType or ConstantAttributeValueType

YES

Two possible types :

IdentityAttributeValueType : define the User Attribute to use as argument
ConstantAttributeValueType : define the value (string literals) to use as argument

-

NO (except for unused Attribute Functions)

Example

XML

<maiaamcp:AttributeFunction id="TestFunction">
      <name>Test Function</name>
      <description></description>
      <arguments>
         <argument xsi:type="maiaamcp:FixedAttributeFunctionArgumentType">
            <value xsi:type="maiaamcp:IdentityAttributeValueType">
               <attributeId>firstName</attributeId>
            </value>
         </argument>
         <argument xsi:type="maiaamcp:FixedAttributeFunctionArgumentType">
            <value xsi:type="maiaamcp:ConstantAttributeValueType">
               <value> </value>
            </value>
         </argument>
         <argument xsi:type="maiaamcp:VariableAttributeFunctionArgumentType"/>
      </arguments>
      <builtinFunction>concat</builtinFunction>
      <legacy>false</legacy>
</maiaamcp:AttributeFunction>

Reporting

You can see all applications using a specific Attribute Function in Reports, by using the Federation Mongo collection.

It can help if you want to delete an Attribute Function still in use in one or more Federations.