
Attributes

Definition

Attribute Definitions are entities that define the properties of Object Types. When starting to configure a Memority environment, you need to create Attribute Definitions in order to link them to Object Types (this was previously referred to as "attribute bindings").

By default, when the Memority environment is created, a set of standard Attribute Definitions is proposed; they can be customized according to your needs. If the existing Attribute Definitions are sufficient to configure the client's data model, it is therefore not mandatory to create new ones.

Attribute properties describe the core characteristics of an Attribute.
By default, every configured Attribute is available for use on all Object Types, unless the Attribute Definition explicitly restricts the Object Kind it can be applied to.

In the same way that "Identity Types" are not identities, "Attribute Definitions" are not attribute values. They are configuration that describes the type of value expected (string, boolean, number, etc.) and the rules that will be applied (lowercase, unicity, etc.). When we talk about the attribute "firstName", we mean its definition; when we talk about an identity's firstName, we mean its value (for example "John").

There are three types of Attributes:

  • Built-in: these Attributes are predefined and reserved by the system; their values can be modified (except kind, id, entityId and type).

  • Meta: these Attributes are set by the system and cannot be modified by users; they are read-only.

  • Configurable: these Attributes are created by the user.

Configuration

You can access the Attribute configuration:

  • by clicking on "Data Model" → "Attributes";

  • by clicking on "System" → "Configurations" and performing an import/export.

Properties

| Parameter name | Type | Mandatory | Description | Values (default value in bold) | Modifiable after creation |
|---|---|---|---|---|---|
| identifier | String | YES | The unique id of each Attribute, reused in the configuration (Features etc.). It is case sensitive and no special characters (except `-` or `_`) are allowed. | - | NO |
| name | String | YES | The name of the Attribute. Specifying the name first allows the identifier to be derived automatically. Maximum 128 characters. The name may differ from the identifier. | - | YES |
| objectKind | Enum | NO | Used to dedicate an Attribute to an Object Kind. If an Attribute is limited to an Object Kind, it cannot be configured on a Feature of another Object Kind. This is useful to restrict the list of Attributes offered when configuring an Object Type or a Feature, so that Attributes which make no sense for a given kind are not suggested; for example, the "firstname" Attribute makes no sense for an Object of Type "Organization". If no value is entered, the Attribute can be used on all Object Kinds. | Identity, Resource, Organization, Role or Role publication | NO |
| confidentiality | Integer | NO | Controls whether the Attribute is hidden. A user can see the value of the Attribute only if the level granted to the user is at least the level defined here; the higher the level, the more confidential the Attribute. You must define a right on a Feature with a confidentiality level: if that right is set to 1, the user will be able to see Attributes of confidentiality level 0 and 1. | 0, 1 or 2 | YES |
| description | String | NO | The purpose of the Attribute. | - | YES |
| virtual | Boolean | NO | Indicates whether the Attribute is virtual. A virtual Attribute is resolved (according to its resolve rule) each time it is accessed on the Object to which it is attached; its value is not stored in the database and appears in the audit only if it has been modified. This property can be used to put online help on a built-in Attribute. | ON or OFF | NO |
| highPriority | Boolean | NO | Prioritization level for changes to the value of the Attribute. If an Attribute is configured with "high priority", a modification of this Attribute on an IDM object (via either a "create" or a "patch" operation) generates the event message with "high priority", so that services listening on such messages process it accordingly. For example, on reception of a "high priority" message the Synchronization service triggers provisioning operations for the IDM object that is the subject of the message as soon as possible. This is notably useful to quickly propagate an IDM password change to a provisioned LDAP directory, so that the user whose password was changed can immediately authenticate there with the new password; the built-in IDM "password" Attribute indeed has high priority. Some built-in Attributes (password, enabled, ...) have this priority set to high. | ON or OFF | YES |
| valueType | Type | NO | The type of the Attribute. | String, Date, Date & Time, Integer Number, Decimal Number, Binary, Boolean, Identity, Resource, Organization, Role or Role publication | NO |
| minLength | Integer | NO | Minimum length of a String value. | - | YES |
| maxLength | Integer | NO | Maximum length of a String value. Beware: if more than 255 characters are expected in the string, specify the maximum value explicitly. | - | YES |
| choicesRule | Rule | NO | Used to build lists of choices (possible values to choose from for the Attribute). Lists can be created using either a Reference Table or a Groovy script. This rule also serves as a validation rule. Only on String Attributes. | Reference Table or Groovy Script | YES |
| scope | Scope | NO | A Scope can limit the displayed results. For example, you can define that the "manager" Attribute must satisfy status = "NORMAL" and object type = "collaborator"; the search results then only display managers matching these criteria. Note that only searchable Attributes can be used in a Scope. Only for Identity, Organization, Resource, Role and Role Publication value types. | - | YES |
| multiValued | Boolean | NO | Indicates whether the Attribute can have several values (companies, supervisors, ...). Not applicable for the Boolean value type. | ON or OFF | NO |
| searchCriterion | Boolean | NO | Indicates whether the Attribute can be used in search requests (as a search criterion). Not applicable for the Binary value type and for virtual Attributes. | ON or OFF | YES |
| internalAttributeId | - | NO | This property maps to the physical Attribute in the database. The internal Attribute id slot is used for performance (typically when searching) and for indexing. Recommendation: choose Automatic to let the application pick the internal Attribute id; the selection is made in chronological order. Note that an internal Attribute id is unique throughout the application, except if the Attribute is dedicated to one specific kind. The internal id cannot be changed after creation. | Automatic | NO |
| readOnly | Boolean | NO | Indicates whether the Attribute can only be displayed and not modified. Not applicable for the Binary value type. | ON or OFF | NO |
| initializationRule | Rule | NO | Used to set the value of the Attribute at the creation of the Object only. Example: the "badge authorized" Attribute is set to NO by default. If a compute rule is configured on the same Attribute, the initialization rule has priority. | - | YES |
| computeRule | Rule | NO | Used to calculate the value of the Attribute (before storing it in the database) at each modification of the Object, even if the modification does not concern this Attribute. In general, the compute rule is based on several Attribute values. For example: if the Object is an external, then the badge is not allowed. Beware that a compute rule does not override the initialization rule (if any). | - | YES |
| normalizeRule | Rule | NO | Used to modify the entered value of the Attribute before storing it in the database. Example: a last name must always be stored in uppercase; even if the value is not entered in uppercase, it is saved as defined in the rule. Only for the String value type. | - | YES |
| resolveRule | Rule | YES if virtual is set to ON | Same definition as the compute rule, but for virtual Attributes. The resolve rule is the only mandatory rule for virtual Attributes. It is not possible to use the id of a virtual Attribute in a rule of a non-virtual Attribute. | - | YES |
| validationRule | Rule | NO | Used to validate the value of the Attribute (whether it is allowed or not). If this rule is not respected, the creation or modification of the Object is rejected with an error message. | - | YES |
| secret | Boolean | NO | Indicates that the Attribute is a secret and will not be displayed in clear text. Not applicable for the Binary value type. The value is displayed neither on screen nor in the audit, except when displaying or updating the Attribute Definition itself. | ON or OFF | NO |
| encrypted | Boolean | NO | Indicates that the Attribute value is encrypted when stored. Not applicable for the Boolean, Decimal Number, Integer Number, Date and Date & Time value types. | ON or OFF | NO |
| immutable | Boolean | NO | Indicates that the Attribute value cannot be changed once created. | ON or OFF | NO |
| system | Boolean | NO | Indicates that the Attribute is managed by system tasks only. A system Attribute cannot be modified or deleted through the interface. | ON or OFF | NO |
| unicityRule | Rule | NO | Used to define whether the value must be unique (checked at the creation of the Object). Only if searchCriterion = ON and valueType = String. Characteristics: limited to Object Type (applies the rule only to the defined Object Type, if set to ON); check on update (also checks the rule on an update operation); search operator (the search operator used by the rule); normalize rule (a normalization rule applied before the search). | - | YES |
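The table above states several consistency constraints between properties (a virtual Attribute needs a resolve rule, a Boolean cannot be multi-valued, unicity needs searchCriterion on a String, and so on) plus two display rules (confidentiality levels and the secret flag). The following Python model, added here as an example and not Memority's own code, encodes those constraints as a checker and the display rules as a rendering function; the class and function names (`AttributeDefinition`, `check_definition`, `rendered_value`) and the `********` mask are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Only letters, digits, '-' and '_' are allowed in an identifier (it is case sensitive).
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Value types on which the "encrypted" property is not applicable.
NOT_ENCRYPTABLE = {"Boolean", "Decimal Number", "Integer Number", "Date", "Date & Time"}


@dataclass
class AttributeDefinition:
    """Subset of the Properties table (hypothetical class, not the product's own model)."""
    identifier: str
    name: str
    valueType: str = "String"
    confidentiality: int = 0            # 0, 1 or 2; the higher, the more confidential
    virtual: bool = False
    resolveRule: Optional[str] = None   # mandatory when virtual is ON
    multiValued: bool = False
    searchCriterion: bool = False
    secret: bool = False
    encrypted: bool = False
    choicesRule: Optional[str] = None
    normalizeRule: Optional[str] = None
    unicityRule: Optional[str] = None


def check_definition(d: AttributeDefinition) -> list:
    """Return the constraint violations of a definition; an empty list means it is consistent."""
    errors = []
    if not IDENTIFIER_RE.match(d.identifier):
        errors.append("identifier: only letters, digits, '-' and '_' are allowed")
    if not d.name or len(d.name) > 128:
        errors.append("name: required, maximum 128 characters")
    if d.confidentiality not in (0, 1, 2):
        errors.append("confidentiality: must be 0, 1 or 2")
    if d.virtual and not d.resolveRule:
        errors.append("resolveRule: mandatory when virtual is ON")
    if d.multiValued and d.valueType == "Boolean":
        errors.append("multiValued: not applicable for the Boolean value type")
    if d.searchCriterion and (d.valueType == "Binary" or d.virtual):
        errors.append("searchCriterion: not applicable for Binary value type or virtual Attributes")
    if d.secret and d.valueType == "Binary":
        errors.append("secret: not applicable for the Binary value type")
    if d.encrypted and d.valueType in NOT_ENCRYPTABLE:
        errors.append(f"encrypted: not applicable for the {d.valueType} value type")
    if d.choicesRule and d.valueType != "String":
        errors.append("choicesRule: only on String Attributes")
    if d.normalizeRule and d.valueType != "String":
        errors.append("normalizeRule: only for the String value type")
    if d.unicityRule and not (d.searchCriterion and d.valueType == "String"):
        errors.append("unicityRule: only if searchCriterion = ON and valueType = String")
    return errors


def rendered_value(d: AttributeDefinition, value, user_level: int, context: str = "screen"):
    """Value shown to a user whose Feature right has confidentiality level `user_level`.

    context is "screen" or "audit" (where a secret value is never shown in clear) or
    "definition" (displaying/updating the Attribute Definition itself, where it is).
    Returns None when the Attribute is hidden from that user altogether.
    """
    if user_level < d.confidentiality:
        return None                      # a level-1 right sees levels 0 and 1, never level 2
    if d.secret and context in ("screen", "audit"):
        return "********"                # mask chosen for this example; the page only says "not displayed"
    return value


if __name__ == "__main__":
    pwd = AttributeDefinition("password", "Password", secret=True, confidentiality=2)
    print(check_definition(pwd), rendered_value(pwd, "hunter2", 1), rendered_value(pwd, "hunter2", 2))
```

Running the checker before importing a configuration catches the cases the product would reject at creation time, and the rendering function makes explicit that confidentiality filters *who* sees an Attribute while `secret` filters *where* its value appears.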

Built-in Properties

Built-in properties names are reserved keywords; they cannot be used to define a configurable Attribute.

Common to all Object Types

| Name | Type | Mandatory | Description | Values | Searchable |
|---|---|---|---|---|---|
| kind | Enum | YES | The kind of the Object. | Identity, Organization, Resource, Role, Role publication | YES |
| id | String | YES | The unique identifier of an Object Type, reused in the configuration (Features etc.). | - | YES |
| entityId | String | YES | The identifier key (not necessarily unique) which links siblings: siblings have the same entityId. Objects having the same entityId share the same "structural" Attributes. | - | YES |
| type | String | YES | Type of an Object Kind, such as "employee" or "collaborator". | - | YES |
| status | String | YES | The status of the Object. | Draft, Normal, Delete | YES |
| enabled | Boolean | YES | Indicates whether the Object is enabled or disabled. Linked with the following Attributes: objectActivationJob, enabledFrom, enabledUntil, disabledAt, activationMode. | true, false | YES |
| enabledFrom | Date & time | NO | The date from which the Object is considered enabled. | - | YES |
| enabledUntil | Date & time | NO | The date from which the Object is considered disabled. | - | YES |
| flags | String | NO | List of flags on the user. Flags can be used to trigger actions on a specific population depending on context. | F00 to F15 | YES |
| reservedFlags | String | NO | List of reserved flags on the user; they can provide information on the last operation performed on the identity. Contrary to the flags Attribute, they cannot be set by the end user, only by the system. | BYPASS_DEDUP, BYPASS_INTEGRITY, BYPASS_UNICITY, BYPASS_VALIDATION, PASSWORD_EXPIRED, PASSWORD_GRACE | YES |

Specific to Identities

Attributes specific to Identities

| Name | Type | Mandatory | Description | Values (default value in bold) | Searchable |
|---|---|---|---|---|---|
| authModes | String | NO | List of authentication modes available for a user. | my_password, inwebo_browser_m_access, inwebo_browser_inwebo_mobile | NO |
| authMethodPasswordStatus | String | NO | Status of the password authentication method. | Activating, Active, Disabled, Enabled | YES |
| authMethodPasswordFrom | Date & time | NO | Begin date of the password authentication method. | - | NO |
| authMethodPasswordTo | Date & time | NO | End date of the password authentication method. | - | NO |
| authMethodMyMfaStatus | String | NO | Status of the MFA authentication method. | Activating, Active, Disabled, Enabled | YES |
| authMethodMyMfaFrom | Date & time | NO | Begin date of the MFA authentication method. | - | NO |
| authMethodMyMfaTo | Date & time | NO | End date of the MFA authentication method. | - | NO |
| locked | Boolean | NO | Indicates whether the user account is locked. If true, the user cannot access the portal. | true, false | YES |
| loginTasks | String | NO | Self-service tasks that the user should or must perform before they can access the User Portal. | - | NO |
| rights | Rights | NO | Rights of the user. | - | NO |
| roles | Roles | NO | Roles of the user. | - | YES |
| securityOrganization | Organization | NO | Allows a Security Organization to be linked to an Identity Type. | - | YES |

Specific to Organizations

Attributes specific to Organizations

| Name | Type | Mandatory | Description | Values | Searchable |
|---|---|---|---|---|---|
| parentOrganization | ObjectReference | NO | The parent Organization. | - | YES |

Specific to Resources

Attributes specific to Resources

| Name | Type | Mandatory | Description | Values | Searchable |
|---|---|---|---|---|---|
| category | Enum | YES | The Resource category. | ASSET, APPLICATION, MODEL, DATA | YES |

Specific to Roles

Attributes specific to Roles

| Name | Type | Mandatory | Description | Values (default value in bold) | Searchable |
|---|---|---|---|---|---|
| requiresManualProvisioning | Boolean | NO | Indicates whether the Role needs a manual (de)provisioning action when it is created/updated/deleted. | true, false | TODO |

Specific to Roles Publication

Attributes specific to Roles Publication

| Name | Type | Mandatory | Description | Values (default value in bold) | Searchable |
|---|---|---|---|---|---|
| publicationOrganization | ObjectReference | YES, on the create Feature | Allows you to add an allowed Security Organization to the Role Publication. | - | YES |
| publicationRole | ObjectReference | YES, on the create Feature | Allows you to add an allowed Role to the Role Publication. | - | YES |
| publicationAccess | Enum | YES, on the create Feature | Allows you to define whether the access on the Publication is "allow" or "deny". | ALLOW, DENY | YES |
| publicationForCreate | Boolean | NO | Allows you to define whether the Publication allows Roles to be assigned to Identities. | true, false | YES |
| publicationForUpdate | Boolean | NO | Allows you to define whether the Publication allows a Role Assignment to be updated. | true, false | YES |
| publicationForDelete | Boolean | NO | Allows you to define whether the Publication allows a Role Assignment to be deleted. | true, false | YES |

Meta properties

Meta properties are reserved keywords; they cannot be used to define a configurable Attribute.

Common to all Object Types

| Name | Type | Description | Searchable |
|---|---|---|---|
| createdAt | Date & time | The Object creation date. | YES |
| disabledAt | Date & time | Date at which "enabled" was set to false. | YES |
| deletedAt | Date & time | Date at which "status" was set to Delete. | YES |
| updatedAt | Date & time | The Object's last update date. | YES |
| activationModes | String | Modes that can be used when activating/deactivating an Object; typically used in scripts. By default: AUTO or Admin (can be updated via a setting). | YES |

Specific to Identities

Meta specific to Identities

| Name | Type | Description | Searchable |
|---|---|---|---|
| lockedAt | Date & time | Date at which the account was locked. | YES |
| passwordResetAt | Date & time | Date at which the password was reset. | YES |
| passwordExpirationDate | Date & time | Date at which the password expires. | YES |
| nbAuthFailures | Int | The number of authentication failures. | NO |

Specific to Organizations

Meta specific to Organizations

| Name | Type | Description | Searchable |
|---|---|---|---|
| organizationPath | String | Path of the Organization in the Organization tree. | NO |

Specific to Roles

Meta specific to Roles

| Name | Type | Description | Searchable |
|---|---|---|---|
| roleVersion | Int | Version number of the Role. | NO |

Rules

A rule can be entered as a Groovy script or, for some of them, as a regular expression.
Rules apply when creating or updating a managed Object instance (through either the User Portal functions or upstream provisioning).

Note that some rules are not compatible with each other:

  • A normalize rule can only be combined with an initialization rule and/or a validation rule.

  • A choices rule may only be combined with an initialization rule.

  • A resolve rule can only be combined with an initialization rule and/or a compute rule and/or a validation rule.

The following rules are specific to Attribute Definitions; all rules are detailed on a dedicated page.

Resolve rules

Resolve rules calculate the value of a virtual Attribute each time the Object is modified or read; the computed value is never recorded in the database.

A resolve rule is mandatory for virtual Attributes.

When configuring a resolve rule there are two possibilities:

  • By Random Identifier Generator: not relevant for a resolve rule.

  • By Groovy script: used to combine several Attributes' values into another Attribute. For example:

```groovy
// Resolve rule: derive a validity code from the object's level, status and enabled flag.
if (!OBJECT.level || OBJECT.level == "P") {
    if (OBJECT.status == ObjectStatus.DELETED) {
        return "S"
    } else if (!OBJECT.enabled) {
        return "IV"
    } else {
        return "V"
    }
}
// Any other level: fall back to the stored entityValidity value.
return OBJECT.entityValidity
```

In this case, the value is resolved according to the "level" and "status" Attributes.

Unicity rules

Unicity rules define whether the value of an Attribute must be unique. They can be global or limited to a specific Object Type.

When configuring a unicity rule, there are several properties to configure:

  • Limited to object type (ON or OFF): when set to ON, the value will be unique whatever the Object Type (for example a license plate).

  • Check on update (ON or OFF): when set to ON, each modification of the value of the Attribute triggers a complete check before it is recorded in the database.

  • Search operator: allows you to choose the operator used to check uniqueness (see the section on search Features, which describes the operator types). The most common choice is "equals", so that the rule checks that no other stored value is equal to the one entered.

  • Normalize (the normalization rule applies before the unicity check):

    • Capitalization: the first letter is stored in uppercase and the rest in lowercase. The "Full capitalization" checkbox applies the rule to every word of the value.

    • Lowercase: the string value is stored in lowercase.

    • Uppercase: the string value is stored in uppercase.

    • Script: allows you to write a Groovy script to configure a more complex rule.
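The Rules section above describes an evaluation order (initialization wins over compute at creation, compute re-runs on every modification, normalize runs before storage, validation rejects the operation) together with the rule-compatibility list and the unicity options just listed. The Python model below is an added example, not Memority's own code: it stands Groovy scripts in with Python callables and models only the "equals" search operator. The names `AttributeRules`, `UnicityRule`, `apply_rules`, `check_rule_combination` and `RuleError` are assumptions of this example, and "Limited to object type" follows the Properties table's description (the rule applies only within the Object Type) since the bullet above and that table describe it differently.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Which other rules each rule may be combined with, from the compatibility list above.
COMPATIBLE_WITH = {
    "normalize": {"initialization", "validation"},
    "choices": {"initialization"},
    "resolve": {"initialization", "compute", "validation"},
}

# Normalization options of the unicity rule (applied before the uniqueness search).
NORMALIZERS = {
    "lowercase": str.lower,
    "uppercase": str.upper,
    "capitalization": lambda s: s[:1].upper() + s[1:].lower(),
    "full capitalization": lambda s: " ".join(w[:1].upper() + w[1:].lower() for w in s.split(" ")),
}


class RuleError(Exception):
    """Raised when a rule combination is invalid or a create/patch is rejected."""


def check_rule_combination(configured: set) -> list:
    """Return the incompatibilities among the rules configured on one Attribute."""
    errors = []
    for rule, allowed in COMPATIBLE_WITH.items():
        if rule in configured:
            others = configured - {rule} - allowed
            if others:
                errors.append(f"{rule} rule cannot be combined with {', '.join(sorted(others))}")
    return errors


@dataclass
class UnicityRule:
    limited_to_object_type: bool = False   # compare only with objects of the same type
    check_on_update: bool = False          # also check on patch, not only on create
    search_operator: str = "equals"        # only "equals" is modelled here
    normalize: Optional[str] = None        # key of NORMALIZERS


@dataclass
class AttributeRules:
    """Rules of one Attribute; Groovy scripts are stood in for by Python callables."""
    identifier: str
    initialization: Optional[Callable] = None   # value at object creation only
    compute: Optional[Callable] = None          # recomputed at every modification of the object
    normalize: Optional[Callable] = None        # applied to the value before it is stored
    validation: Optional[Callable] = None       # returns False to reject the operation
    unicity: Optional[UnicityRule] = None


def is_unique(rules: AttributeRules, value: str, obj: dict, store: list) -> bool:
    """True if no other stored object carries the same (normalized) value."""
    u = rules.unicity
    if u.search_operator != "equals":
        raise RuleError("only the 'equals' search operator is modelled")
    norm = NORMALIZERS[u.normalize] if u.normalize else (lambda s: s)
    for other in store:
        if other.get("id") == obj.get("id"):
            continue                                   # an object never collides with itself
        if u.limited_to_object_type and other.get("type") != obj.get("type"):
            continue
        existing = other.get(rules.identifier)
        if existing is not None and norm(existing) == norm(value):
            return False
    return True


def apply_rules(rules: AttributeRules, obj: dict, store: list, operation: str):
    """Return the value to store for rules.identifier on a "create" or "patch" of obj.

    obj holds the submitted attribute values (constructed dicts in the tests);
    store holds the other stored objects.
    """
    value = obj.get(rules.identifier)
    if operation == "create" and rules.initialization:
        value = rules.initialization(obj)     # initialization has priority over compute at creation
    elif rules.compute:
        value = rules.compute(obj)            # runs even if the patch did not touch this Attribute
    if rules.normalize and isinstance(value, str):
        value = rules.normalize(value)        # the normalized form is what gets stored
    if rules.validation and not rules.validation(value, obj):
        raise RuleError(f"{rules.identifier}: validation rule rejected {value!r}")
    if rules.unicity and (operation == "create" or rules.unicity.check_on_update):
        if not is_unique(rules, value, obj, store):
            raise RuleError(f"{rules.identifier}: value {value!r} is not unique")
    return value
```

The order inside `apply_rules` is the security-relevant part: a validation rule sees the normalized value, and a unicity check that normalizes with `lowercase` catches `ANN@example.com` against a stored `ann@example.com`, which a raw `equals` comparison would miss.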

Attributes Inheritance

Principles of Attribute Inheritance

Applying Attribute inheritance means:

  • when creating a new child Organization, copying inherited Attribute values from the direct parent;

  • when patching an inherited Attribute on a parent Organization, propagating the change to all child Organizations;

  • when attempting to patch an inherited Attribute on a child Organization, throwing a validation error.

Attribute inheritance when creating a child Organization:

  • If an Attribute is inherited but the direct parent does not have it, then the child does not have it either.

  • An inherited Attribute on a child Organization takes the value of the parent's Attribute. If the Attribute does not exist on the parent, no value is returned; this indicates a configuration inconsistency.

  • A validation error is raised on an attempt to:

    • create a non-root Organization by explicitly providing inherited Attribute values;

    • create a non-root Organization whose parent type is not among the authorized parent Organization Types.

Attribute inheritance when creating a parent Organization:

  • Propagating inherited Attribute changes from a root Organization to its children is similar to propagating structural Attribute changes to siblings; validation is disabled in both cases.

Configuring Attribute Inheritance

Attribute inheritance can be configured at any level of the Organization tree (not just at the root level).

When configuring an Attribute as inherited on an OrganizationType, a validation error is thrown if the Attribute is computed, resolved, virtual, secret or encrypted.
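The inheritance behaviour described in this section (copy from the direct parent on create, propagate from the parent on patch, reject patches on children and explicitly supplied inherited values, reject unauthorized parent types, and refuse to mark computed/resolved/virtual/secret/encrypted Attributes as inherited) can be exercised with the following Python model. It is an added example, not Memority's own code; `OrganizationTree`, `InheritanceError` and the property names in `NOT_INHERITABLE` are assumptions of this example, and it simplifies inheritance to a single set of inherited Attributes rooted at the top of the tree rather than per OrganizationType at any level.

```python
from typing import Optional

# Properties that make an Attribute ineligible for inheritance on an OrganizationType.
NOT_INHERITABLE = {"computed", "resolved", "virtual", "secret", "encrypted"}


class InheritanceError(Exception):
    """Validation error raised by the inheritance checks."""


class OrganizationTree:
    """Organizations sharing a set of inherited Attributes (hypothetical model).

    inherited: identifiers of the Attributes configured as inherited
    attribute_flags: identifier -> set of properties on that Attribute (e.g. {"secret"})
    allowed_parents: organization type -> set of types authorized as its parent
    """

    def __init__(self, inherited: set, attribute_flags: Optional[dict] = None,
                 allowed_parents: Optional[dict] = None):
        flags = attribute_flags or {}
        for attr in sorted(inherited):
            bad = NOT_INHERITABLE & flags.get(attr, set())
            if bad:
                raise InheritanceError(f"{attr}: a {'/'.join(sorted(bad))} Attribute cannot be inherited")
        self.inherited = set(inherited)
        self.allowed_parents = allowed_parents or {}
        self.orgs = {}   # id -> {"type": str, "parent": Optional[str], "attrs": dict}

    def attrs(self, org_id: str) -> dict:
        """Copy of the stored Attribute values of one Organization."""
        return dict(self.orgs[org_id]["attrs"])

    def create(self, org_id: str, org_type: str, attrs: dict, parent: Optional[str] = None):
        values = dict(attrs)
        if parent is not None:
            provided = self.inherited & values.keys()
            if provided:
                raise InheritanceError(f"inherited Attribute(s) must not be provided on a child: {sorted(provided)}")
            parent_org = self.orgs[parent]
            if parent_org["type"] not in self.allowed_parents.get(org_type, set()):
                raise InheritanceError(f"{parent_org['type']} is not an authorized parent type for {org_type}")
            for attr in self.inherited:
                if attr in parent_org["attrs"]:          # absent on the parent -> absent on the child
                    values[attr] = parent_org["attrs"][attr]
        self.orgs[org_id] = {"type": org_type, "parent": parent, "attrs": values}

    def patch(self, org_id: str, changes: dict):
        org = self.orgs[org_id]
        touched = self.inherited & changes.keys()
        if touched and org["parent"] is not None:
            raise InheritanceError(f"inherited Attribute(s) cannot be patched on a child: {sorted(touched)}")
        org["attrs"].update(changes)
        for attr in touched:
            self._propagate(org_id, attr, changes[attr])

    def _propagate(self, org_id: str, attr: str, value):
        # Propagation bypasses validation, as for structural Attribute changes on siblings.
        for child_id, child in self.orgs.items():
            if child["parent"] == org_id:
                child["attrs"][attr] = value
                self._propagate(child_id, attr, value)
```

The constructor check is the one worth keeping in mind when designing a data model: an inherited value is copied into every descendant and rewritten without validation on propagation, so the product's refusal to inherit secret or encrypted Attributes prevents sensitive values from being silently fanned out across the tree.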

