
Since the schema in each target system may be different, attribute mapping allows us to define a mapping between attributes in OpenIAM and the attributes in the target system's schema. The Attribute Map concept goes one step further, however, in that it allows you to map derived attributes, called attribute policies, to attributes in the target systems. Attribute policies are rules or scriptlets that provide a flexible model to determine the value of each attribute that is being sent to the target system. The following section describes:

  • How to create attribute policies
  • How to create an attribute Map

Creating an Attribute Policy

To create an attribute policy, use the steps below:

  • Log into the Webconsole
  • Select Policy
  • Select ATTRIBUTE POLICY from the Policy Type drop down as shown below.
  • Click on Search
  • To edit an existing Policy, click on View.
  • To create a new Policy, click on New Policy

 

  • Clicking on New Policy will result in the screen below. Complete information for the following fields:

    Field Name | Description
    Name       | Name of the policy, which allows you to easily identify it
    Status     | ACTIVE - Indicates that the policy is usable
    RULE URL   | URL to the script containing the policy. The path is relative to the root for scripts. For example: provision/cn.groovy

    Note: The current release of the Identity Manager does not support entering rules directly into the web interface


Developing Attribute Policies

Attribute policies are developed using Groovy script. They are used to determine the value of an attribute. These values can be either single-valued or multi-valued. An example of a single-valued attribute would be first name. An example of a multi-valued attribute would be the list of Roles that a person belongs to. The following objects are bound to the Attribute Policy through the Identity Manager:

  • user - OpenIAM User object
  • context - Spring application context which can be used to lookup Spring beans.

Below are examples of attribute policies:

Single Valued Attribute

The following policy describes the logic to determine a unique identity for a User.
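The following Groovy script is an added example of such a policy, not code from the OpenIAM documentation or code base. It assumes that the bound user object exposes firstName and lastName properties and that the script's last expression is taken as the attribute value; it derives a short, ASCII-only identifier and refuses to emit one when the source data is incomplete, so that a half-built value cannot collide with an existing account or carry LDAP-special characters into a DN.

```groovy
// Added example attribute policy (assumptions: `user` has firstName/lastName,
// the script's final expression is the attribute value sent to the target).
import java.text.Normalizer

// Reduce a name to lowercase ASCII letters and digits only. This strips
// accents and drops any character that is special in an RDN (RFC 4514),
// such as ',', '+', '"', '\\', '<', '>', ';', '=', so the derived value is
// safe to use inside a DN.
String asciiSlug(String s) {
    if (s == null) return ''
    String folded = Normalizer.normalize(s, Normalizer.Form.NFD)
                              .replaceAll(/\p{M}/, '')   // remove combining marks
    return folded.toLowerCase().replaceAll(/[^a-z0-9]/, '')
}

String first = asciiSlug(user?.firstName)
String last  = asciiSlug(user?.lastName)

// Incomplete source data: return an empty value rather than a partial
// identifier. Uniqueness against the directory would be checked through a
// bean looked up from `context`; no specific bean name is assumed here.
if (!first || !last) {
    return ''
}

// First initial plus last name (e.g. "jsmith"), capped at 20 characters.
String uid = first[0] + last
if (uid.length() > 20) {
    uid = uid[0..19]
}
return uid
```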

Multivalued Attribute

Example of an LDAP Object class definition:

Example of a user's Role Membership:

Developing an Attribute Map

Once you have developed a set of attribute policies, you can develop an attribute map for a resource (target system). In the example below, we will develop an attribute map for LDAP.

  • Log into the Webconsole
  • Select Access Control | Resource
  • Select MANAGED SYSTEMS from Select Resource Type drop down.
  • A list of existing resources will appear. Select LDAP from the list of resources
  • Select POLICY MAP after you retrieve the resource

 

Selecting LDAP will result in the screen below, which is a list of LDAP attributes.

  • For each LDAP attribute, select the Policy from the Policy drop down.
  • For each attribute, determine whether it is part of the set of User attributes or is used to determine a user's identity. If it is used to determine the identity, select PRINCIPAL as the Object type. Otherwise, select USER as the Object type.
  • To remove an attribute, simply click on the checkbox and click on the DELETE button
  • To add new attributes, enter the details on the last row which says "*ENTER ATTRIBUTE NAME*"
