Configuring Identity Attributes in SailPoint IIQ

Brief overview of Identity Attributes in SailPoint IIQ followed by instructions on how to configure Identity Attributes.

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

What are Identity Attributes and how are they used?

Identity Attributes are essential to a functional SailPoint IIQ installation.  SailPoint IIQ represents users by Identity Cubes.  Identity Cubes are a correlated collection of accounts and entitlements that represent a single user in the real world.  Identity Attributes are used to describe Identity Cubes and by proxy describe the real-world user.  Identity Attributes are created by directly mapping a list of attributes from various sources or derived through rules or mappings.

Take first name and last name as an example.  First name is referenced in almost every application, but the Identity Cube can only have one first name.  To make sure that Identity Cubes have an assigned first name, a hierarchical data map is created to assign the Identity Attribute.  When refreshing the Identity Cubes, IIQ will look for the first matching value in the map and use that as the Identity Attribute.  The hierarchy may look like the following: if firstname exists in PeopleSoft, use that.  If not, use the givenName in Active Directory.  If that doesn't exist, use the first name in LDAP, and so on.
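The first-match lookup described above can be modeled outside IIQ to check which source actually supplies each identity's value. This is an added example, not SailPoint code or code from the original post; the LDAP attribute name, the sample identities, and the rule that blank strings count as "no value" are assumptions.

```python
# Ordered source map for the "firstname" Identity Attribute, mirroring the
# hierarchy in the text: (application, account attribute). The LDAP attribute
# name is assumed for illustration.
FIRSTNAME_SOURCES = [
    ("PeopleSoft", "firstname"),
    ("Active Directory", "givenName"),
    ("LDAP", "givenName"),
]

def resolve_attribute(sources, accounts):
    """Return (value, application) from the first source with a usable value.

    `accounts` maps application name -> account attributes for one identity.
    Treating None and blank strings as missing is an assumption of this model.
    """
    for application, attr in sources:
        value = accounts.get(application, {}).get(attr)
        if isinstance(value, str):
            value = value.strip()
        if value:
            return value, application
    return None, None

def audit_fallbacks(sources, identities):
    """List identities whose value did not come from the top-priority source."""
    primary = sources[0][0]
    findings = []
    for name, accounts in identities.items():
        value, origin = resolve_attribute(sources, accounts)
        if origin != primary:
            findings.append((name, value, origin))
    return findings

# Constructed sample data: correlated accounts per identity.
SAMPLE_IDENTITIES = {
    "jsmith": {"PeopleSoft": {"firstname": "John"},
               "Active Directory": {"givenName": "Johnny"}},
    "mlee": {"PeopleSoft": {"firstname": "  "},
             "Active Directory": {"givenName": "Min"}},
    "svc_backup": {"LDAP": {"cn": "svc_backup"}},
    "akhan": {"LDAP": {"givenName": "Aisha"}},
}

if __name__ == "__main__":
    for finding in audit_fallbacks(FIRSTNAME_SOURCES, SAMPLE_IDENTITIES):
        print(finding)
```

Identities reported by `audit_fallbacks` are the ones where a lower-priority directory, rather than the HR source at the top of the map, determines the attribute, which is worth reviewing when the attribute feeds rules or role assignment.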

How are Identity Attributes Assigned?

Identity Attributes are set up through the Identity IQ interface. To add Identity Attributes, do the following:

  1. Log into SailPoint Identity IQ as an admin
  2. Click on System Setup > Identity Mappings
  3. Click New Identity Attribute
  4. Enter the attribute name and displayname for the Attribute

Note: The attribute name is used to reference the identity attribute in forms and rules, while the displayname is the value shown to the user in the UI.

  5. Click on Add Value Map
  6. Select the appropriate application and attribute and click OK
  7. Repeat step 6 for all mapped attributes
  8. Select any desired options (Searchable, Group Factory, etc.)
  9. Click OK

After adding identity attributes, populate the identity cubes by running the Refresh Identity Cubes task.

Added Identity Attributes will not show up on the main page of the Identity Cube unless the attribute is populated and the UI settings have been changed.  To enable custom Identity Attributes, do the following:

  1. Log into SailPoint Identity IQ as an admin
  2. Navigate to the debug interface (https://www.yourcompany.com/iiq/debug)
  3. Click on the UI Config button
  4. Modify the following entry:
    <entry key="identityViewAttributes" value="name,firstname,lastname,email,manager,employeeid"/>
  5. Click Save
  6. Restart the application server

After restarting the application server, the custom Identity Attributes should be visible in the identity cube.