Configuring Identity Attributes in SailPoint IIQ

Brief overview of Identity Attributes in SailPoint IIQ followed by instructions on how to configure Identity Attributes.

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

What are Identity Attributes and how are they used?

Identity Attributes are essential to a functional SailPoint IIQ installation.  SailPoint IIQ represents users by Identity Cubes.  Identity Cubes are a correlated collection of accounts and entitlements that represent a single user in the real world.  Identity Attributes are used to describe Identity Cubes and by proxy describe the real-world user.  Identity Attributes are created by directly mapping a list of attributes from various sources or derived through rules or mappings.

Take first name and last name as an example. First name is referenced in almost every application, but the Identity Cube can only have one first name. To make sure that Identity Cubes have an assigned first name, a hierarchical data map is created to assign the Identity Attribute. When refreshing the Identity Cubes, IIQ will look for the first matching value in the map and use that as the Identity Attribute. The hierarchy may look like the following: if firstname exists in PeopleSoft, use that. If not, use the givenName in Active Directory. If that doesn't exist, use the first name in LDAP, and so on.
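The first-match hierarchy described above, modeled as an added example (a simulation written for this page, not IdentityIQ code or an IdentityIQ API). The function names, the LDAP attribute name and the rule that blank values count as missing are assumptions; it also reports lower-priority sources that disagree with the winning value, which is worth reviewing before rules or roles depend on the attribute.

```python
# Added illustration: models the first-match source hierarchy described above.
# It is a simulation, not IdentityIQ code; all names here are hypothetical.

# Ordered value map for one identity attribute: (application, account attribute).
# Order mirrors the article's example; the LDAP attribute name is assumed.
FIRSTNAME_SOURCES = [
    ("PeopleSoft", "firstname"),
    ("Active Directory", "givenName"),
    ("LDAP", "firstName"),
]


def _usable(value):
    """Assumption: None, empty and whitespace-only values count as 'no value'."""
    return isinstance(value, str) and value.strip() != ""


def resolve_attribute(sources, accounts):
    """Return (value, winning_application, conflicts) for one identity.

    accounts maps application name -> dict of that account's attributes.
    conflicts lists lower-priority sources whose usable value differs from
    the winner (case-insensitive comparison).
    """
    winner = None
    conflicts = []
    for app, attr in sources:
        value = accounts.get(app, {}).get(attr)
        if not _usable(value):
            continue  # fall through to the next source in the hierarchy
        value = value.strip()
        if winner is None:
            winner = (value, app)  # first usable value wins
        elif value.casefold() != winner[0].casefold():
            conflicts.append((app, value))
    if winner is None:
        return None, None, conflicts
    return winner[0], winner[1], conflicts


# Constructed sample identity: PeopleSoft has a blank first name, so the
# Active Directory value wins and the LDAP value is reported as a mismatch.
SAMPLE_ACCOUNTS = {
    "PeopleSoft": {"firstname": "  "},
    "Active Directory": {"givenName": "Katherine"},
    "LDAP": {"firstName": "Kate"},
}
```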

How are Identity Attributes Assigned?

Identity Attributes are set up through the Identity IQ interface. To add Identity Attributes, do the following:

  1. Log into SailPoint Identity IQ as an admin
  2. Click on System Setup > Identity Mappings
  3. Click New Identity Attribute
  4. Enter the attribute name and displayname for the Attribute

Note: The attribute name is used to reference the identity attribute in forms and rules, while the displayname is the value shown to the user in the UI.

  5. Click on Add Value Map
  6. Select the appropriate application and attribute and click OK
  7. Repeat step 6 for all mapped attributes
  8. Select any desired options (Searchable, Group Factory, etc.)
  9. Click OK

After adding identity attributes, populate the identity cubes by running the Refresh Identity Cubes task.

Added Identity Attributes will not show up on the main page of the Identity Cube unless the attribute is populated and the UI settings have been changed. To enable custom Identity Attributes, do the following:

  1. Log into SailPoint Identity IQ as an admin
  2. Navigate to the debug interface (http://www.yourcompany.com/iiq/debug)
  3. Click on the UI Config button
  4. Modify the following entry:
    <entry key="identityViewAttributes" value="name,firstname,lastname,email,manager,employeeid"/>
  5. Click Save
  6. Restart the application server

After restarting the application server, the custom Identity Attributes should be visible in the identity cube.


Comments on: “Configuring Identity Attributes in SailPoint IIQ”

  1. Cool and great, there are actually some good points in this post. Some of my friends might find this relevant; I will send them a link. Many thanks. Good blog! Really fantastic stuff here. Thanks

  2. Can you help me? In my SailPoint there is no option showing Lifecycle Manager. How can I enable or configure that feature? It's version 7.0.

    Thanks in advance

    1. Lifecycle manager is turned on during the installation. I pulled the following steps from the Lifecycle Manager Activation document

      1. Log on to your instance of IdentityIQ as an administrator.
      2. Click on Global Settings under the gear icon and select the Import from File Page.
      3. Click Browse and browse to the following directory:
      where identityiq_home is the directory in which you extracted the identityiq.war file during the IdentityIQ installation procedure.
      4. Select the init-lcm.xml file and click Import.
      5. When the import is complete, click Done.
