Sun Identity Manager Deployment Guide

Extended Attributes

Extended attributes are attributes that are not built in, such as employeeNumber for User. Most customers want to query by employeeNumber, so you can add it as a queryable extended attribute through the configuration.


Note –

It is a best practice to prefix extended attributes with a deployment-specific prefix to prevent potential conflicts with new core attributes in future releases of Identity Manager.

For example, when adding an extended attribute to User to record the employeeNumber, use a prefix associated with the company, such as acme_employeeNumber. If a future Identity Manager release incorporates a built-in user attribute named employeeNumber, the two attributes will remain distinct. Without the prefix, the built-in attribute takes precedence.


Because extended attributes are not built in, they must be declared in the <IDMAttributeConfigurations> section of the IDM Schema Configuration object. This section captures the attribute names, syntax (such as string, int, and date), and whether the attribute is single-valued or multi-valued. The IDMObjectClassConfiguration captures which attributes belong to which object classes, because a named attribute, such as MemberObjectGroups, can be in more than one object class.


Note –

The IDM Schema Configuration object is protected with the IDMSchemaConfig authType.

Administrators needing to view or edit the Identity Manager schema for Users or Roles must have the IDMSchemaConfig AdminGroup (capability) assigned. The Configurator user has this AdminGroup assigned by default.


For more information about User extended attributes, see the discussion about the accounts[lighthouse] attribute of the User view in the Views chapter of Deployment Reference.

You can expose built-in attributes and extended attributes as queryable or summary. Some built-in attributes have REFERENCE syntax, but extended attributes are not allowed to be REFERENCE.

The <Comments> section of the effective schema contains information about available internal attributes, as well as extended attributes for the relevant object classes. You can view this information from the Identity Manager Debug pages by clicking the Display Schema button and selecting ObjectClass Schema from the list.


Note –

Extended attributes are supported for User, Role, and extensions of Role only.

Some built-in attribute references for User and Role are not queryable or summary by default, but you can expose the following attributes:

For attribute definitions, click the Display Schema button on the Debug Pages to view the IDMObjectClass schema. Administrators must have View rights for IDMSchemaConfig to view the IDMObjectClass schema.
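
The rules on this page (deployment prefix, declaration in <IDMAttributeConfigurations>, no REFERENCE syntax, User and Role object classes only) can be checked against an exported copy of the schema configuration. The following is an added example, not code from the Identity Manager documentation. The child element and attribute names, the sample XML, and the function lint_schema with its builtins and role_extensions parameters are assumptions to adapt to the deployed object.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Child element and attribute names are assumptions.
SAMPLE = """
<IDMSchemaConfiguration>
  <IDMAttributeConfigurations>
    <IDMAttributeConfiguration name='acme_employeeNumber' syntax='STRING'/>
    <IDMAttributeConfiguration name='costCenter' syntax='STRING'/>
    <IDMAttributeConfiguration name='acme_manager' syntax='REFERENCE'/>
  </IDMAttributeConfigurations>
  <IDMObjectClassConfigurations>
    <IDMObjectClassConfiguration name='User'>
      <IDMObjectClassAttributeConfiguration name='acme_employeeNumber' queryable='true'/>
      <IDMObjectClassAttributeConfiguration name='acme_badgeId' queryable='true'/>
    </IDMObjectClassConfiguration>
    <IDMObjectClassConfiguration name='Resource'>
      <IDMObjectClassAttributeConfiguration name='costCenter' summary='true'/>
    </IDMObjectClassConfiguration>
  </IDMObjectClassConfigurations>
</IDMSchemaConfiguration>
"""

def lint_schema(xml_text, prefix, builtins=frozenset(), role_extensions=frozenset()):
    """Return sorted (attribute, problem) pairs for extended attributes."""
    root = ET.fromstring(xml_text)
    findings, declared = set(), set()
    # Pass 1: declarations. Anything not in `builtins` is treated as extended.
    for attr in root.iter("IDMAttributeConfiguration"):
        name = attr.get("name", "")
        if name in builtins:
            continue
        declared.add(name)
        if not name.startswith(prefix):
            findings.add((name, "missing deployment prefix"))
        if attr.get("syntax", "").upper() == "REFERENCE":
            findings.add((name, "REFERENCE syntax not allowed"))
    # Pass 2: object classes. Only User, Role and Role extensions qualify.
    allowed = {"User", "Role"} | set(role_extensions)
    for oc in root.iter("IDMObjectClassConfiguration"):
        for ref in oc.iter("IDMObjectClassAttributeConfiguration"):
            name = ref.get("name", "")
            if name in builtins:
                continue
            if name not in declared:
                findings.add((name, "not declared in IDMAttributeConfigurations"))
            if oc.get("name") not in allowed:
                findings.add((name, "object class does not support extended attributes"))
    return sorted(findings)
```

Pass the names of the built-in attributes your release exposes as builtins so that they are not reported as unprefixed extended attributes.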