View and Configure Identity Attributes

Identity attributes refer to properties of an identity, such as name, location, or organization name.

Oracle Access Governance supports the following attribute types:
  • Core attributes: Fixed standardized identity attributes which are included in campaigns and access reviews by default.
  • Custom attributes: Non-standard identity attributes that are on-boarded from specific connected systems, once connected, but are not included in campaigns and access reviews unless required. For example, you may have a core attribute Location which is included in campaigns and access reviews by default, while additional custom attributes, such as Area, City, or Zip Code must be configured, to support your business needs.

Overview

Oracle Access Governance automatically fetches core and custom attributes defined in a connected system. Details of attributes are automatically loaded into Oracle Access Governance when data is loaded from a connected system. If you create further custom attributes in the target system, following initial data load, you can refresh the custom attributes in the Oracle Access Governance schema so that the latest custom attributes are included in the next data load.

You can use these attributes in Oracle Access Governance to perform various functions, such as running access reviews campaigns, choosing identities for identity collections, or applying attribute conditions to enable/disable the available identity data set.

To understand this better, let's look at a couple of examples:
  • While creating a campaign, a Campaign Administrator selects custom attributes - Cost Center and Department ID to further refine the campaign selection criteria to run access review campaigns.
  • While creating an identity collection, an Administrator can apply membership rules using the core and custom attributes. For instance, to create a senior management list of employees for the Accounting organization, create an identity collection to include employees where the Job Level is Director and above, and the Organization is Accounting.
Custom attributes are governed by certain assumptions and rules. Let's see a few of them:
  • A custom attribute that is encrypted in your schema will not be available in Oracle Access Governance and won't show up on the Identity Attributes page.

View Attributes

As an Administrator, you can view, and search for available core and custom attributes, and determine which Oracle Access Governance features they are enabled for.

Here's how you can view the available custom attributes:
  1. In the Oracle Access Governance Console, from the Navigation menu navigation menu, select Service Administration , and then select Identity Attributes.

    The Identity Attributes page is displayed. You can view the available core and custom attributes, which are displayed on the Core and Custom tabs respectively.

View Attribute Details

You can view the following attribute details:
  • Attribute name: Original attribute name as available in the target system that is connected with Oracle Access Governance.
  • Connected system: Connected system name from which the attribute is populated.
  • Display name: Unique attribute name that will be used within Oracle Access Governance Console for easy identification and usage.
  • Type: Data type of the attribute.

    Note:

    Custom attributes only.
  • Flags indicating where these attributes can been used:
  • Last updated by: Name of the administrator who last modified the settings for that identity attribute.
Use the Edit icon Edit icon to edit the settings for that custom attribute.

Search and Filter Custom Attributes

Use the Search field to locate the required attribute by the attribute name. You can manage a large set of attributes by applying filters based on the following Oracle Access Governance features:
  • Campaign selections: On or Off
  • Event-based: On or Off
  • Manage identities: On or Off
  • Identity details: On or Off

Modify Custom Attribute Settings

You can modify attribute settings to update the connected system from which the attribute is populated, change the display name (custom attributes only), or include/exclude the use of an attribute for certain Oracle Access Governance features.

Perform the following steps on the Identity Attributes page:
  1. Click the Edit Icon icon corresponding to the attribute that you want to modify.
    The dialog you see depends on whether you are editing a core or custom attribute.
    1. Core

      If you have the Core attributes tab selected, you will see the Change core identity attribute settings pop-up window. You can edit the connected system from which the attribute is populated, by selecting the connected system from the drop-down list. If the attribute change proposed has an impact on other attributes, then the list of additional attributes affected will be displayed. An example would be if you update the connected system for the attribute name.firstName. To ensure data integrity, the surname of the identity should come from the same connected system, so a message will be displayed This will also change the connected system for attributes: name.lastName. When you save the change, both attributes will be updated.

    2. Custom

      If you have the Custom attributes tab selected, you will see the Change custom identity attribute settingspop-up window. You can edit the following for custom attributes:

      • Connected system: The connected system from which the attribute is populated
      • Display name: This unique name will be used across Oracle Access Governance for this custom attribute.
      • Feature: Select the check box corresponding to the Oracle Access Governance features where you want to use this custom attribute. The available options are:
        • Include in identity details

          Note:

          You can select up to 250 attributes for this feature.
        • Include in event based access reviews
        • Include in campaign selections
        • Include in manage identities
  2. Once you have selected your preferences, click Apply. Click Cancel to discard your changes.

Fetch Latest Custom Attributes

If you don't see the latest custom attributes in the list, click the Fetch attributes button.

This action will run the schema discovery on the connected system, and fetch the latest schema objects to get the updated list of custom attributes. If new custom attributes are available, then the schema discovery process may take a couple of minutes to complete, and show the updated list of custom attributes.

Note:

If you have an encrypted attribute in your schema, then this process won't fetch and show up that encrypted attribute on this page.

Whenever a new custom attribute is added, you first need to enable that attribute for the features where you want to use it.

Note:

This action won't ingest the attribute data from the connected system but will just load the schema objects. To fetch and use the attributes' data, you either have to wait for the next upcoming scheduled data sync operation or manually run the data load operation. See the Manage the Connected System topic.