Manage Identity Attributes

Identity attributes refer to properties of an identity, such as name, location, or organization name.

Oracle Access Governance supports the following attribute types:
  • Core attributes: Fixed standardized identity attributes which are included in campaigns and access reviews by default.
  • Custom attributes: Non-standard identity attributes that are onboarded from specific Orchestrated Systems once they are connected, but are not included in campaigns and access reviews unless required. For example, you may have a core attribute Location, which is included in campaigns and access reviews by default, while additional custom attributes, such as Area, City, or Zip Code, must be configured to support your business needs.

Overview

Oracle Access Governance automatically fetches core and custom attributes defined in an Orchestrated System. Details of attributes are automatically loaded into Oracle Access Governance when data is ingested from an Orchestrated System. If you create further custom attributes after the initial data load, you can refresh the Oracle Access Governance schema so that the latest custom attributes are included in the next data load.

You can use these attributes in Oracle Access Governance to perform various functions, such as running access review campaigns, choosing identities for identity collections, or applying attribute conditions to enable/disable the available identity data set.

To understand this better, let's look at a couple of examples:
  • While creating a campaign, a Campaign Administrator selects the custom attributes Cost Center and Department ID to further refine the campaign selection criteria for running access review campaigns.
  • While creating an identity collection, an Administrator can apply membership rules using the core and custom attributes. For instance, to create a senior management list of employees for the Accounting organization, create an identity collection to include employees where the Job Level is Director and above, and the Organization is Accounting.

Custom attributes are governed by certain assumptions and rules. Let's see a few of them:
  • A custom attribute that is encrypted in your schema will not be available in Oracle Access Governance and won't show up on the Identity Attributes page.

View Attributes

As an Administrator, you can view and search for available core and custom attributes, and determine which Oracle Access Governance features they are enabled for.

Here's how you can view the available custom attributes:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration, and then select Identity Attributes.

    The Identity Attributes page is displayed. You can view the available core and custom attributes, which are displayed on the Core and Custom tabs respectively.

View Attribute Details

You can view the following attribute details:
  • Attribute name: Original attribute name as available in the Orchestrated System that is connected with Oracle Access Governance.
  • Orchestrated system: Orchestrated system name from which the attribute is populated.
  • Display name: Unique attribute name that will be used within Oracle Access Governance Console for easy identification and usage.
  • Type: Data type of the attribute.
  • Flags indicating where these attributes can be used:
  • Last updated by: Name of the administrator who last modified the settings for that identity attribute.

Search and Filter Custom Attributes

Use the Search field to locate the required attribute by the attribute name. You can manage a large set of attributes by applying filters based on the following Oracle Access Governance features:
  • Campaign selections: On or Off
  • Event-based: On or Off
  • Manage identities: On or Off
  • Identity details: On or Off

Manage Core Attribute Settings

You can modify core attribute settings in a number of ways, including updating the Orchestrated System from which the attribute is populated, and applying rules to the attribute allowing you to perform data transformations on the inbound value.

To modify core attribute settings perform the following steps on the Identity Attributes page:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration.
  2. From the Core tab, click the Edit icon corresponding to the core attribute that you want to modify.
    You will be navigated to the Edit core attribute <attributename> train which guides you through the settings you can update.
  3. On the Add details step you can update which Orchestrated System should be used to populate the attribute.

    If the attribute selected is a nested attribute (<parent>.<child>) and the proposed change has an impact on other attributes, then the list of additional attributes affected will be displayed. An example would be if you update the orchestrated system for the attribute name.firstName. To ensure data integrity, the surname of the identity should come from the same Orchestrated System, so the following message will be displayed: "This will also change the orchestrated system for attributes: name.lastName". When you save the change, both attributes will be updated.

    If the Orchestrated System selected is an Oracle Cloud Infrastructure (OCI) system, an additional option is displayed: Which domain?. If you have multiple domains in your OCI tenancy, this allows you to specify which OCI Identity and Access Management domain to use as the source of truth for your identities. If you have already run a data load from your OCI Orchestrated System, you can select from a list of available domains ingested from the OCI system. If the data load has not been run, you can enter the domain name using free text.

    Select the required Orchestrated System name from the drop-down list, and click Next.

  4. On the Add rule step you can elect to apply inbound data transformation rules, allowing you to modify the value of the attribute, for example concatenating employee number with first name to set a display name. Select one option from the following:
    1. Use the <attributename> value directly: Use the incoming attribute value as-is with no data transformation.
    2. Build a rule around the <attributename>: Add an inbound data transformation rule to modify the incoming attribute value as required. Enter the rule and click Validate to check your syntax. For further details on syntax refer to Data Transformation Rules Reference.
    3. When your configuration is complete, click Next to proceed to the next step.

    Note:

    The Add rule step does not apply to nested attributes (<parent>.<child>).
  5. On the Setup usage step you can view how the attribute is used in Oracle Access Governance. Editing the default selections for core attributes is not currently supported.
    The available options are:
    • Include in identity details

      Note:

      You can select up to 250 attributes for this feature.
    • Include in campaign selections
    • Include in event based access reviews
    • Include in manage identities
  6. On the Review and submit step your selections are displayed. Click Update to save your settings, or Cancel to discard the changes.

Manage Custom Attribute Settings

You can modify custom attribute settings in a number of ways, including updating the Orchestrated System from which the attribute is populated, applying rules to the attribute allowing you to perform data transformations on the inbound value, and including/excluding the use of the attribute for certain Oracle Access Governance features.

To modify custom attribute settings perform the following steps on the Identity Attributes page:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration.
  2. From the Custom tab, click the Edit icon corresponding to the custom attribute that you want to modify.
    You will be navigated to the Edit custom attribute <attributename> train which guides you through the settings you can update.
  3. On the Add details step you can update which Orchestrated System should be used to populate the attribute. You can also set the display name for the attribute selected.

    If the Orchestrated System selected is an Oracle Cloud Infrastructure (OCI) system, an additional option is displayed: Which domain?. If you have multiple domains in your OCI tenancy, this allows you to specify which OCI Identity and Access Management domain to use as the source of truth for your identities. If you have already run a data load from your OCI Orchestrated System, you can select from a list of available domains ingested from the OCI system. If the data load has not been run, you can enter the domain name using free text.

    Select the required Orchestrated System name from the drop-down list, set the domain name and display name, and click Next.

  4. On the Add details step you can update the display name for the attribute selected. For custom attributes you cannot update the Orchestrated System from which the attribute is populated. Update the display name if required, and click Next.
  5. On the Add rule step you can elect to apply inbound data transformation rules, allowing you to modify the value of the attribute, for example concatenating employee number with first name to set a display name. Select one option from the following:
    1. Use the <attributename> value directly: Use the incoming attribute value as-is with no data transformation.
    2. Build a rule around the <attributename>: Add an inbound data transformation rule to modify the incoming attribute value as required. Enter the rule and click Validate to check your syntax. For further details on syntax refer to Data Transformation Rules Reference.
    3. When your configuration is complete, click Next to proceed to the next step.

    Note:

    The Add rule step does not apply to nested attributes (<parent>.<child>).
  6. On the Setup usage step you can view how the attribute is used in Oracle Access Governance. You can also edit the default selections for custom attributes.
    The available options are:
    • Include in identity details

      Note:

      You can select up to 250 attributes for this feature.
    • Include in campaign selections
    • Include in event based access reviews
    • Include in manage identities

    Once your settings are complete, click Next.

  7. On the Review and submit step your selections are displayed. Click Update to save your settings, or Cancel to discard the changes.

Fetch Latest Custom Attributes

If you don't see the latest custom attributes in the list, click the Fetch attributes button.

This action will run the schema discovery on the orchestrated system, and fetch the latest schema objects to get the updated list of custom attributes. If new custom attributes are available, then the schema discovery process may take a couple of minutes to complete, and show the updated list of custom attributes.

Note:

If you have an encrypted attribute in your schema, then this process won't fetch that encrypted attribute or show it on this page.

Whenever a new custom attribute is added, you first need to enable that attribute for the features where you want to use it.

Note:

This action won't ingest the attribute data from the orchestrated system; it only loads the schema objects. To fetch and use the attributes' data, you either have to wait for the next scheduled data sync operation or manually run the data load operation. See the Configure Settings for an Orchestrated System topic.