Manage Identity Attributes

Identity attributes are properties of an identity, such as name, location, job code, organization name, and so on. After you integrate authoritative source systems, Oracle Access Governance internally constructs a composite identity profile that contains Core and Custom attributes.

Oracle Access Governance supports the following attribute types:
  • Core attributes: Fixed, standardized identity attributes recognized by the Oracle Access Governance schema, mandatory for performing access management and review operations.
  • Custom attributes: Additional non-standard identity attributes defined based on business needs beyond the standard set. For example, you may have a core attribute Location, while additional custom attributes, such as Area, City, or Zip Code, must be configured to support your business needs.

This composite identity profile can contain identity attributes from various Authoritative sources that you have integrated. This composite identity profile acts as a source of truth for Oracle Access Governance to perform various governance and provisioning operations.

Overview

Oracle Access Governance automatically fetches core and custom identity attributes defined in an Orchestrated System. Details of attributes are automatically loaded into Oracle Access Governance when data is ingested from an Orchestrated System. You can use these attributes in Oracle Access Governance to perform various functions, such as running access review campaigns, choosing identities for identity collections, or applying attribute conditions to enable/disable the available identity data set.

If you have defined custom attributes in your Orchestrated System, you can refresh the Oracle Access Governance schema after the initial data load to load the latest custom attributes.

To understand this better, let's look at a couple of examples:
  • While creating a campaign, a Campaign Administrator selects the custom attributes Cost Center and Department ID to further refine the selection criteria for running access review campaigns.
  • While creating an identity collection, an Administrator can apply membership rules using the core and custom attributes. For instance, to create a senior management list of employees for the Accounting organization, create an identity collection to include employees where the Job Level is Director and above, and the Organization is Accounting.

Requirements and Rules for Managing Identity Attributes

Identity attributes are governed by certain requirements and rules. Let's see a few of them:
  • A custom attribute that is encrypted in your schema will not be available in Oracle Access Governance and won't show up on the Identity Attributes page.
  • You can choose to use the custom attribute value directly or modify the value of the attribute by applying transformation rules. For example, concatenating employee number with first name to set a display name.
  • You cannot edit the default feature selections for core attributes.
  • If you change a nested attribute (<parent>.<child>), then a list of additional dependent attributes that will be affected is displayed. For example, suppose you update the orchestrated system for the attribute name.firstName. To ensure data integrity, the surname of the identity should come from the same Orchestrated System, so the message "This will also change the orchestrated system for attributes: name.lastName" is displayed. When you save the change, both attributes will be updated.
  • For an Oracle Cloud Infrastructure (OCI) orchestrated system, an additional option is displayed, Which domain?. If you have multiple domains in your OCI tenancy, select an appropriate OCI Identity and Access Management domain to use as the source of truth for your identities. If you have already run a dataload from your OCI Orchestrated System, you can select from a list of available domains ingested from the OCI system. If the dataload has not been run, you can enter the domain name using free text.
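
The nested-attribute and encrypted-attribute rules above can be modeled as follows. This is an added illustration, not Oracle Access Governance code or its API: the source names, the sample records, and every function name are assumptions made for the example.

```python
# Illustrative model only: names and data shapes are assumptions, not product APIs.
from collections import defaultdict

# Constructed sample records for one identity held in two authoritative sources.
SOURCES = {
    "HRMS": {"name.firstName": "Dana", "name.lastName": "Okafor",
             "location": "Austin", "costCenter": "CC-410"},
    "OCI": {"name.firstName": "D.", "name.lastName": "Okafor-Lee",
            "location": "US-TX", "badgeSecret": "<encrypted>"},
}
ENCRYPTED = {"badgeSecret"}  # encrypted custom attributes are never surfaced


def siblings(attr, mapping):
    """Other nested attributes that share attr's <parent>. prefix."""
    if "." not in attr:
        return []
    parent = attr.split(".", 1)[0] + "."
    return sorted(a for a in mapping if a.startswith(parent) and a != attr)


def set_source(mapping, attr, source):
    """Change the source of attr; nested siblings move with it. Returns them."""
    if attr in ENCRYPTED:
        raise ValueError(f"{attr} is encrypted and not available")
    affected = siblings(attr, mapping)
    for a in [attr, *affected]:
        mapping[a] = source
    return affected


def build_profile(mapping):
    """Compose one profile, taking each attribute from its configured source."""
    return {a: SOURCES[s].get(a) for a, s in mapping.items() if a not in ENCRYPTED}


def mixed_parents(mapping):
    """Nested parents whose children are fed by more than one source."""
    seen = defaultdict(set)
    for a, s in mapping.items():
        if "." in a:
            seen[a.split(".", 1)[0]].add(s)
    return sorted(p for p, srcs in seen.items() if len(srcs) > 1)
```

Without the sibling propagation in `set_source`, the composite profile would pair "D." from one source with "Okafor" from the other, which is the mismatch `mixed_parents` detects.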

View Attributes

As an Administrator, you can view and search for available core and custom identity attributes, and manage the enabled Oracle Access Governance features for these attributes.

Here's how you can view the available custom attributes:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration, and then select Identity Attributes.

    The Identity Attributes page is displayed. You can view the available core and custom attributes, which are displayed on the Core and Custom tabs respectively.

View Attribute Details

You can view the following attribute details:

Search and Filter Custom Attributes

Use the Search field to locate the required attribute by the attribute name. You can manage a large set of attributes by applying filters based on the suggested filters. For example, selecting Identity details On will display all the attributes for which the Identity details flag is enabled.

On the top-right side of the page, select an orchestrated system to see attributes specific to that orchestrated system. If you select No system available, then you'll see a list of attributes not associated with any active orchestrated system.

Manage Core Attribute Settings

You can modify core attribute settings in a number of ways, including updating the Orchestrated System from which the attribute is populated, and applying data transformation rules to modify the incoming attribute value. You cannot change the default feature selections for core attributes.

To modify core attribute settings, perform the following steps on the Identity Attributes page:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration.
  2. From the Core tab, click the Edit icon corresponding to the core attribute that you want to modify.
    The identity attribute fields are displayed in editable mode, letting you update attributes in a single edit operation.
  3. To update which Orchestrated System should be used to populate the attribute, select an appropriate Orchestrated System from the Which orchestrated system? list.

    For an Oracle Cloud Infrastructure (OCI) orchestrated system, an additional option is displayed, Which domain?. If you have multiple domains in your OCI tenancy, select an appropriate OCI Identity and Access Management domain to use as the source of truth for your identities.

  4. Use the attribute value directly, or add a rule to apply inbound data transformation:
    1. In Populated, select the Change link.
    2. To use the attribute value as-is with no data transformation, select Use the <attributename> value directly. This action displays the value Directly in the Populated field.
    3. To apply rules, select Build a rule around the <attributename>.
    4. Enter the rule and click Validate to check your syntax. For further details on syntax refer to Data Transformation for Inbound and Outbound Rules. You cannot apply rules to nested attributes (<parent>.<child>).
    5. Click Apply. This action displays the value By rule in the Populated field.
  5. After performing your edits, click the Apply (tick) icon. This preserves your changes. You can continue editing other attributes following the same process. The Last updated by column for the attributes that have been updated will display Modified.
  6. Click Save to apply your changes and update all the attributes at once.
    The Last updated by column displays the name of the administrator who performed the most recent update.

Manage Custom Attribute Settings

You can modify custom attribute settings in a number of ways, including updating the Orchestrated System from which the attribute is populated, modifying the display name, applying rules to perform data transformations on the inbound value, and including/excluding the use of the attribute for certain Oracle Access Governance features.

To modify custom attribute settings, perform the following steps on the Identity Attributes page:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration.
  2. From the Custom tab, click the Edit icon corresponding to the custom attribute that you want to modify.
    The identity attribute fields are displayed in editable mode, letting you update all the attributes in a single edit operation.
  3. To update the display name, in the What is the display name? field, set the display name for the attribute selected.
  4. To update which Orchestrated System should be used to populate the attribute, select an appropriate Orchestrated System from the Which orchestrated system? list.

    For an Oracle Cloud Infrastructure (OCI) orchestrated system, an additional option is displayed, Which domain?. If you have multiple domains in your OCI tenancy, select an appropriate OCI Identity and Access Management domain to use as the source of truth for your identities.

  5. Use the attribute value directly, or add a rule to apply inbound data transformation:
    1. Select the Change link.
    2. To use the attribute value as-is with no data transformation, select Use the <attributename> value directly.
    3. To apply rules, select Build a rule around the <attributename>.
    4. Enter the rule and click Validate to check your syntax. For further details on syntax refer to Data Transformation for Inbound and Outbound Rules. You cannot apply rules to nested attributes (<parent>.<child>).
  6. Select or clear the appropriate feature check box to include or exclude the attribute from the feature. For example, include Cost center while setting up campaigns.
  7. After performing your edits, click the Apply (tick) icon. This preserves your changes. You can continue editing other attributes following the same process. The Last updated by column for the attributes that have been updated will display Modified.
  8. Click Save to apply your changes and update all the attributes at once.
    The Last updated by column displays the name of the administrator who performed the most recent update.

Fetch Latest Custom Attributes

If you don't see the latest custom attributes in the list, click the Fetch attributes button.

This action runs schema discovery on the orchestrated system and fetches the latest schema objects to get the updated list of custom attributes. If new custom attributes are available, the schema discovery process may take a couple of minutes to complete and show the updated list of custom attributes.

Note:

If you have an encrypted attribute in your schema, then this process won't fetch that encrypted attribute or show it on this page.

Whenever a new custom attribute is added, you first need to enable that attribute for the features where you want to use it.

Note:

This action won't ingest the attribute data from the orchestrated system; it only loads the schema objects. To fetch and use the attributes' data, you either have to wait for the next scheduled data sync operation or manually run the data load operation. See the Configure Settings for an Orchestrated System topic.