Manage Identity Attributes

Identity attributes are properties of an identity, such as name, location, job code, and organization name. After you integrate authoritative source systems, Oracle Access Governance internally constructs a global identity profile that contains core attributes, custom attributes, and affiliations.

Understanding Construct of Global Identity Profile

Identities in Oracle Access Governance are built from core attributes, custom attributes, and affiliations. After you integrate your authoritative sources, Oracle Access Governance constructs a global identity profile. You can also add your own system-specific attributes to represent complex attributes, or the relationships between attributes.


Identity Attributes in Oracle Access Governance

During the data ingestion process, you can apply inbound transformation and map identity attributes.

Based on the attributes ingested, a global identity profile is constructed. This profile comprises core attributes, custom attributes, and user-defined affiliations. You can also define your own simple or complex system attributes as needed.
  • Core Attributes: Fixed, standardized identity attributes recognized by the Oracle Access Governance schema. They are mandatory for access management and access review operations.
  • Custom Attributes: Additional, non-standard attributes, either simple or complex, created to address business requirements beyond the standard set. You can manage the default system attributes or create new attributes for a particular orchestrated system. A custom attribute is either a system attribute, belonging to a specific orchestrated system, or an AG attribute.
    • System attributes: Identity properties of an integrated orchestrated system. Their values are derived from authoritative sources or computed by a rule. For example, job code, work relationship, and employee status are ingested from authoritative sources and synced regularly.

      Note:

      To manage system attributes, go to the Manage Integrations > Identity Attributes page for the system. See Modify Integration Settings for an Orchestrated System.
    • AG attributes: Created and used exclusively within Oracle Access Governance and never mapped from an authoritative source. Their values are always generated by rules. For example, risk score and Oracle Access Governance status.
  • Affiliations: Rule-based, user-defined constructs that let a single identity have multiple personas (for example, Employee and Contractor), each with distinct data, accounts, and access. Affiliations also expose the child attributes of complex (array) attributes so that those values can be used when running campaigns, creating identity collections, and writing policy rules. Usage flags can be set only on the affiliation-exposed attributes, not on the original array attribute. See Handling Identity Personas with Multiple Affiliations.

You can use these attributes and affiliations across Oracle Access Governance, for example to scope access review campaigns, to select identities for identity collections, or to apply attribute conditions that include or exclude identities from the available identity data set.

Examples:
  • While creating a campaign, a Campaign Administrator selects the custom attributes Cost Center and Department ID to refine the selection criteria for the access review campaign.
  • While creating an identity collection, an Administrator applies membership rules built on core and custom attributes. For instance, to build a senior management list for the Accounting organization, create an identity collection that includes identities whose Job Level is Director or above and whose Organization is Accounting.

View Attributes

You can view and search the core attributes, custom identity attributes, and affiliations that make up the global identity profile.

View the available global identity attributes:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration, and then select Identity Attributes.
    The Identity Attributes page is displayed. It lists the core attributes, custom attributes, and affiliations defined for the global identity profile.

    Note:

    To view and manage the system attributes, go to the Manage integrations page for that orchestrated system. For more details, see Manage Settings for your orchestrated system.

View Attribute Details

You can view the following attribute details:

Search and Filter Custom Attributes

Use the Search field to locate the required attribute by the attribute name. You can manage a large set of attributes by applying filters based on the suggested filters. For example, selecting Identity details On will display all the attributes for which the Identity details flag is enabled.

On the top-right side of the page, select an orchestrated system to see attributes specific to that orchestrated system. If you select No system available, then you'll see a list of attributes not associated with any active orchestrated system.

Create and Manage Custom Attribute Settings

You can create or modify custom attributes, including updating the Orchestrated System from which the attribute is populated, modifying the display name, applying rules to perform data transformations on the inbound value, and including/excluding the use of the attribute for certain Oracle Access Governance features.

  • System attributes: Identity properties of an integrated orchestrated system. Their values are derived from authoritative sources or computed by a rule. For example, job code, work relationship, and employee status are ingested from authoritative sources and synced regularly. See Create System Attribute and Create a Complex Identity Attribute for an Orchestrated System.
  • AG attributes: Created and used exclusively within Oracle Access Governance and never mapped from an authoritative source. Their values are always generated by rules. For example, risk score and Oracle Access Governance status. See Create an Oracle Access Governance Attribute.

Note:

To create system attributes, go to the Manage Integrations > Identity Attributes page for the system. See Modify Integration Settings for an Orchestrated System.
  1. To manage global identity attributes, in the Oracle Access Governance Console, from the navigation menu, select Service Administration, and then select Identity Attributes.

Create System Attribute

Create user-defined simple or complex attributes specific to an orchestrated system. You can source the values of these attributes directly through inbound transformation, or through affiliations.

Custom identity attributes support both simple and complex data types and you can use these attributes to perform various functions, such as running access review campaigns, choosing identities for identity collections, or applying attribute conditions to enable/disable the available identity data set.
You can create two types of attributes:
  • Simple Attributes: Simple attributes use primitive data types such as string, date, integer, Boolean or long. You can configure simple attributes as single valued or multivalued.
  • Complex Attributes: Complex attributes are composed of one or more nested child attributes, represented as arrays. For example, an address attribute with street, city, and postal code as child-attributes.
To create a simple system attribute for an orchestrated system:
  1. From the Oracle Access Governance navigation menu, select Service Administration → Orchestrated Systems.
  2. From the action menu of the orchestrated system you want to configure, select Manage integration. The Manage Integration page for the selected orchestrated system is displayed.
  3. In the Data settings section, select Manage on the Identity attributes tile.
    This tile is available only for orchestrated systems that support authoritative sources.
  4. On the Attributes tab, select + Create a system attribute.
    The Create an identity attribute for this system page is displayed.

Add details

  1. What is the display name?: Enter the display name used for the attribute in the Console.
  2. What is the data type?: Select one of the simple data types.
  3. Click Next.

Value Source

  1. Select the Included in inbound data from the system check box if the attribute's value is derived through an inbound transformation rule. See Data Transformation Rules Reference.
  2. Select the Supports multiple values check box if the attribute is allowed to hold multiple values.
  3. If you entered a transformation rule, click Validate.

    If the rule is valid, a confirmation message is displayed and the rule is marked as validated. If there is an issue with the rule, an error message is displayed and the rule is marked as invalid. You cannot save a rule that is marked as invalid.

Create a Complex Identity Attribute for an Orchestrated System

Create custom complex identity attributes specific to an orchestrated system. Complex attributes are composed of one or more nested child attributes and are represented as arrays. For example, an address attribute with street, city, and postal code as child attributes.

Complex custom attributes, such as jobCode, are represented as arrays on the Manage Identity Attributes page. On its own, the jobCode array cannot be used or referenced until you create an affiliation. Likewise, usage flags can be updated and managed only on the affiliation attributes; you cannot set usage flags directly on a complex, array-type attribute.
To create a complex system attribute for an orchestrated system:
  1. From the Oracle Access Governance navigation menu, select Service Administration → Orchestrated Systems.
  2. From the action menu of the orchestrated system you want to configure, select Manage integration. The Manage Integration page for the selected orchestrated system is displayed.
  3. In the Data settings section, select Manage on the Identity attributes tile.
    This tile is available only for orchestrated systems that support authoritative sources.
  4. On the Attributes tab, select + Create a system attribute.
    The Create an identity attribute for this system page is displayed.

Add details

  1. What is the display name?: Enter the display name used for the attribute in the Console.
  2. What is the data type?: Select Complex.
  3. Which attribute is it uniquely referenced by?: Enter the child attribute that uniquely distinguishes one array entry from another, such as employeeRecord.
  4. Click Next.

Value Source

  1. What is the system attribute name?: Enter the system attribute name for this attribute. For example, jobData.
    Complex attributes are multivalued, and their child attributes can be referenced only after you create affiliations.
  2. Review the information and click Create. The Custom Complex Attribute details page is displayed, where you add child attributes.

Add Child Attribute

  1. Click +Create a child attribute.
  2. Follow the same steps as you do for adding a simple attribute. For more details, see Create System Attribute.
  3. Repeat this process to add additional child attributes.

Create an Oracle Access Governance Attribute

Create an AG attribute that is defined and computed within Oracle Access Governance and is not associated with any orchestrated system. You can use AG attributes in Oracle Access Governance features such as guardrails and identity collections, in mapping rules, and as derived values.

AG attributes are listed under the Internal system.
  1. On the Identity Attributes page, select + Create an AG attribute.
    The Create an AG identity attribute page is displayed.

Add details

  1. What should AG call it?: Enter the attribute name.
  2. What is the display name?: Enter the display name used for the attribute in the Console.
  3. What is the Data type?: Select one of the primitive data types, such as Boolean, long, number, integer, and string.
  4. Click Next.

Add rule

  1. Enter the rule you want to apply to this operation/attribute. For more information, see Data Transformation Rules Reference.
  2. Click Validate.

    If the rule is valid then you will see a confirmation message and the rule will be marked as validated. If there is an issue with the rule, then you will see an error message and the rule will be marked as invalid. You cannot save your rule if it is marked as invalid.

Setup usage

  1. Select the check box for each feature in which the attribute should be available. See View Attribute Details.
  2. Click Next and perform the final review.
  3. Click Create.

Manage Global Identity Attributes

You can modify identity attributes by updating the Orchestrated System from which the attribute is populated, and applying rules to modify the attribute value.

To modify global identity attributes, perform the following steps on the Identity Attributes page:
  1. In the Oracle Access Governance Console, from the navigation menu, select Service Administration, and then select Identity Attributes.
  2. Click the Edit icon corresponding to the attribute that you want to modify.
    The identity attribute fields are displayed in editable mode, letting you update several attributes in a single edit operation.
  3. To change which Orchestrated System populates the attribute, select it from the Which orchestrated system? list.

    For Oracle Cloud Infrastructure (OCI) orchestrated system, an additional option is displayed, Which domain?. If you have multiple domains in your OCI tenancy, select an appropriate OCI Identity and Access Management domain to use as the source of truth for your identities.

  4. Use direct attribute value or add a rule:
    1. In Populated, select the Change link.
    2. For using the attribute value as-is with no data transformation, select Use the <attributename> value directly. This action displays the value Directly in the Populated field.
    3. For applying rules, select Build a rule around the <attributename>.
    4. Enter the rule and click Validate to check your syntax. For further details on syntax refer to Data Transformation for Inbound and Outbound Rules. You cannot apply rules to nested attributes (<parent>.<child>).
    5. Click Apply. This action displays the value By rule in the Populated field.
  5. Select appropriate identity flags to include attributes in the feature.
  6. After performing your edits, click the Apply (tick) icon. This preserves your changes. You can continue editing other attributes following the same process.
  7. Click Save to apply your changes and update all the attributes at once.
    The Last updated by column displays the administrator name who performed the most recent update.

Fetch Latest Custom Attributes

Refreshes the schema objects only and does not ingest data. Run data load or wait for the next data load to populate values. Encrypted attributes are never fetched or displayed.

  1. From the Oracle Access Governance navigation menu, select Service Administration → Orchestrated Systems.
  2. From the action menu of the orchestrated system you want to configure, select Manage integration. The Manage Integration page for the selected orchestrated system is displayed.
  3. In the Data settings section, select Manage on the Identity attributes tile.

    Note:

    This tile is available only for orchestrated systems that support authoritative sources.
  4. Select Fetch attributes and then select Fetch.

Note:

This action won't ingest the attribute data from the orchestrated system but will just load the schema objects. To fetch and use the attributes' data, you either have to wait for the next upcoming scheduled data sync operation or manually run the data load operation. See the Configure Settings for an Orchestrated System topic.

Requirements and Rules for Managing Identity Attributes

Identity attributes are governed by the following requirements and rules:

  • A custom attribute that is encrypted in your schema will not be available in Oracle Access Governance and won't show up on the Identity Attributes page.
  • You can create custom simple and custom complex attributes. Simple attributes are part of global identity profile automatically and custom complex attributes are exposed via affiliations.
  • You can choose to use the custom attribute value directly or modify the value of the attribute by applying transformation rules. For example, concatenating employee number with first name to set a display name.
  • You cannot edit a complex attribute that is defined as an array.
  • If you change a nested attribute (<parent>.<child>), the dependent attributes that are also affected are listed. For example, if you update the orchestrated system for the attribute name.firstName, the identity's surname must come from the same orchestrated system to preserve data integrity, so the message This will also change the orchestrated system for attributes: name.lastName is displayed. When you save the change, both attributes are updated.
  • For Oracle Cloud Infrastructure (OCI) orchestrated system, an additional option is displayed, Which domain?. If you have multiple domains in your OCI tenancy, select an appropriate OCI Identity and Access Management domain to use as the source of truth for your identities. If you have already run a dataload from your OCI Orchestrated System, you can select from a list of available domains ingested from the OCI system. If the dataload has not been run you can enter the domain name using free text.
  • Where a complex custom attribute, such as Job Code, is defined as an array, for example:
    jobCode {
      Attr1,
      Attr2,
    }
    the jobCode array cannot be referenced or used in Oracle Access Governance features on its own; you must create an affiliation. Affiliations expose individual child attributes of a complex attribute by defining corresponding affiliation attributes, and affiliation rules map values from the complex attribute to those affiliation attributes. Usage flags can be updated and managed only on these affiliation attributes, not on the original complex, array-type attribute.
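The rules in this list (array attributes usable only through affiliations, usage flags accepted only on affiliation attributes, encrypted attributes never fetched, a transformation rule that concatenates employee number with first name) and the senior-management identity collection example earlier on this page, modelled together as an added Python example. This is not Oracle Access Governance code and does not use its rule syntax; the source record, the jobCode child names, the numeric DIRECTOR_LEVEL threshold and every function name are constructed for the illustration.

```python
"""Illustrative model of the global identity profile. Added example, not
Oracle Access Governance code; feed, child names and rules are assumptions."""
from dataclasses import dataclass, field

CORE_ATTRIBUTES = {"employeeNumber", "firstName", "lastName", "email"}  # assumed subset
ENCRYPTED_IN_SCHEMA = {"nationalId"}  # encrypted in the source schema: never fetched
DIRECTOR_LEVEL = 6  # assumed numeric job level that means "Director"

# Constructed source record: one person with two work relationships in jobCode.
SOURCE_RECORD = {
    "employeeNumber": "10042",
    "firstName": "Ada",
    "lastName": "Lovelace",
    "email": "ada@example.com",
    "costCenter": "CC-7781",
    "nationalId": "<encrypted>",
    "jobCode": [
        {"employeeRecord": "1", "workRelationship": "Employee",
         "jobLevel": 6, "organization": "Accounting"},
        {"employeeRecord": "2", "workRelationship": "Contractor",
         "jobLevel": 3, "organization": "IT"},
    ],
}


@dataclass
class GlobalIdentityProfile:
    core: dict = field(default_factory=dict)
    custom: dict = field(default_factory=dict)        # simple system attributes
    arrays: dict = field(default_factory=dict)        # complex attributes, opaque
    ag: dict = field(default_factory=dict)            # rule-generated AG attributes
    affiliations: dict = field(default_factory=dict)  # persona -> exposed children
    usage_flags: dict = field(default_factory=dict)   # attribute -> enabled features

    def get(self, name):
        """Resolve an attribute the way a campaign or collection rule would."""
        if name in self.arrays:
            raise ValueError(f"{name} is an array; expose its children via an affiliation")
        for bucket in (self.core, self.custom, self.ag):
            if name in bucket:
                return bucket[name]
        persona, _, child = name.partition(".")
        if child in self.affiliations.get(persona, {}):
            return self.affiliations[persona][child]
        raise KeyError(name)

    def can_reference(self, name):
        try:
            self.get(name)
            return True
        except (ValueError, KeyError):
            return False

    def set_usage_flag(self, name, feature):
        """Usage flags are accepted only on affiliation-exposed attributes."""
        persona, _, child = name.partition(".")
        if child not in self.affiliations.get(persona, {}):
            return False
        self.usage_flags.setdefault(name, set()).add(feature)
        return True


def ingest(record):
    """Build the profile from one source record. The AG attribute displayName
    is computed by rule: employee number concatenated with first name."""
    profile = GlobalIdentityProfile()
    for name, value in record.items():
        if name in ENCRYPTED_IN_SCHEMA:
            continue                      # never fetched, never displayed
        if isinstance(value, list):
            profile.arrays[name] = value  # complex attribute stays opaque
        elif name in CORE_ATTRIBUTES:
            profile.core[name] = value
        else:
            profile.custom[name] = value
    profile.ag["displayName"] = f"{profile.core['employeeNumber']}-{profile.core['firstName']}"
    return profile


def define_affiliation(profile, persona, array_attr, key, value, children):
    """Affiliation rule: select the one entry whose key == value, expose children."""
    matches = [e for e in profile.arrays[array_attr] if e.get(key) == value]
    if len(matches) != 1:
        raise ValueError(f"affiliation {persona} must match exactly one {array_attr} entry")
    profile.affiliations[persona] = {c: matches[0][c] for c in children}


def is_senior_accounting(profile, persona):
    """Identity collection membership rule from this page: Job Level is
    Director or above and Organization is Accounting, checked per persona."""
    return (profile.get(f"{persona}.jobLevel") >= DIRECTOR_LEVEL
            and profile.get(f"{persona}.organization") == "Accounting")


def build_example():
    profile = ingest(SOURCE_RECORD)
    for persona in ("Employee", "Contractor"):
        define_affiliation(profile, persona, "jobCode",
                           "workRelationship", persona, ["jobLevel", "organization"])
    return profile


if __name__ == "__main__":
    print(build_example().affiliations)
```

Note that the same person is a member of the senior accounting collection through the Employee persona but not through the Contractor persona, which is why the page insists that campaign and collection rules reference `<persona>.<child>` affiliation attributes rather than the jobCode array itself.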