Attributes in an identity feed that are not in a schema
You can include some attributes in an identity feed that are not contained in the identity feed object class (organizationalPerson for Windows Server Active Directory; inetOrgPerson for IBM Verify Identity Governance). For example, the erRoles attribute determines a user's membership in an IBM Verify Identity Governance group. The erRoles attribute is not in either the organizationalPerson or the inetOrgPerson schema. Based on the value of the erRoles attribute in an initial identity feed, a user might become a member of a customized group. The user might also become a member of a default Help Desk Assistant group.
A repeated identity feed might not contain a value for an attribute that was previously specified for the user, for both organizationalPerson and inetOrgPerson schemas. The identity feed process deletes that attribute for the IBM Verify Identity Governance user.
If the incoming identity record for a user initially indicates membership in a customized group, Identity Manager includes the user as a member of both the customized group and the default group of the same category. Identity Manager interprets a subsequent identity feed that includes the same user as a modification of the existing Identity Manager user. If the subsequent identity feed specifies that the user has membership only in the customized group, and not also in the default group of the same category, the user is removed from membership in the default group. To avoid this problem, ensure that both initial and subsequent identity feeds specify that a user has membership in both a customized and the default group of the same category.
For the Windows Server Active Directory feed, this problem also occurs for any inetOrgPerson attribute that is not also contained in the organizationalPerson schema. For an inetOrgPerson identity feed, the problem occurs for any inetOrgPerson attribute that is not supported by the identity feed.
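A pre-flight check for a repeated feed, as an added example that is not part of the product or of the original page: it compares each user's current attributes with the incoming record and lists the attributes and erRoles values that the feed would delete. The record layout (a dict per user), the user IDs, and the role name "Custom Help Desk" are constructed assumptions; how you export the current attributes depends on your deployment.

```python
"""Pre-flight check for a repeated identity feed (added example, not product code)."""

# Multi-valued attributes are compared value by value; erRoles is the page's example.
MULTI_VALUED = {"erRoles"}

# Constructed sample data: current user attributes and the next feed's records.
PREVIOUS = {
    "jdoe": {"cn": "Jane Doe", "title": "Analyst",
             "erRoles": ["Custom Help Desk", "Help Desk Assistant"]},
    "bsmith": {"cn": "Bob Smith", "title": "Engineer", "erRoles": ["Help Desk Assistant"]},
}
INCOMING = {
    "jdoe": {"cn": "Jane Doe", "erRoles": ["Custom Help Desk"]},
    "bsmith": {"cn": "Bob Smith", "title": "Senior Engineer", "erRoles": ["Help Desk Assistant"]},
}


def _values(record, attr):
    """Return the attribute's values as a set; missing or blank means no values."""
    raw = record.get(attr) or []
    if isinstance(raw, str):
        raw = [raw]
    return {v.strip() for v in raw if v and v.strip()}


def feed_regressions(previous, incoming):
    """List what a repeated feed would delete from users that already exist.

    previous, incoming: dict of user id -> dict of attribute -> str or list of str.
    Returns a sorted list of (user, attribute, lost_values) tuples.
    """
    findings = []
    for user, old in previous.items():
        new = incoming.get(user)
        if new is None:
            continue  # user is not in this feed, so nothing is modified
        for attr in old:
            lost = _values(old, attr) - _values(new, attr)
            # A changed single value is an update, not a deletion; report only
            # attributes that vanish and multi-valued attributes that shrink.
            if lost and (attr in MULTI_VALUED or not _values(new, attr)):
                findings.append((user, attr, tuple(sorted(lost))))
    return sorted(findings)


if __name__ == "__main__":
    for user, attr, lost in feed_regressions(PREVIOUS, INCOMING):
        print(f"{user}: feed would remove {attr} = {', '.join(lost)}")
```

An empty result means the feed repeats every previously supplied attribute, including membership in both the customized and the default group.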