Supported formats and special processing of attributes
IBM Verify Identity Governance provides special processing for the manager and secretary attributes, and for the erRoles attribute.
Supported formats and special processing for manager and secretary attributes
The manager and secretary attributes refer to another person entry within IBM Verify Identity Governance.
Internally, IBM Verify Identity Governance uses a special format for the Distinguished Name (DN) of person directory entries. That format is inconvenient and difficult to specify in identity feed data, so the identity feed code also accepts these attributes in more convenient formats. IBM Verify Identity Governance supports three formats for the values:
- A search filter (containing an equal (=) operator, but not erglobalid) that is a comma-separated list of attribute=value pairs.
- A simple name (not containing an equal (=) operator), which is assumed to be the value of the naming attribute for the person object class (that is, cn).
- A full IBM Verify Identity Governance DN (containing an equal (=) operator and erglobalid). The expression must exactly match the IBM Verify Identity Governance LDAP DN of one of the currently defined person objects.
For the first two cases, IBM Verify Identity Governance converts the value to an LDAP search filter. The process does a subtree search of the organization to find a unique matching person. If the search returns zero matches, or more than one match, then the value is considered invalid, and is removed from the list. A suitable warning message is written to the IBM Verify Identity Governance log.
A potential issue can occur with both the manager and secretary attributes if they reference a person who is also defined in the same feed. In this case, when the attribute value is processed as described above, the person that it references might not yet have been created. This issue can occur even if the manager or secretary person is defined earlier in the identity feed file, because IBM Verify Identity Governance processes an identity feed with multiple threads and asynchronously. The reference then resolves to no existing person, so the attribute is deleted from the person and a warning is written to the logs.
There are two solutions to this reference dependency issue. First, run the identity feed a second time, after all processing from the first run completes. The second feed is much faster, because only changed entries cause any significant processing during the feed. Alternatively, define these people (managers and secretaries) in a separate identity feed file. Run that identity feed first, then run the main feed after the first feed fully completes. This separate, first feed might itself contain entries that reference managers that are defined in the same feed, so you might need to run the separate, first feed twice, or split the feed again.
Asynchronous workflow activities to create or modify people might still be running, even after the identity feed status seems to be complete. In this case, you must wait for an additional interval of time after the first feed seems to be complete, before submitting the second feed.
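The two workarounds above (run the feed twice, or split the managers and secretaries into a feed that is run first) generalize to ordering the feed into runs so that every referenced person is created by an earlier run. The following is an added example, not IBM Verify Identity Governance code. It models feed entries as dicts with a unique cn and optional manager and secretary simple-name values (the feed file format itself is not modelled, and filter or DN values are not resolved); a reference to a cn that is not in the feed is assumed to be an existing directory entry and is not a dependency. Entries that reference each other cannot be ordered by any split, so the last run they land in must be submitted a second time, as the text advises.

```python
"""Plan identity feed runs so that each referenced manager or secretary
already exists when the entry that references it is processed.

Added example, not product code. Each returned layer is one feed run;
wait for the previous run's asynchronous workflow activities to finish
before submitting the next one.
"""
from typing import Dict, List, Set, Tuple

REFERENCE_ATTRS = ("manager", "secretary")


def plan_feed_runs(entries: List[Dict[str, str]]) -> Tuple[List[List[str]], bool]:
    """Return (layers, repeat_last).

    layers: lists of cn values in the order their feeds should be run.
    repeat_last: True when the final layer holds entries that reference each
    other (for example two people who are each other's secretary); that
    layer must be fed twice because no ordering can satisfy it.
    """
    by_cn = {e["cn"]: e for e in entries}   # assumption: cn is unique within the feed
    # An entry depends on every manager/secretary that is itself defined in this feed.
    deps = {
        cn: {e[a] for a in REFERENCE_ATTRS if a in e and e[a] in by_cn}
        for cn, e in by_cn.items()
    }
    layers: List[List[str]] = []
    placed: Set[str] = set()
    while len(placed) < len(by_cn):
        ready = [cn for cn in by_cn if cn not in placed and deps[cn] <= placed]
        if not ready:
            # Only cyclic references remain: feed them together and run that feed twice.
            layers.append([cn for cn in by_cn if cn not in placed])
            return layers, True
        layers.append(ready)
        placed.update(ready)
    return layers, False


# Constructed sample feed (not real data).
SAMPLE_FEED = [
    {"cn": "Carol Doe", "manager": "Bob Jones", "secretary": "Alice Smith"},
    {"cn": "Bob Jones", "manager": "Alice Smith"},
    {"cn": "Alice Smith"},
    {"cn": "Dan Ray", "manager": "Erin Fox"},    # Erin Fox is not in the feed: resolved from the directory
    {"cn": "Frank Li", "secretary": "Gina Wu"},
    {"cn": "Gina Wu", "secretary": "Frank Li"},  # mutual reference: cannot be ordered
]

if __name__ == "__main__":
    runs, repeat = plan_feed_runs(SAMPLE_FEED)
    for i, names in enumerate(runs, start=1):
        print(f"feed run {i}: {', '.join(names)}")
    if repeat:
        print("the last run references itself; submit it a second time after it completes")
```

For the sample feed this yields four runs: Alice Smith and Dan Ray first, then Bob Jones, then Carol Doe, and finally Frank Li and Gina Wu, whose mutual reference means that last feed has to be run twice. Remember that the feed status showing complete does not guarantee the asynchronous workflow activities have finished, so allow an additional interval between runs.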
Supported formats and special processing for erRoles attribute values
The erRoles attribute is used to specify the list of roles to which a person belongs. Within IBM Verify Identity Governance, groups are equivalent to the roles that the product provides, and IBM Verify Identity Governance uses the erRoles attribute to specify the groups to which a user belongs. For example, specifying an identity feed attribute erRoles with a value of Help Desk Assistant causes the user to belong to the Help Desk Assistant group. The erRoles attribute can be multi-valued. Each value can be specified in one of two formats:
- A simple name (not containing an equal (=) operator), which is assumed to be the value of the erRoleName attribute. IBM Verify Identity Governance does a subtree search to find a unique matching static role. The name is not valid if zero or more than one role is a match.
- A full IBM Verify Identity Governance DN, which must exactly match the IBM Verify Identity Governance LDAP DN of one of the currently defined static roles.
Any invalid value is removed from the value list. If this results in zero remaining values, the attribute is removed from the attribute list. A suitable warning message is written to the log.
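The following added example (not IBM Verify Identity Governance code) models the value processing described in both sections above: each manager or secretary value is classified as a full DN (contains an equal operator and erglobalid), a search filter (contains an equal operator but no erglobalid) or a simple name taken as cn; the first two are converted to an equality filter and a value is kept only when exactly one person matches. erRoles values are either a full DN or an erRoleName matched against static roles. Invalid values are dropped with a warning, and an attribute left with no values is removed. The directory is a constructed in-memory dict, and the DN layout of the sample entries is illustrative only.

```python
"""Resolve manager, secretary and erRoles feed values as the page describes.

Added example, not product code. PERSONS and STATIC_ROLES stand in for a
subtree search of the organization; their DNs are made up for illustration.
"""
import logging
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("identity_feed")
Filter = List[Tuple[str, str]]   # AND of attribute=value equality tests

# Constructed sample person and static-role entries (DN -> attributes).
ALICE_DN = "erglobalid=1001,ou=people,erglobalid=0,ou=acme,dc=example"
BOB1_DN = "erglobalid=1002,ou=people,erglobalid=0,ou=acme,dc=example"
BOB2_DN = "erglobalid=1003,ou=people,erglobalid=0,ou=acme,dc=example"
PERSONS = {
    ALICE_DN: {"cn": "Alice Smith", "uid": "asmith"},
    BOB1_DN: {"cn": "Bob Jones", "uid": "bjones"},
    BOB2_DN: {"cn": "Bob Jones", "uid": "bjones2"},  # same cn as BOB1: the bare name is ambiguous
}
HELPDESK_DN = "erglobalid=2001,ou=roles,erglobalid=0,ou=acme,dc=example"
AUDITOR_DN = "erglobalid=2002,ou=roles,erglobalid=0,ou=acme,dc=example"
STATIC_ROLES = {
    HELPDESK_DN: {"erRoleName": "Help Desk Assistant"},
    AUDITOR_DN: {"erRoleName": "Auditor"},
}


def person_filter(value: str) -> Filter:
    """Convert a simple name or a comma-separated attribute=value list to a filter."""
    if "=" not in value:
        return [("cn", value)]   # simple name: naming attribute of the person object class
    pairs: Filter = []
    for part in value.split(","):
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"malformed search filter: {value!r}")
        pairs.append((attr.strip(), val.strip()))
    return pairs


def ldap_filter_string(pairs: Filter) -> str:
    """Render the equality filter in LDAP filter syntax (used for the log message)."""
    terms = "".join(f"({a}={v})" for a, v in pairs)
    return terms if len(pairs) == 1 else f"(&{terms})"


def search_unique(pairs: Filter, directory: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Subtree search: return the single matching DN, or None when 0 or >1 entries match."""
    matches = [dn for dn, attrs in directory.items() if all(attrs.get(a) == v for a, v in pairs)]
    if len(matches) != 1:
        log.warning("%s matched %d entries; value dropped", ldap_filter_string(pairs), len(matches))
        return None
    return matches[0]


def resolve_person(value: str) -> Optional[str]:
    if "=" in value and "erglobalid" in value.lower():
        return value if value in PERSONS else None   # full DN: exact match only
    try:
        return search_unique(person_filter(value), PERSONS)
    except ValueError as exc:
        log.warning("%s", exc)
        return None


def resolve_role(value: str) -> Optional[str]:
    if "=" in value:
        return value if value in STATIC_ROLES else None   # full DN: exact match only
    return search_unique([("erRoleName", value)], STATIC_ROLES)


def process_entry(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Drop invalid manager/secretary/erRoles values; remove an attribute left empty."""
    resolvers = {"manager": resolve_person, "secretary": resolve_person, "erRoles": resolve_role}
    out: Dict[str, List[str]] = {}
    for attr, values in entry.items():
        resolver = resolvers.get(attr)
        if resolver is None:
            out[attr] = list(values)
            continue
        kept = [dn for dn in (resolver(v) for v in values) if dn is not None]
        if kept:
            out[attr] = kept
        else:
            log.warning("attribute %s has no valid values; attribute removed", attr)
    return out


# Constructed feed entry exercising each format.
SAMPLE_ENTRY = {
    "uid": ["cdoe"],
    "cn": ["Carol Doe"],
    "manager": ["Bob Jones"],      # two persons match: value dropped, attribute removed
    "secretary": ["uid=asmith"],   # search filter: unique match
    "erRoles": ["Help Desk Assistant", "No Such Role", AUDITOR_DN],
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(process_entry(SAMPLE_ENTRY))
```

Processing SAMPLE_ENTRY removes manager entirely (two people are named Bob Jones, so the bare name is ambiguous), resolves secretary to Alice's DN from the uid filter, and keeps two of the three erRoles values. Note that a uniqueness check by name is only as strong as the directory's naming discipline: if a feed can be influenced by an untrusted source, a duplicate cn silently drops a manager reference rather than assigning the wrong one, which is the safer failure but still worth alerting on from the log.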