Supported formats and special processing of attributes

IBM Verify Identity Governance provides special processing for manager and secretary attributes, and for the erRoles attribute.

Supported formats and special processing for manager and secretary attributes

The manager and secretary attributes refer to another person entry within IBM Verify Identity Governance.

Note: The Windows Server Active Directory identity feed maps the Windows Server Active Directory assistant attribute to the secretary attribute.

Internally, IBM Verify Identity Governance uses a special format for the Distinguished Name (DN) of person directory entries. That format is inconvenient and difficult to specify in identity feed data, so the identity feed code accepts these attributes in more convenient formats. IBM Verify Identity Governance supports three formats for the values:

  • A search filter (containing an equal (=) operator, but not erglobalid) that is a comma-separated list of attribute=value pairs.
  • A simple name (not containing an equal (=) operator), which is assumed to be the value of the naming attribute for the person object class (that is, cn).
  • A full IBM Verify Identity Governance DN (containing an equal (=) operator and erglobalid). The expression must exactly match the IBM Verify Identity Governance LDAP DN of one of the currently defined person objects.

For the first two cases, IBM Verify Identity Governance converts the value to an LDAP search filter. The process does a subtree search of the organization to find a unique matching person. If the search returns zero matches, or more than one match, then the value is considered invalid, and is removed from the list. A suitable warning message is written to the IBM Verify Identity Governance log.
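The following Python is an added illustration, not code from IBM Verify Identity Governance: it models the three value formats and the uniqueness rule described above against a small constructed directory. The sample person entries, the DN layout, and the function names are assumptions made for the example.

```python
import logging
import re
log = logging.getLogger("identity_feed")

# Constructed sample person entries standing in for the directory (illustrative DNs only)
PEOPLE = [
    {"dn": "erglobalid=1001,ou=0,ou=people,erglobalid=0,ou=acme,dc=com", "cn": "Jane Doe", "uid": "jdoe", "ou": "Finance"},
    {"dn": "erglobalid=1002,ou=0,ou=people,erglobalid=0,ou=acme,dc=com", "cn": "John Smith", "uid": "jsmith", "ou": "Finance"},
    {"dn": "erglobalid=1003,ou=0,ou=people,erglobalid=0,ou=acme,dc=com", "cn": "John Smith", "uid": "jsmith2", "ou": "Sales"},
]

def escape_filter_value(text):
    # RFC 4515 escaping, so feed data cannot change the filter's structure
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in text)

def classify(value):
    # The three documented formats: simple name, search filter, full DN
    if "=" not in value:
        return "name"
    if re.search(r"(^|,)\s*erglobalid=", value, re.IGNORECASE):
        return "dn"
    return "filter"

def to_pairs(value):
    # attribute=value pairs for the subtree search; a simple name means cn
    if classify(value) == "name":
        return [("cn", value)]
    return [(a.strip(), v.strip()) for a, _, v in (i.partition("=") for i in value.split(","))]

def to_search_filter(value):
    # The LDAP filter the first two formats are converted to
    pairs = to_pairs(value)
    parts = "".join("(%s=%s)" % (a, escape_filter_value(v)) for a, v in pairs)
    return parts if len(pairs) == 1 else "(&%s)" % parts

def resolve(value, people=PEOPLE):
    # Return the person DN a value refers to, or None if the value is invalid
    if classify(value) == "dn":
        return next((p["dn"] for p in people if p["dn"].lower() == value.lower()), None)
    pairs = to_pairs(value)
    hits = [p["dn"] for p in people
            if all(p.get(a, "").lower() == v.lower() for a, v in pairs)]
    if len(hits) != 1:  # zero or more than one match: invalid, warn and drop
        log.warning("%r matched %d people; value removed", value, len(hits))
        return None
    return hits[0]

def process_reference_values(values, people=PEOPLE):
    # Keep only the values that resolve to exactly one person
    return [dn for dn in (resolve(v, people) for v in values) if dn]
```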

A potential issue can occur with both the manager and secretary attributes if they reference a person who is also defined in the same feed. In this case, it is possible that when the attribute value is processed as above, the person that it references has not yet been created. This issue can occur even if the manager or secretary person is defined earlier in the identity feed file. The cause is the multithreaded, asynchronous processing that IBM Verify Identity Governance performs during an identity feed. This situation results in the attribute being deleted from the person, because the attribute references an invalid person. A warning is written to the logs.

There are two solutions to this reference dependency issue. First, run the identity feed a second time, after all processing completes from the first run. This second feed is much faster, because only changed entries cause any significant processing during the feed. Alternatively, define these people (managers and secretaries) in a separate identity feed file. Run that identity feed first, then run the main feed after the first feed fully completes. This separate, first feed might also contain entries that reference managers that are defined in the same feed. You might need to run the separate, first feed twice, or split the feed again.

Asynchronous workflow activities to create or modify people might still be running, even after the identity feed status seems to be complete. In this case, you must wait for an additional interval of time after the first feed seems to be complete, before submitting the second feed.

Supported formats and special processing for erRoles attribute values

The erRoles attribute is used to specify the list of roles to which a person belongs. In IBM Verify Identity Governance, groups are equivalent to the roles that the product provides. IBM Verify Identity Governance uses the erRoles attribute to specify the groups to which a user belongs. For example, specifying an identity feed attribute erRoles with a value of Help Desk Assistant causes the user to belong to the Help Desk Assistant group. The erRoles attribute can be multi-valued.

These formats are supported:
  • A simple name (not containing an equals (=) operator), which is assumed to be the value of the erRoleName attribute. IBM Verify Identity Governance does a subtree search to find a unique matching static role. The name is not valid if zero roles or more than one role match.
  • A full IBM Verify Identity Governance DN, which must exactly match the IBM Verify Identity Governance LDAP DN of one of the currently defined static roles.

Any invalid value is removed from the value list. If this results in zero remaining values, the attribute is removed from the attribute list. A suitable warning message is written to the log.