User entry attributes for default IBM Security Verify Access configurations
By default, the adapter profile enables only IBM Security Verify Access attributes on the account form.
The attribute labels, names, and types are listed in Table 1.
| Name | Attribute name in schema | Schema | Note |
|---|---|---|---|
| User ID | eruid | Directory String | |
| User password | erpassword | Binary | |
| Password Last Changed | eritampwdlastchanged | Directory String | This attribute cannot be modified. |
| Distinguish Name | eritamdn | DN | |
| Full Name | cn | Directory String | |
| Last Name | sn | Directory String | |
| Description | description | Directory String | |
| Max number of failed logon | eritammaxfailedlogon | Integer | |
| Disable time interval | eritamdisabletime | Integer | |
| Max concurrent web sessions | eritameritammaxwebsessions | Integer | |
| Max password age | eritameritammaxpwdage | Integer | |
| Do Not Enforce Password Policy | eritamppolicy | Boolean | |
| Change Password on Next Login | eritampvalid | Boolean | |
| Single Signon Capability | eritamsinglesign | Boolean | |
| Group Membership (multi-value attribute) | eritamgroupname | Directory String | |
| SSO Credentials (multi-value attribute) | eritamcred | Directory String | |
| Date of last access | erlastaccessdate | Directory String | |
| State of the account | eraccountstatus | Integer | |
The IBM Security Verify Access Adapter is designed to work with user entry attributes from object classes that are defined in the IBM Security Verify Access configuration. Typically, for a non-Active Directory configuration, the user entry object classes are inetOrgPerson, organizationalPerson, and Person. For a typical Active Directory configuration, the user entry object class is User.
The adapter schema contains attributes from the inetOrgPerson, organizationalPerson, and Person object classes. These attributes are shown in Table 2.
| Attribute | Attribute | Attribute |
|---|---|---|
| BusinessCategory | homePostalAddress | PreferredLanguage |
| CarLicense | initials | RegisteredAddress |
| HomePhone | L | RoomNumber |
| DepartmentNumber | Secretary | |
| preferreddeliverymethod | manager | UserPassword |
| DestinationIndicator | mobile | St |
| DisplayName | Pager | Street |
| EmployeeNumber | physicalDeliveryOfficeName | TelephoneNumber |
| EmployeeType | postalAddress | teletexTerminalIdentifier |
| FacsimileTelephoneNumber | postalCode | TelexNumber |
| GivenName | postOfficeBox | Title |
The adapter schema also contains attributes from the User object class. Table 3 lists attributes from the User object class only. Some of these attributes have different names in the Identity server schema and the Windows Active Directory schema. The name mapping and attribute descriptions are also shown in this table.
| Windows Active Directory Attribute | IBM® Tivoli® Directory Server Attribute | Description | Note |
|---|---|---|---|
| accountExpires | ntUserAcctExpires | Account expires on AD Account Tab | IBM Security Verify Directory Integrator does the advanced mapping to support this attribute. |
| c | c | Country/region on AD Address Tab | |
| co | co | Country/region on AD Address Tab | |
| company | company | Company on AD User Organization Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| countryCode | countryCode | Country/region on AD Address Tab | |
| department | department | Department on AD User Organization Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| displayName | displayName | Display name on AD General Tab | |
| facsimileTelephoneNumber | facsimileTelephoneNumber | Fax on AD Telephones Tab | |
| homeDirectory | NTUserHomeDir | Home folder: Local path/To on AD Profile Tab | IBM Security Verify Directory Integrator does the advanced mapping to support this attribute. |
| homeDrive | ntUserHomeDirDrive | Home folder: Connect on AD Profile Tab | IBM Security Verify Directory Integrator does the advanced mapping to support this attribute. |
| homePhone | homePhone | Home on AD Telephones Tab | |
| info | info | Notes on AD Telephones Tab | |
| initials | initials | Initials on AD General Tab | |
| ipPhone | ipPhone | IP phone on AD User Telephones Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| l | l | City on AD Address Tab | |
| | | Email on AD General Tab | |
| manager | manager | DN of manager on AD Organization Tab | |
| mobile | mobile | | |
| otherFacsimileTelephoneNumber | otherFacsimileTelephoneNumber | Fax Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| otherHomePhone | otherHomePhone | Home Phone (Others) on AD User Telephones Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| otherIpPhone | otherIpPhone | IP Phone Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| otherMobile | otherMobile | Mobile Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| otherPager | otherPager | Pager Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| otherTelephone | otherTelephone | Phone Number (Others) on AD User General Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| pager | pager | Pager on AD Telephones Tab | |
| physicalDeliveryOfficeName | physicalDeliveryOfficeName | Office on AD General Tab | |
| postalCode | postalCode | Zip/Postal Code on AD Address Tab | |
| postOfficeBox | postOfficeBox | P.O. Box on AD Address Tab | |
| profilePath | profilePath | Profile path on AD User Profile Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| sAMAccountName | sAMAccountName | User logon name (pre-Windows 2000) on AD User Account Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
| scriptPath | ntUserScriptPath | Log on script on AD Profile Tab | IBM Security Verify Directory Integrator does the advanced mapping to support this attribute. |
| st | st | State/province on AD Address Tab | |
| streetAddress | streetAddress | Street on AD Address Tab | |
| telephoneNumber | telephoneNumber | Telephone number on AD General Tab | |
| title | title | Title on AD Organization Tab | |
| url | url | Web Page Address (Others) on AD General Tab | |
| userPrincipalName | userPrincipalName | User logon name on AD Account Tab | |
| userWorkstations | ntUserWorkstations | Log On To/Logon Workstations on AD Account Tab | IBM Security Verify Directory Integrator does the advanced mapping to support this attribute. |
| wWWHomePage | wWWHomePage | Web page on AD User General Tab | To support its management, this attribute is added to the IBM Security Directory Server schema during the importation of the IBM Security Verify Access profile. |
Attributes such as userAccountControl, and non-modifiable attributes such as memberOf and logonHours, are not supported. These attributes have INTEGER8 syntax, which makes them difficult to manage on the account form.
To manage any of the user entry attributes, complete the following steps:

- Manage inetOrgPerson entry attribute:
  - Include the attribute in the targetProfile.json file:
    1. Copy the itamprofile.jar file into a temporary directory.
    2. Extract the contents of the itamprofile.jar file into the temporary directory by running the following command:

       ```
       cd c:\temp
       jar -xvf itamprofile.jar
       ```

       The jar command creates the c:\temp\itamprofile directory.
    3. Open the targetProfile.json file in a text editor. Find the section for 'userExtension'. It looks like this:

       ```json
       "userExtension": {
         "schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:itamaccount:2.0:User",
         "definition": {
           "id": "urn:ibm:idbrokerage:params:scim:schemas:extension:itamaccount:2.0:User",
           "name": "CustomUserExtension",
           "description": "Security adapter view of a user",
           "attributes": [
             {
               "name": "eruid",
               "type": "string",
               "multiValued": false,
               "description": "A identifier used to uniquely identify a user",
               "required": true,
               "caseExact": false,
               "mutability": "immutable",
               "returned": "default",
               "uniqueness": "server",
               "specialFlags": "sys"
             },
       ```

       The attributes section contains an array of attribute definitions. Each definition is separated by a comma. You can add the required attributes to this section. An attribute object contains these fields:

       | Field | Description |
       |---|---|
       | name | Attribute name |
       | type | Data type (string, integer, boolean, binary) |
       | multiValued | True if the attribute can have multiple values |
       | description | Attribute description text |
       | required | True if the attribute is required |
       | caseExact | True if the value is case-sensitive |
       | mutability | Immutable, read, write, read-write |
       | returned | Use "default" |
       | uniqueness | Use "server" |
       | specialFlags | Use "none" |
       | canonicalValues | Optional list of valid values for this attribute, as a JSON array |

       The attribute object is enclosed in braces ({}). Each field has the name in quotes, followed by a colon and the value. Each field is separated by a comma. Below is an example from the ISAM adapter:

       ```json
       {
         "name": "eruid",
         "type": "string",
         "multiValued": false,
         "description": "A identifier used to uniquely identify a user",
         "required": true,
         "caseExact": false,
         "mutability": "immutable",
         "returned": "default",
         "uniqueness": "server",
         "specialFlags": "sys"
       }
       ```
    4. Add the attributes to the account class. For example:

       ```json
       "userExtension": {
         "schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:itamaccount:2.0:User",
         "definition": {
           "id": "urn:ibm:idbrokerage:params:scim:schemas:extension:itamaccount:2.0:User",
           "name": "CustomUserExtension",
           "description": "Security adapter view of a user",
           "attributes": [
             {
               "name": "eruid",
               "type": "string",
               "multiValued": false,
               "description": "A identifier used to uniquely identify a user",
               "required": true,
               "caseExact": false,
               "mutability": "immutable",
               "returned": "default",
               "uniqueness": "server",
               "specialFlags": "sys"
             },
             …
             {
               "name": "givenName",
               "type": "string",
               "multiValued": false,
               "description": "givenName",
               "required": false,
               "caseExact": false,
               "mutability": "readWrite",
               "returned": "default",
               "uniqueness": "none",
               "specialFlags": "none"
             }
           ]
         },
       ```

       Ensure that each attribute definition is separated with a comma. Once the file is updated, verify that the syntax is correct by using one of the available JSON lint sites.
  - Create the profile JAR file and import it into IBM Security Verify Governance.
  - Copy the
  - Discover attributes from a target system by following the steps given in the IBM Security Verify Governance documentation.
- Manage User entry attribute:
  - Include the attribute in the targetProfile.json file.
  - Discover attributes from a target system by following the steps given in the IBM Security Verify Governance documentation.
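The hand-editing and JSON-lint steps above can be scripted so that a broken comma or a misspelled field never reaches the profile JAR. The Python below is an added example, not IBM's code and not part of the adapter: it builds attribute objects with the fields from the table above, validates them against those rules, appends them to the userExtension section (refusing duplicate names), and writes the file back with json.dumps, so the result is well-formed by construction. The extension URN and the "eruid" object are copied from the page; the sample profile text, the givenName attribute, the helper names and the c:\temp\itamprofile\targetProfile.json path are constructed for this example, and the set of accepted mutability values is an assumption based on the table and the page's own JSON.

```python
import json
from pathlib import Path

# Field rules from the page's field table. The mutability set combines the
# names the table lists with the spelling the page's JSON uses ("readWrite");
# treat the exact set as an assumption.
VALID_TYPES = {"string", "integer", "boolean", "binary"}
VALID_MUTABILITY = {"immutable", "read", "write", "readWrite"}
REQUIRED_FIELDS = {
    "name": str, "type": str, "multiValued": bool, "description": str,
    "required": bool, "caseExact": bool, "mutability": str,
    "returned": str, "uniqueness": str, "specialFlags": str,
}

# Constructed stand-in for targetProfile.json: only the userExtension section,
# with the "eruid" definition as it appears on the page.
SAMPLE_PROFILE_JSON = """{
  "userExtension": {
    "schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:itamaccount:2.0:User",
    "definition": {
      "id": "urn:ibm:idbrokerage:params:scim:schemas:extension:itamaccount:2.0:User",
      "name": "CustomUserExtension",
      "description": "Security adapter view of a user",
      "attributes": [
        {"name": "eruid", "type": "string", "multiValued": false,
         "description": "A identifier used to uniquely identify a user",
         "required": true, "caseExact": false, "mutability": "immutable",
         "returned": "default", "uniqueness": "server", "specialFlags": "sys"}
      ]
    }
  }
}"""


def parse_profile(text):
    """json.loads rejects malformed input, so a parse failure is the lint check."""
    return json.loads(text)


def render_profile(profile):
    """json.dumps guarantees well-formed output, commas between definitions included."""
    return json.dumps(profile, indent=2)


def attribute_names(profile):
    return [a["name"] for a in profile["userExtension"]["definition"]["attributes"]]


def make_attribute(name, type_, description, multi_valued=False, required=False,
                   case_exact=False, mutability="readWrite", canonical_values=None):
    """Build an attribute object using the defaults of the page's givenName example."""
    attr = {"name": name, "type": type_, "multiValued": multi_valued,
            "description": description, "required": required, "caseExact": case_exact,
            "mutability": mutability, "returned": "default", "uniqueness": "none",
            "specialFlags": "none"}
    if canonical_values is not None:
        attr["canonicalValues"] = list(canonical_values)
    return attr


def validate_attribute(attr):
    """Return a list of problems with one attribute object; empty means valid."""
    problems = []
    for field, ftype in REQUIRED_FIELDS.items():
        if field not in attr:
            problems.append(f"missing field {field!r}")
        elif not isinstance(attr[field], ftype):
            problems.append(f"field {field!r} must be {ftype.__name__}")
    if problems:
        return problems
    if attr["type"] not in VALID_TYPES:
        problems.append(f"type {attr['type']!r} is not one of {sorted(VALID_TYPES)}")
    if attr["mutability"] not in VALID_MUTABILITY:
        problems.append(f"mutability {attr['mutability']!r} is not recognised")
    if attr["returned"] != "default":
        problems.append('returned must be "default"')
    if attr["uniqueness"] not in {"server", "none"}:
        problems.append('uniqueness must be "server" or "none"')
    if attr["specialFlags"] not in {"none", "sys"}:
        problems.append('specialFlags must be "none" or "sys"')
    if "canonicalValues" in attr and not isinstance(attr["canonicalValues"], list):
        problems.append("canonicalValues must be a JSON array")
    return problems


def add_attributes(profile, new_attrs):
    """Append validated definitions; reject duplicates (LDAP names are case-insensitive)."""
    attributes = profile["userExtension"]["definition"]["attributes"]
    existing = {a["name"].lower() for a in attributes}
    for attr in new_attrs:
        problems = validate_attribute(attr)
        if problems:
            raise ValueError(f"{attr.get('name')!r}: " + "; ".join(problems))
        if attr["name"].lower() in existing:
            raise ValueError(f"attribute {attr['name']!r} is already defined")
        attributes.append(attr)
        existing.add(attr["name"].lower())
    return profile


def update_profile_file(path, new_attrs):
    """Read targetProfile.json, add the attributes, and write it back well-formed."""
    path = Path(path)
    profile = add_attributes(parse_profile(path.read_text(encoding="utf-8")), new_attrs)
    path.write_text(render_profile(profile), encoding="utf-8")
    return profile


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. Against the extracted JAR
    # the call would be update_profile_file(r"c:\temp\itamprofile\targetProfile.json", ...)
    # (assumed location of the file inside the directory the jar command creates).
    profile = parse_profile(SAMPLE_PROFILE_JSON)
    add_attributes(profile, [make_attribute("givenName", "string", "givenName")])
    print(render_profile(profile))
```

Because the file is parsed and re-serialised rather than string-edited, a missing comma or an unquoted field name in the original file fails at parse_profile before anything is written, and the rewritten file always parses, which is the property the JSON lint step is meant to confirm.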