Complete this task to discover attributes from a target system, import the attribute
names, and map them to permissions in the Access Governance Core
module.
Before you begin
This task applies to any schema that is integrated with Identity Governance and Intelligence. The schema is registered when the target
is created, whether the target is external or whether it is created by importing a profile with the
Target Administration Console.
For more information, see the following topics:
About this task
You can map attributes to permissions either individually or by importing the attributes from the
target system. This task provides steps for discovering the attributes from a target system,
importing them, and then mapping them to the permissions in the Identity Governance and Intelligence data model.
Note: Attribute values are not discovered and imported from the target. You must manually map each
attribute value to a corresponding rights value.
Procedure
-
Log in to the Administration Console.
-
Click Access Governance Core.
-
Select .
-
In the Account Configuration pane, select an account.
- Optional:
In the Attribute-to-Permission Mapping tab, click Filter
to toggle the filter on, or click Hide Filter to toggle the filter off. When
the filter is visible, you can specify search criteria and then click
Search.
-
In the Attribute-to-Permission Mapping tab, select .
The Discover Attributes from Target page is displayed.
-
On the Discover Attributes from Target page, select the attributes that
you want to import from the target system, and then click Import.
The attributes are added to the table on the Attribute-to-Permission Mapping tab. Initially, the permission name and
the attribute name are the same for each imported attribute.
-
To configure the mapping for each attribute, select the attribute and then select .
The Edit Attribute Mapping page is displayed.
-
On the Edit Attribute Mapping page, complete these fields:
- Attribute name
- This field is read-only. It shows the attribute name from the target system.
- Permission name
- Type the permission name that you want for Identity Governance and Intelligence.
Depending on the type of attribute, whether
boolean or
string, you need to complete different fields.
Option |
Description |
For boolean attribute types, complete these additional
fields |
- Required
- This field is always selected for boolean attribute types.
- Multi-value
- This field is never selected for boolean attribute types.
- Value if user has this permission
- Provide a value for when the user has this permission. For example,
yes.
- Value if user does not have this permission
- Provide a value for when the user has this permission. For example,
no.
|
For string attribute types, complete these additional fields to map
attribute values to rights values |
- Required
- Select this field to specify that the attribute is required. If an attribute is required on the
target system, it must also be required in Identity Governance and Intelligence.
- Multi-value
- Select this field to specify that the attribute has multiple values. Clear this field to specify
that the attribute has a single value. If this attribute is not multi-value on the target system,
then it cannot be multi-value in Identity Governance and Intelligence.
- Attribute Value
- Provide the name of the attribute value from the target system.
- Rights Value
- Provide the name of the rights value from the Identity Governance and Intelligence data model.
- Active
- If the value is active, select this check box. More than one value can be active.
- Default
- Select this option to specify the default attribute value. Only one value can be the default. If
this attribute is required, a default value must be selected. Inactive values cannot be specified as
the default.
To remove a value from this attribute, click the trash icon that is next to the value. If any
users have a permission with this value, removing a value might cause errors.
To add more values to this attribute, click Add Value.
|
-
Click Save.
The mapping for the attribute and permission is added to the table on the Attribute-to-Permission Mapping tab.
What to do next
On subsequent discoveries from the same target system, the attributes that are already
mapped are displayed in read-only mode on the Discover Attributes from Target
page. If you want to remove mappings, go to the Attribute-to-Permission Mapping tab and select .