Discovering attributes from a target system

Complete this task to discover attributes from a target system, import the attribute names, and map them to permissions in the Access Governance Core module.

Before you begin

This task applies to any schema that is integrated with Identity Governance and Intelligence. The schema is registered when the target is created, whether the target is external or is created by importing a profile with the Target Administration Console.

About this task

You can map attributes to permissions either individually or by importing the attributes from the target system. This task provides steps for discovering the attributes from a target system, importing them, and then mapping them to the permissions in the Identity Governance and Intelligence data model.

Note: Attribute values are not discovered and imported from the target. You must manually map each attribute value to a corresponding rights value.

Procedure

  1. Log in to the Administration Console.
  2. Click Access Governance Core.
  3. Select Manage > Accounts.
  4. In the Account Configuration pane, select an account.
  5. Optional: In the Attribute-to-Permission Mapping tab, click Filter to toggle the filter on, or click Hide Filter to toggle the filter off. When the filter is visible, you can specify search criteria and then click Search.
  6. In the Attribute-to-Permission Mapping tab, select Actions > Discover account attributes from target.
    The Discover Attributes from Target page is displayed.
  7. On the Discover Attributes from Target page, select the attributes that you want to import from the target system, and then click Import.
    The attributes are added to the table on the Attribute-to-Permission Mapping tab. Initially, the permission name and the attribute name are the same for each imported attribute.
  8. To configure the mapping for each attribute, select the attribute and then select Actions > Edit.
    The Edit Attribute Mapping page is displayed.
  9. On the Edit Attribute Mapping page, complete these fields:
    Attribute name
        This field is read-only. It shows the attribute name from the target system.
    Permission name
        Type the permission name that you want for Identity Governance and Intelligence.

    Depending on the type of attribute, whether boolean or string, you need to complete different fields.

    For boolean attribute types, complete these additional fields:
        Required
            This field is always selected for boolean attribute types.
        Multi-value
            This field is never selected for boolean attribute types.
        Value if user has this permission
            Provide a value for when the user has this permission. For example, yes.
        Value if user does not have this permission
            Provide a value for when the user does not have this permission. For example, no.

    For string attribute types, complete these additional fields to map attribute values to rights values:
        Required
            Select this field to specify that the attribute is required. If an attribute is required on the target system, it must also be required in Identity Governance and Intelligence.
        Multi-value
            Select this field to specify that the attribute has multiple values. Clear this field to specify that the attribute has a single value. If this attribute is not multi-value on the target system, then it cannot be multi-value in Identity Governance and Intelligence.
        Attribute Value
            Provide the name of the attribute value from the target system.
        Rights Value
            Provide the name of the rights value from the Identity Governance and Intelligence data model.
        Active
            If the value is active, select this check box. More than one value can be active.
        Default
            Select this option to specify the default attribute value. Only one value can be the default. If this attribute is required, a default value must be selected. Inactive values cannot be specified as the default.

    To remove a value from this attribute, click the trash icon that is next to the value. If any users have a permission with this value, removing the value might cause errors.

    To add more values to this attribute, click Add Value.

  10. Click Save.
    The mapping for the attribute and permission is added to the table on the Attribute-to-Permission Mapping tab.

What to do next

On subsequent discoveries from the same target system, the attributes that are already mapped are displayed in read-only mode on the Discover Attributes from Target page. If you want to remove mappings, go to the Attribute-to-Permission Mapping tab and select Actions > Remove.