Attributes in an identity feed that are not in a schema

You can include attributes in an identity feed that are not contained in the identity feed object class (organizationalPerson for Active Directory; inetOrgPerson for IBM Security Identity Manager).

For example, the erRoles attribute determines a user's membership in an IBM Security Identity Manager group. The erRoles attribute is not in either the organizationalPerson or the inetOrgPerson schema. Based on the value of the erRoles attribute in an initial identity feed, a user might become a member of a customized group. The user might also become a member of the default Help Desk Assistant group.

A repeated identity feed might not contain a value for an attribute that was previously specified for the user. This applies to both the organizationalPerson and inetOrgPerson schemas. The identity feed process then deletes that attribute from the ISIM user.

If the incoming identity record for a user initially indicates membership in a customized group, Security Identity Manager includes the user as a member of both the customized group and the default group of the same category. Security Identity Manager interprets a subsequent identity feed that includes the same user as a modification of the existing Security Identity Manager user. If the subsequent identity feed specifies that the user has membership only in the customized group, and not also in the default group of the same category, the user is removed from membership in the default group. To avoid this problem, ensure that both initial and subsequent identity feeds specify that a user has membership in both a customized and the default group of the same category.

For the Active Directory feed, this problem also occurs for any inetOrgPerson attribute that is not also contained in the organizationalPerson schema. For an inetOrgPerson identity feed, the problem occurs for any inetOrgPerson attribute that is not supported by the identity feed.
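The two behaviours described above (a repeated feed deleting attributes it omits, and a subsequent feed removing the default group when only the customized group is listed) can be caught before a feed is loaded. The following is an added example, not IBM code: it models the feed processing and flags records that would silently change a user. The group names and the category mapping are constructed assumptions; in a real deployment they come from the ISIM group configuration.

```python
from typing import Dict, List, Optional

# Constructed group model (assumption): each group belongs to a category and
# each category has one default group, e.g. the default Help Desk Assistant group.
GROUP_CATEGORY = {"Help Desk Assistant": "helpdesk", "Regional Help Desk": "helpdesk"}
DEFAULT_GROUP = {"helpdesk": "Help Desk Assistant"}

Record = Dict[str, List[str]]  # attribute name -> values, as in one feed entry


def apply_feed(previous: Optional[Record], record: Record) -> Record:
    """Model the ISIM user that results from processing one feed record.

    Initial feed (previous is None): membership in a customized group also
    grants the default group of the same category.  Subsequent feed: the record
    is treated as a modification of the existing user, so erRoles is taken
    literally and any attribute absent from the record is deleted.
    """
    result = {attr: list(values) for attr, values in record.items()}
    roles = set(result.get("erRoles", []))
    if previous is None:
        for group in list(roles):
            category = GROUP_CATEGORY.get(group)
            if category:
                roles.add(DEFAULT_GROUP[category])
    if roles:
        result["erRoles"] = sorted(roles)
    return result


def check_record(previous: Optional[Record], record: Record) -> List[str]:
    """Return warnings for a record that would silently narrow the user."""
    warnings = []
    roles = set(record.get("erRoles", []))
    for group in sorted(roles):
        category = GROUP_CATEGORY.get(group)
        if category and DEFAULT_GROUP[category] not in roles:
            warnings.append(f"erRoles lists {group!r} without default group {DEFAULT_GROUP[category]!r}")
    if previous:
        for attr in previous:
            if attr not in record:
                warnings.append(f"attribute {attr!r} missing from feed; it will be deleted")
    return warnings


# Constructed sample records: an initial feed and a repeated feed for the same user.
INITIAL = {"uid": ["jdoe"], "mail": ["jdoe@example.com"], "erRoles": ["Regional Help Desk"]}
REPEAT = {"uid": ["jdoe"], "erRoles": ["Regional Help Desk"]}

if __name__ == "__main__":
    state = apply_feed(None, INITIAL)
    for warning in check_record(state, REPEAT):
        print("WARNING:", warning)
```

Running the check on the sample repeat record reports both the lost default group and the deleted mail attribute; adding the default group to erRoles and carrying every previously fed attribute clears the warnings.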
