Supported formats and special processing of attributes
IBM Security Identity Manager provides special processing for manager and secretary attributes, and for the erRoles attribute.
Supported formats and special processing for manager and secretary attributes
The manager and secretary attributes refer to another person entry within ISIM. The Active Directory identity feed maps the Active Directory assistant attribute to the secretary attribute.
Internally, ISIM uses a special format for the Distinguished Name (DN) of person directory entries. The format is inconvenient and difficult to specify in the identity feed data. So the identity feed code allows these attributes to be specified in more useful formats. ISIM supports three formats for the values.
- A search filter (containing an equal (=) operator, but not erglobalid) that is a comma-separated list of attribute=value pairs.
- A simple name (not containing an equal (=) operator), which is assumed to be the value of the naming attribute for the person object class (that is, cn).
- A full IBM Security Identity Manager DN (containing an equal (=) operator and erglobalid). The expression must exactly match ISIM LDAP DN of one of the currently defined person objects.
For the first two cases, IBM Security Identity Manager converts the value to an LDAP search filter. The process does a subtree search of the organization to find a unique matching person. If the search returns zero matches, or more than one match, then the value is considered invalid, and is removed from the list. A suitable warning message is written to ISIM log.
A potential issue can occur with both the manager and secretary attributes if they reference a person who is also defined in the same feed. In this case, it is possible that when the attribute value is processed as above, the person that it references is not yet been created. This issue can occur even if the manager or secretary person is defined earlier in the identity feed file. The cause is multithreaded and asynchronous processing done by ISIM during an identity feed. This situation results in deleting the attribute from the person, because the attribute references an invalid person. A warning is written to the logs.
There are two solutions to this reference dependency issue. First, run the identity feed a second time, after all processing completes from the first run. This second feed is much faster, because only changed entries cause in any significant processing during the feed. Alternatively, define these people (managers and secretaries) in a separate identity feed file. Run that identity feed first, then run the main feed after the first feed fully completes. This separate, first feed might also contain entries that reference managers defined in the same feed. We might need to run the separate, first feed twice, or split the feed again.
Asynchronous workflow activities to create or modify people might still be running, even after the identity feed status seems to be complete. In this case, we must wait for an additional interval of time after the first feed seems to be complete, before submitting the second feed.
Supported formats and special processing for erRoles attribute values
The erRoles attribute is used to specify the list of roles to which a person belongs. In IBM Security Identity Manager, groups are equivalent to roles that IBM Security Identity Manager, as an enterprise product, provides. ISIM uses the erRoles attribute to specify the groups to which a user belongs. For example, specifying an identity feed attribute erRoles with a value of Help Desk Assistant causes the user to belong to the Help Desk Assistant group. The erRoles attribute can be multi-valued.
These formats are supported:
- A simple name (not containing an equals (=) operator), which is assumed to be the value of the erRoleName attribute. IBM Security Identity Manager does a subtree search to find a unique matching static role. The name is not valid if zero or more than one role is a match.
- A full IBM Security Identity Manager DN, which must exactly match ISIM LDAP DN of one of the currently defined static roles.
Any invalid value is removed from the value list. If this results in zero remaining values, the attribute is removed from the attribute list. A suitable warning message is written to the log.
Parent topic: Identity feed management