Search filter attribute with multiple values displays comma-separated strings

When we use the Search Filter on any IBM Security Identity Manager forms, if adding the source entity with an attribute (Source Attribute) of multiple values, multiple values are displayed in comma-separated strings. This problem occurs instead of showing the "attribute" of the source entity when you reopen the form.

IBM Security Identity Manager provides a fix to resolve the display attribute correctly when multiple values are stored for a source attribute that are configured in the Search Filter widget.

A new configurable field, Source Attribute Delimiter, is added in the Search Filter Editor dialog box. The following notes describe important items to remember when we use the Source Attribute Delimiter.

• The administrator can specify a delimiter in the Source Attribute Delimiter field. ISIM uses the delimiter to separate the multiple values, while you construct a value string to be set on the attribute configured as Search filter. For example, if an attribute, say “Region”, on Person form is configured as a Search Filter with the following fields.

  For a selected location, EMEA, if the countries attribute has the following values: UK, France, Germany, then on the person’s Region attribute, they are stored as UK|France|Germany.

  ISIM uses '|' to separate the individual values. It is also used to construct LDAP search filter.

  For example, part of the filter looks like the following.

  (&(countries=UK)(countries=France)(countries=Germany).

  If any location entity is found with all these values, the Attribute (l in the example) value in the source entity is displayed. Otherwise, the stored value is displayed.

• The Source Attribute Delimiter field in the Search Filter Editor dialog box is optional. By default, no values are specified for it. It can be configured to use a single or multiple characters as source attribute delimiter.
• We must configure the delimiter to a value that is not in the source attribute values. Otherwise,IBM Security Identity Manager cannot retrieve the individual values accurately and the source entity is not resolved properly.

• If the source attribute delimiter is not specified, and the source attribute of the entity contains multiple values, then the values are stored without any delimiter.

  For example: If an attribute, Region on Person form is configured as a Search Filter with the following fields.

  For a selected location, EMEA, if the Countries attribute has values, UK, France, Germany, then on person’s Region attribute, they are stored as "UKFranceGermany".

  When user opens the person form, IBM Security Identity Manager will not find a location with the value UKFranceGermany in the Countries attribute.

  Hence, IBM Security Identity Manager does not resolve the value and display it as it is instead of displaying EMEA.

• While rendering the form, IBM Security Identity Manager tries to separate the values using the configured delimiter and form the LDAP search filter using each separated individual values. If an entity matching the LDAP search filter is found, then the display attribute is shown on the form. Otherwise the stored value displays. This also means that if the source attribute value set on the source entity has some additional data, then IBM Security Identity Manager resolves the display attribute value using the values in the target entity.

  For example, if an attribute, Region on person's form is configured as a Search Filter with the following fields.

  For a selected location, EMEA, if the Countries attribute has values, UK, France, Germany, then on person’s Region attribute, they are stored as UK|France|Germany..

  If the EMEA location is modified, and a new value, Sweden is added to Countries attribute, IBM Security Identity Manager resolves the Region as EMEA, when a user opens the form.

  The new value, Sweden, is added to the Region attribute only when the existing location, EMEA, is removed and then added again in the person form. Otherwise, the person’s Region value set is not modified.

• The Source Attribute Delimiter is used only for Source Attribute and not in the Attribute fields. If the multi-valued source attribute is also configured as display attribute (source and display attribute are same) and multiple values exist on source entity, then on the form (for example, person, account, and so on), IBM Security Identity Manager shows only the first value.

  However, for the same scenario, IBM Security Identity Manager shows multiple values as a comma-separated list, in the to-do information table, provisioning policy entitlement table, service defaults, and so on..

Parent topic: Form designer interface