Attribute properties
When we add or modify an attribute, we specify properties that make that attribute unique.
Add attributes
Specify the following properties when adding an attribute:
- Name
- A unique name for the attribute.
- Description
- A description of the attribute.
- Identifier
- The internal name of the attribute used in the generated XACML policy.
- Issuer
- The identifier of the policy information point from which the value of the attribute is retrieved. If an attribute can be returned from multiple policy information points, the issuer property specifies which policy information point to use. Use this field only if we are using a policy information point. Otherwise, leave this field blank.
- Type
- Indicates whether the attribute is used for policies, risk profiles, or both. If neither check box is selected, the attribute is not available for policies or risk profiles.
- Category
- The part of the XACML request the attribute value comes from.
- Data type
- The type of values the attribute can handle. In a policy rule with an attribute, the data type indicates how the attribute can be compared to a value. In a risk profile, the risk matchers compare attribute values that have the same data type.
- Matcher
- An attribute matcher compares the values of a specified attribute in the incoming device fingerprint with the existing device fingerprint of the user.
- Storage Domain
- The storage domain indicates whether the attribute is stored as a device, session, or behavior attribute. If an attribute is included in a risk profile configuration and the storage domain is not specified, the default storage domain is device.
  - Device fingerprint data
  - Consists of attributes that are stored when a device is registered. The incoming device fingerprint is compared against this stored repository of trusted device fingerprints.
  - Session data
  - Consists of the session attributes of the user that are stored temporarily until the session times out. However, if the device is registered, the session attributes are also stored as part of the device fingerprint. If session is selected, the attribute is collected in the user’s session.
  - Behavior data
  - Historic data that is stored in the database and used for behavior-based attribute matching, for example, the login timestamps of the user over the previous three months.
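The following Python model is an added illustration, not product code: it shows how the Identifier, Issuer, Category and Data type properties together select a value from a request, following the standard XACML attribute-designator matching rule. The class names, attribute identifier and issuer names (`pip-a`, `pip-b`) are hypothetical, and the request values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RequestAttribute:
    """One value carried in the request (all sample values are constructed)."""
    category: str                 # part of the request the value comes from
    identifier: str               # internal attribute name
    data_type: str
    value: str
    issuer: Optional[str] = None  # policy information point that supplied it


@dataclass(frozen=True)
class AttributeDefinition:
    """The properties from the list above that drive value lookup."""
    identifier: str
    category: str
    data_type: str
    issuer: str = ""              # blank: no policy information point pinned


def resolve(defn: AttributeDefinition, request: List[RequestAttribute]) -> List[str]:
    """Return every request value that the definition selects."""
    bag = []
    for attr in request:
        if (attr.category, attr.identifier, attr.data_type) != (
            defn.category, defn.identifier, defn.data_type
        ):
            continue  # wrong request part, name, or data type
        if defn.issuer and attr.issuer != defn.issuer:
            continue  # issuer set on the definition: only that source counts
        bag.append(attr.value)
    return bag


# Constructed request: two hypothetical sources return the same attribute.
RISK = "urn:example:attribute:riskScore"
REQUEST = [
    RequestAttribute("environment", RISK, "integer", "40", issuer="pip-a"),
    RequestAttribute("environment", RISK, "integer", "75", issuer="pip-b"),
    RequestAttribute("subject", RISK, "integer", "10"),
    RequestAttribute("environment", RISK, "string", "high", issuer="pip-a"),
]

pinned = AttributeDefinition(RISK, "environment", "integer", issuer="pip-b")
unpinned = AttributeDefinition(RISK, "environment", "integer")
print(resolve(pinned, REQUEST), resolve(unpinned, REQUEST))
```

With the issuer left blank, the values from both sources are returned, which is the ambiguity the Issuer property removes.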
Modify attributes
All the properties for an attribute are displayed. However, we can modify only some of the attribute properties. Also, if an attribute is included in a policy, we cannot make further updates to the attribute.
We can modify the following properties:
- Editable properties of predefined attributes
- Storage Domain
- The storage domain indicates whether the attribute is stored as a device, session, or behavior attribute. If session is selected, the attribute is collected in the user’s session. If an attribute is included in a risk profile configuration and the storage domain is not specified, the default storage domain is device.
- Editable properties of custom attributes
- Name
- A unique name for the attribute.
- Description
- A description of the attribute.
- Identifier
- The internal name of the attribute used in the generated XACML policy.
- Issuer
- The identifier of the policy information point from which the value of the attribute is retrieved. If an attribute can be returned from multiple policy information points, the issuer property specifies which policy information point to use. Use this field only if we are using a policy information point. Otherwise, leave this field blank.
- Type
- Indicates whether the attribute is used for policies, risk profiles, or both. If neither check box is selected, the attribute is not available for policies or risk profiles.
- Category
- The part of the XACML request the attribute value comes from.
- Data type
- The type of values the attribute can handle. In a policy rule with an attribute, the data type indicates how the attribute can be compared to a value. In a risk profile, the risk matchers compare attribute values that have the same data type.
- Matcher
- An attribute matcher compares the values of a specified attribute in the incoming device fingerprint with the existing device fingerprint of the user.
- Storage Domain
- The storage domain indicates whether the attribute is stored as a device, session, or behavior attribute. If session is selected, the attribute is collected in the user’s session. If an attribute is included in a risk profile configuration and the storage domain is not specified, the default storage domain is device.