3.5 Extending the Identity Governance Schema

Identity Governance contains a default schema for entities that you collect in the catalog. If the default schema provided does not meet your needs, you can extend the Identity Governance schema. Extending the schema is a simple process.

To extend the schema, add attributes to the default schema. You can view the default schema for Identity Governance in the console. Log in as a Global or Data administrator to view the schema, which is listed under the Data Administration menu.

3.5.1 Adding or Editing Attributes to Extend the Schema

Identity Governance provides a simple way to extend the schema for the different entities. You can add additional attributes and define properties. You can also download attributes as JSON files to edit the properties. After editing, you can import the attributes to the page that lists all attributes for a given entity.

  1. Log in to Identity Governance as a Global or Data Administrator.

  2. Under Data Administration, select the entity where you want to add or edit the attribute.

    • Identity

    • Account

    • Permission

    • Business Roles

    • Application

    NOTE: Identity Governance does not allow you to extend the schema for groups.

  3. Select the plus sign + to add a new attribute or select an existing attribute to edit the properties.

  4. Add or edit the attribute by configuring the following:

    NOTE: Some values might not be editable, depending on the Attribute Behavior settings.

    Attribute name and Key

    Specify the attribute name and key. Use the same value for both fields. The attribute name must be unique to your Identity Governance environment.

    Type

    Select the type of attribute you want to create. The types are String, Boolean, Double, Long, Date, and Locale.

    Maximum size

    Specify the number of characters allowed for the value of this attribute.

    Truncate to size

    Enable to allow the system to handle values longer than the attribute’s maximum size. If you do not enable this option, and the value is longer than the maximum size, an error will occur and the record is not collected.

    Attribute Behavior

    Select the behavior of the attribute. The attribute can be required, allowed to change, allowed to have multiple values, or allowed to have a static value. Static values enclosed in double quotes allow you to provide the same attribute value for all collected objects. For example, to set the same values of cost = 10, type = regular, and privileged = false for all collected Accounts, configure the account collector with the static values in double quotes for these attributes. This is a great way to set a default value that you can override using collector transforms or by editing the attributes as needed after collection.

    Listable Options

    Select how you want the attribute displayed in Identity Governance.

    Display in Quick Info views

    Allows anyone with rights to view reviews to see the attribute. This option does not allow the attribute to be changed.

    Display in lists and detail views

    Allows administrators to view and change the information in the Identity Governance console.

    Sortable in table columns

    Allows administrators to store the attribute in the table columns.

    Allow to be reviewed

    Allows administrators to specify which attributes to review when creating a User Profile Review definition.

    Searchable Options

    Select how you want the new attribute to be searched for in Identity Governance.

    • Available in catalog searches. Changes take effect after publication.

    • Display as refine search option.

    • Display in review item selection criteria.

    • Display in business role selection criteria.

    IMPORTANT: For all attributes that you have configured for authentication matching rules using the Identity Governance Configuration Utility, ensure that you enable the following list and search options for identity attributes:

    • Display in lists and detail views.

    • Available in catalog searches. Changes take effect after publication.

  5. Select Save.

3.5.2 Adding Attributes to a Collector

If a collector you use does not contain the schema you need, you can add attributes to extend the schema of the collector. You must have already created and configured the collector before performing the following steps. For more information, see Section 6.0, Collecting Applications and Application Data.

  1. Log in to Identity Governance as a Global Administrator.

  2. Select Data Sources > Identities > Your Identity Source.

  3. Select Collect Identity > Collect Identity Attributes > Add attribute.

  4. Add the attribute by configuring the following:

    Attribute name and Key

    Specify the attribute name and key. Use the same value for both fields. The attribute name must be unique to your Identity Governance environment.

    Type

    Select the type of attribute you want to create. The types are String, Boolean, Double, Long, Date, and Locale.

    Maximum size

    Specify the number of characters allowed for the value of this attribute.

    Truncate to size

    Enable to allow the system to handle values longer than the attribute’s maximum size. If you do not enable this option, and the value is longer than the maximum size, an error will occur and the record is not collected.

    Attribute Behavior

    Select the behavior of the attribute. The attribute can be required, allowed to change, allowed to have multiple values, or allowed to have a static value. Static values enclosed in double quotes allow you to provide the same attribute value for all collected objects. For example, to set the same values of cost = 10, type = regular, and privileged = false for all collected Accounts, configure the account collector with the static values in double quotes for these attributes. This is a great way to set a default value that you can override using collector transforms or by editing the attributes as needed after collection.

    Listable Options

    Select how you want the attribute displayed in Identity Governance.

    Display in Quick Info views

    Allows anyone with rights to view reviews to see the attribute. This option does not allow the attribute to be changed.

    Display in lists and detail views

    Allows administrators to view and change the information in the Identity Governance console.

    Sortable in table columns

    Allows administrators to store the attribute in the table columns.

    Searchable Options

    Select how you want the new attribute to be searched for in Identity Governance.

    • Available in catalog searches. Changes take effect after publication.

    • Display as refine search option.

    • Display in review item selection criteria.

    • Display in business role selection criteria.

  5. Select Save.
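
The Maximum size, Truncate to size, and static value settings described in Sections 3.5.1 and 3.5.2 decide whether a collected record is stored unchanged, stored with a shortened value, or not collected at all. The following added example (not Identity Governance code) models those settings so you can check a source extract before collection; the `AttributeDef` fields, function names, and sample records are hypothetical and do not reflect the product's JSON export format.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class AttributeDef:  # hypothetical model of the settings above
    key: str
    max_size: int
    truncate_to_size: bool = False
    static_value: Optional[str] = None  # same value for every object; transforms not modelled

def apply_schema(record, schema):
    """Return (collected, notes); collected is None when the record is not collected."""
    collected, notes = {}, []
    for attr in schema:
        raw = attr.static_value if attr.static_value is not None else record.get(attr.key)
        if raw is None:
            continue
        value = str(raw)
        if len(value) > attr.max_size:
            if not attr.truncate_to_size:
                return None, [f"{attr.key}: {len(value)} > {attr.max_size}, not collected"]
            notes.append(f"{attr.key}: truncated {len(value)} -> {attr.max_size}")
            value = value[:attr.max_size]
        collected[attr.key] = value
    return collected, notes

def preflight(records, schema, id_key):
    """Summarise which records a run would reject, truncate, or make indistinguishable."""
    report, seen = {"rejected": [], "truncated": [], "collisions": []}, {}
    for rec in records:
        collected, notes = apply_schema(rec, schema)
        if collected is None:
            report["rejected"].append(rec[id_key])
            continue
        if notes:
            report["truncated"].append(rec[id_key])
        for attr in schema:
            if attr.static_value is not None or attr.key not in collected:
                continue
            source = str(rec[attr.key])
            first = seen.setdefault((attr.key, collected[attr.key]), source)
            if first != source:  # two different source values, one stored value
                report["collisions"].append((attr.key, first, source))
    return report

# Constructed sample schema and records (not real data).
SCHEMA = [AttributeDef("userId", 8), AttributeDef("department", 10, truncate_to_size=True),
          AttributeDef("privileged", 5, static_value="false")]
RECORDS = [{"userId": "jdoe", "department": "Engineering-East"},
           {"userId": "asmith", "department": "Engineering-West"},
           {"userId": "longusername1", "department": "Sales"}]
REPORT = preflight(RECORDS, SCHEMA, "userId")
```

The collisions entry matters most for attributes used in review or business role selection criteria, because two different source values that truncate to the same stored value can no longer be told apart.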

3.5.3 Viewing Available Attributes in Business Roles

When you create a business role, you define a membership expression that searches for all users who meet certain criteria to be added to the business role. For more information, see Section 16.3, Defining Business Roles.

The Membership expression lists all of the available attributes you can match under the Title field. This list matches the list displayed under Data Administration > Business Roles. If you want to add more items to this list, you must add a new attribute to the business roles schema.

NOTE: Only Bootstrap, Global, Data, or Business Role Administrators have rights to administer the business role schema. For more information, see Section 3.5.1, Adding or Editing Attributes to Extend the Schema.