Identity Governance contains a default schema for entities that you collect in the catalog. If the default schema provided does not meet your needs, you can extend the Identity Governance schema. Extending the schema is a simple process.
To extend the schema, add attributes to the default schema. You can view the default schema for Identity Governance in the console. Log in as a Global or Data administrator to view the schema, which is listed under the Data Administration menu.
Identity Governance provides a simple way to extend the schema for the different entities. You can add additional attributes and define properties. You can also download attributes as JSON files to edit the properties. After editing, you can import the attributes to the page that lists all attributes for a given entity.
Log in to Identity Governance as a Global or Data Administrator.
Under Data Administration, select the entity where you want to add or edit the attribute.
Identity
Account
Permission
Business Roles
Application
NOTE: Identity Governance does not allow you to extend the schema for groups and permission assignments.
Select the plus sign + to add a new attribute or select an existing default or custom attribute to edit the properties.
Add or edit the attribute by configuring the following:
NOTE: Some values might not be editable, depending on factors such as the Attribute Behavior settings and collection status.
Specify the attribute name and key. Use the same value for both fields. The attribute name must be unique to your Identity Governance environment.
Select the type of attribute you want to create. Attribute data types are String, Boolean, Double, Long, Date, and Locale. Attribute data types cannot be edited after collection.
IMPORTANT: Boolean and Locale type attributes do not support multiple values. Do not change these data types to another data type after saving the attribute. If you do, the attribute might still display that multiple values are not allowed. We recommend that you delete the custom attribute and recreate it when you need to change an attribute data type from Boolean or Locale to another data type.
Specify the number of characters allowed for the value of this attribute.
Enable this option to allow the system to handle values longer than the attribute’s maximum size. If you do not enable this option, and the value is longer than the maximum size, an error occurs and the record is not collected.
Select the behavior of the attribute. The attribute can be required, allowed to change, allowed to have multiple values, or allowed to have a static value. Static values enclosed in double quotes allow you to provide the same attribute value for all collected objects. For example, to set the same values of cost = 10, type = regular, and privileged = false for all collected Accounts, configure the account collector with the static values in double quotes for these attributes. This is a great way to set a default value that you can override using collector transforms or by editing the attributes as needed after collection.
Select how you want the attribute displayed in Identity Governance.
Allows anyone with rights to view reviews to see the attribute. This option does not allow the attribute to be changed.
Allows administrators to view and change the information in the Identity Governance console.
Allows administrators to store the attribute in the table columns.
Allows administrators to specify which attributes to review when creating a User Profile Review definition.
Select how you want the new attribute to be searched for in Identity Governance.
Available in catalog searches. Changes take effect after publication.
Display as refine search option.
Display in review item selection criteria.
Display in business role selection criteria.
IMPORTANT: For all attributes that you have configured for authentication matching rules using the Identity Governance Configuration Utility, ensure that you enable the following list and search options for identity attributes:
Display in lists and detail views.
Available in catalog searches. Changes take effect after publication.
Select Save.
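The constraints described above (data type, maximum size, required attributes, and single-valued Boolean and Locale attributes) can be checked against source data before collection, so that records are not rejected at collection time. The following Python check is an added example, not part of the product or its documentation; the dictionary layout, the key names (type, max_size, allow_overflow, required, multi_valued) and the sample records are assumptions constructed for illustration and do not represent the product's JSON export format.

```python
# Added example. The dictionary layout and key names are hypothetical; this is
# not the product's JSON export format, which the page does not show.
SINGLE_VALUE_ONLY = {"Boolean", "Locale"}  # types that never accept multiple values

# Date and Locale get no parser here: the page does not state their formats.
PARSERS = {
    "Long": int,
    "Double": float,
    "Boolean": lambda text: {"true": True, "false": False}[text.lower()],
}

# Constructed sample schema, reusing the page's cost/type/privileged example.
SAMPLE_SCHEMA = {
    "cost": {"type": "Long", "required": True},
    "type": {"type": "String", "max_size": 8},
    "privileged": {"type": "Boolean", "multi_valued": True},
    "notes": {"type": "String", "max_size": 8, "allow_overflow": True},
}

def check_record(record, schema):
    """Return the problems found when `record` is checked against `schema`."""
    problems = []
    for key, attr in schema.items():
        values = record.get(key)
        if values is None or values == []:
            if attr.get("required"):
                problems.append(f"{key}: required attribute is missing")
            continue
        values = values if isinstance(values, list) else [values]
        multi_ok = attr.get("multi_valued", False) and attr["type"] not in SINGLE_VALUE_ONLY
        if len(values) > 1 and not multi_ok:
            problems.append(f"{key}: multiple values are not allowed")
        for value in values:
            text = str(value)
            parser = PARSERS.get(attr["type"])
            if parser is not None:
                try:
                    parser(text)
                except (ValueError, KeyError):
                    problems.append(f"{key}: {text!r} is not a valid {attr['type']}")
            limit = attr.get("max_size")
            if limit is not None and len(text) > limit and not attr.get("allow_overflow"):
                problems.append(f"{key}: value exceeds {limit} characters, record would not be collected")
    return problems

if __name__ == "__main__":
    bad = {"type": "privileged-admin", "privileged": ["true", "false"]}
    for line in check_record(bad, SAMPLE_SCHEMA):
        print(line)
```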
If a collector you use does not contain the schema you need, you can add attributes to extend the schema of the collector. You must have already created and configured the collector before performing the following steps.
Log in to Identity Governance as a Global Administrator.
Select Data Sources.
Select Identities, Applications, or Application Definitions.
Select your data source.
In the collector page, select the collector name to view details.
Based on your collector, select Collect Identity, Collect Permission, or Collect Application.
Scroll down the list of parameters and click Add attribute.
Configure parameters to define the attribute.
Select Save.
When you create a business role, you define a membership expression that searches for all users who meet certain criteria to be added to the business role. For more information, see Section 19.2, Creating and Defining Business Roles.
The Membership expression lists all of the available attributes you can match under the Title field. This list matches the list displayed under Data Administration > Business Roles. If you want to add more items to this list, you must add a new attribute to the business roles schema.
NOTE: Only Bootstrap, Customer, Global, Data or Business Role Administrators have rights to administer the business role schema. For more information, see Section 4.8.1, Adding or Editing Attributes to Extend the Schema.