Creating, Updating and Deleting User attributes


Introduction

In IDHub every entity carries a dynamic set of attributes. The reason for this is that the Authorization Engine (and its policies) can use attribute values to influence authorization decisions.

These attributes are related to a user and can be of three kinds:

  • TrustBuilder repository attributes: The value is stored in the TrustBuilder repository.
  • Virtual Attributes: The value is fetched from an external repository (for example a CRM database) and can be used during administration and authentication.
  • Federated Attributes: The values are received during authentication from the Authentication Mechanism (Identity Provider) and are cached in the session for the duration of the session.

Because the model is dynamic, the attributes that are available for use must be defined first.

Definition of User Attribute Fields

Category: This drop-down list is populated from the Categories created under the Manage Categories tab. A User needs to select a Category from the list when creating a new User Attribute, since the new attribute must fall under one of these Categories.
Name: This is the unique name or identifier given to the Attribute; there cannot be two identical identifiers (names) within the same Category. An alert message is triggered at the bottom of the page if the User enters an existing name for a new User Attribute and clicks the Save Close button.
Display Name: This is the name that is displayed on the User Attributes page.
Description: This is a general description of what the Attribute is about. It is also displayed on the User Attributes page.
Data Format: This defines the data format used for the Attribute. For more details see the section Data Formats below.

Data Formats

This section describes the data formats (types) available for user attributes.

Text: Accepts any value and stores it as a string.
Enumeration: Selecting this format displays an additional panel where the limited list of allowed values can be provided. Only these pre-defined values are accepted.
For example, with the configuration shown in the image below, the attribute will only accept the values Belgium, Netherlands or Luxembourg.

Email: Accepts email values and keeps track of their verification status. Once a value is entered in an attribute of Email type, its status is set to PENDING. This is indicated by a warning icon next to its name, as shown below.

The unverified value of the attribute is shown between brackets as well.

Then a verification email (personalized via templates) is sent to the entered address with further instructions. Once the email has been successfully verified, its status is set to VERIFIED. This is indicated by a green check icon next to its name, as shown below.

Derived: Derived attributes are linked to a workflow by a workflow ID property, which is specified in the principal attribute definition screen. The value of the attribute is obtained by executing the specified workflow.
More information: (Derived Attributes)
Hash: The value is hashed upon storage and is thus rendered unreadable.
SHA-256 and SHA-512 algorithms are available.
A different (unique) salt is applied for every user, so the same value stored for two users produces two different hashes.
Searchable Hash: The value is hashed upon storage and is thus rendered unreadable.
SHA-256 and SHA-512 algorithms are available.
The same salt is used for every user. This makes it possible to search for hashed values.
SMS: Attribute used specifically for SMS communication (e.g. to send an OTP).
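The difference between the Hash and Searchable Hash formats comes down to where the salt comes from, and that decides whether a value can be looked up. The following Python model is an added example, not IDHub's own code; it assumes a digest over salt || value (the real salt layout is not documented here) and uses constructed sample users and values.

```python
import hashlib
import secrets
ALGORITHMS = {"SHA-256": "sha256", "SHA-512": "sha512"}  # the two choices the page lists

def salted_digest(value: str, salt: bytes, algorithm: str = "SHA-256") -> str:
    """Hex digest of salt || value (the salt layout is an assumption, not IDHub's)."""
    h = hashlib.new(ALGORITHMS[algorithm])
    h.update(salt)
    h.update(value.encode("utf-8"))
    return h.hexdigest()

class HashStore:
    """'Hash' format: a fresh random salt per user, stored beside the digest."""
    def __init__(self, algorithm: str = "SHA-256"):
        self.algorithm = algorithm
        self.rows = {}  # user id -> (salt, digest)

    def put(self, user: str, value: str) -> None:
        salt = secrets.token_bytes(16)
        self.rows[user] = (salt, salted_digest(value, salt, self.algorithm))

    def verify(self, user: str, candidate: str) -> bool:
        salt, digest = self.rows[user]  # checking a known user works: reuse that user's salt
        return secrets.compare_digest(digest, salted_digest(candidate, salt, self.algorithm))
    # No find(): with a different salt per row, a lookup by value would have to recompute
    # the digest against every row's salt, which no database index can do.

class SearchableHashStore:
    """'Searchable Hash' format: one salt for all users, so equal values give equal digests."""
    def __init__(self, shared_salt: bytes, algorithm: str = "SHA-256"):
        self.salt, self.algorithm = shared_salt, algorithm
        self.index = {}  # digest -> [user ids]: what an index on the hashed column provides

    def put(self, user: str, value: str) -> None:
        self.index.setdefault(salted_digest(value, self.salt, self.algorithm), []).append(user)

    def find(self, value: str) -> list:
        # One digest computation, then an exact-match lookup: that is the searchability.
        return self.index.get(salted_digest(value, self.salt, self.algorithm), [])

def demo() -> dict:
    # Constructed sample: two users holding the same value in each kind of store.
    per_user, shared = HashStore(), SearchableHashStore(secrets.token_bytes(16))
    for store in (per_user, shared):
        store.put("alice", "12345678")
        store.put("bob", "12345678")
    return {
        "per_user_digests_differ": per_user.rows["alice"][1] != per_user.rows["bob"][1],
        "per_user_verify": per_user.verify("alice", "12345678"),
        "shared_find": shared.find("12345678"),  # both users: equal digests by design
    }
```

The searchable variant is deterministic: anyone who can read the column can tell which users share a value, which is the trade-off an administrator accepts for being able to search.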

Definitions of User Attribute Properties

Single Value: There can only be one value of this Attribute for any User, for example Date of Birth.
Required: When checked, the field in question is mandatory (denoted with an asterisk). The field must always be filled in by the User; otherwise an alert message is triggered when creating and saving a new User.
Read Only: This Attribute cannot be updated by the Administrator or the User from the Self Service Portal; it can, however, be updated by the Administrator from the Admin Portal.
Hidden: When checked, this attribute and its value are not visible in Self-service.
Override: When checked, the Attribute value in the repository (if there is one) takes precedence over a value returned from an IDP for that attribute.
System: A System Attribute is needed for the proper functioning of the Application. It is configured during the first-time installation of the Application and cannot be deleted by the Administrator.
Primary: A uniqueness check that can only apply to one Attribute per Data Type. For instance, there cannot be two Attributes of Data Type Email that both have Primary checked; an error message is shown when a user attempts this.

Scopes

Scopes are used in the context of the OpenID Connect authentication protocol. Since a scope determines which attributes are requested by an SP from an IDP (or supplied by an IDP), this is where you configure which scope(s) this attribute belongs to.

An attribute can belong to none, one or multiple scopes.

  • Available scopes: Scopes (type: OpenID) to which this attribute is not added
  • Assigned scopes: Scopes (type: OpenID) to which this attribute is added

Simply click the blue arrows to add an attribute to a scope or remove it from one.

Categories

Create new or remove existing attribute categories.

Categories are only used to structure/group attributes. Their definition has no other impact.

It is not possible to remove a category when it still contains attributes.

Creating a User Attribute

This operation creates a new User Attribute. Given the dynamic nature of the IDHub Application, the Administrator can create Attributes specific to the Organisation, rather than being limited to a fixed set of Attributes built into the Application.

  • Click User Attributes under Configuration
  • Click Create under Actions
  • Fill in all mandatory data and click Save Close

Note: The Manage Categories pane is only meant for creating a new Category; nothing needs to be entered in those fields when creating a new User Attribute.

Possible Alerts that can be encountered during this operation

The User is informed via the alert message Duplicate User Attribute Type at the bottom of the page when saving an Attribute whose Name field duplicates an existing name.

Clicking the Save Close button without filling in some or all of the mandatory field(s) triggers an alert message underneath these field(s), indicating that they are required fields that need to be filled in.

If the User enters any character outside the permitted range of characters in the Name field and clicks Save Close, an alert message reading Invalid Value(s) is shown underneath this field.

  1. First Rule - The first character of the Name field must fall within this set of characters (a-z A-Z _ )
  2. Second Rule - The second and any subsequent characters of the Name field must fall within this set of characters (0-9 a-z A-Z)
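The two Name rules above, together with the per-Category uniqueness check from the field definitions, as an added Python example (not IDHub's code; the alert texts and the exact-match comparison used for duplicates are assumptions, and the existing attributes are a constructed sample):

```python
import re

# Rule 1: the first character must be a-z, A-Z or "_".
FIRST_CHAR = re.compile(r"[a-zA-Z_]")
# Rule 2: every later character must be 0-9, a-z or A-Z (note: no "_" after the first position).
LATER_CHARS = re.compile(r"[0-9a-zA-Z]*")

def name_errors(name: str) -> list:
    """Return the alert texts for the Name field, or [] when the name is valid."""
    if not name:
        return ["Required field"]
    errors = []
    if not FIRST_CHAR.fullmatch(name[0]):
        errors.append("Invalid Value(s): first character must be a-z, A-Z or _")
    if not LATER_CHARS.fullmatch(name[1:]):
        errors.append("Invalid Value(s): later characters must be 0-9, a-z or A-Z")
    return errors

def validate_new_attribute(name: str, category: str, existing: set) -> list:
    """existing holds (category, name) pairs already stored; names are unique per Category."""
    errors = name_errors(name)
    if (category, name) in existing:  # exact-match comparison is an assumption
        errors.append("Duplicate User Attribute Type")
    return errors

# Constructed sample: attributes that already exist in two Categories.
EXISTING = {("Personal", "dateOfBirth"), ("Contact", "email")}

def demo() -> dict:
    return {
        "ok": validate_new_attribute("_employeeId", "HR", EXISTING),
        "leading_digit": validate_new_attribute("1stName", "HR", EXISTING),
        "underscore_later": validate_new_attribute("employee_id", "HR", EXISTING),
        "same_name_other_category": validate_new_attribute("email", "HR", EXISTING),
        "duplicate": validate_new_attribute("email", "Contact", EXISTING),
        "empty": validate_new_attribute("", "HR", EXISTING),
    }
```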

Notice that the System check box is inactive (greyed out), because System Attributes are configured during the first-time installation of the Application and cannot be checked during normal attribute creation.

Editing User Attributes

This operation allows the Administrator to edit an existing attribute.

  • Click User Attributes under Configuration
  • Click the Edit icon adjacent to the User Attribute you want to edit
  • Make all the necessary changes and click the Save Close button

Possible Alerts that can be encountered during this operation

The User is informed via the alert message This operation is not allowed when attempting to edit any System Attribute.

Deleting User Attributes

This operation allows the Administrator to delete any existing User Attribute except a System Attribute.

  • Check that the User Attribute does not have any User values linked to it; if it does, first delete all User values linked to it
  • Click User Attribute
  • Click the Delete icon adjacent to the Attribute you want to delete
  • Click Delete Attribute on the pop up window that is displayed

Possible Alerts that can be encountered during this operation

A system-defined or configured User Attribute such as Email (configured during the first-time installation of the Application) cannot be deleted by the Administrator. An alert message at the bottom of the page indicates that the operation is not allowed when the User attempts to delete such an attribute.

The User is informed via the alert message Cannot delete Attribute as it is still assigned to Users when attempting to delete any Attribute that still has Users assigned to it.
