IDHUB User attributes


IDHUB User attributes

In IDHub every entity requires a dynamic amount of attributes. The reason behind this is that we can use our Authorization Engine (and policy) based on attributes to influence given decisions.

These attributes are related to a user; these can be:

  • TrustBuilder repository attributes: The value is in the TrustBuilder repository
  • Virtual Attributes: The value is fetched from an external repository (for example a CRM Database) and can be used during administration and authentication.
  • Federated Attributes: Attributes are received during authentication from the Authentication Mechanism (Identity Provider) and are cached in the session for the duration of the session

Because it is a dynamic model we need to define the attributes that are available to use

Definition of User Attribute Fields

Field Name Description
Category This drop down list is populated based on the New Category that is created under the Manage Categories tab. A User need to select a Category from the list when creating a new User Attribute since the newly created attribute will have to fall under one of these Categories.
Name This is the unique name or identifier given to the Attribute, and there cannot be two same identifiers(name) for the same Category. An alert message will be triggered at the bottom of page if User uses an existing name for a new User Attribute and clicks on button Save Close
Display Name This is the name that displays on the User Attributes page
Description This is a general description of what the Attribute is about. It also displays on User Attribute page
Data Format This defines the data format being used for the Attribute. For more details see the section Data Formats below.

Data Formats

This section describes the possible data formats or types possible for user attributes.


Accepts any value and converts it into strings.


Accepts only values pre-defined using the Enumeration values panel. For example, with the configuration shown in the image below, the attribute will only accept the values Belgium, Netherlands or Luxembourg.


Accepts email values and keeps of their verification status. Once a value is entered in an attribute of Email type, its status is set to PENDING. This is indicated by a warning icon next to its name, as shown below. The unverified value of the attribute is shown between the brackets as well.

Then, a verification email is sent to the entered address with further instructions. Once the email has been successfully verified, its status is set to VERIFIED. This is indicated by a green check icon next to its name, as shown below.


Derived attributes are linked to a workflow by a workflow ID property which is specified in the principal attribute definition screen. The value of the attribute is obtained by executing the specified workflow. The result of the workflow is expected in the following JavaScript structure:

<subtype_name>: {
	<attr_name>: ["value1", ... ,"value3"],
	<attr_name>: ["value1", ... ,"value3"]
<subtype_name>: {
	<attr_name>: ["value1", ... ,"value3"],
	<attr_name>: ["value1", ... ,"value3"]

Where the values assigned to each attr_name has to be an array (even if it only contains one value)

As an example, the following workflow script produces a value for the attribute Full Name by concatenating the First Name and Last Name attribute values of the principal.

function getFullNameValues(workItem){
	var fn = workItem.input.value.attributes.common.first_name[0];
	var ln = workItem.input.value.attributes.common.last_name[0];
	var full_name = fn + " " + ln;
	var full_name_str = JSON.stringify(full_name).replace(/\"/g, "");
    workItem.output = tb.simpleResponse({
		common: {
			full_name: [full_name_str]

The workflow function is given an object as parameter, called workItem in this example, that contains the principal object (accessed via workItem.input.value) and where the output of the workflow must also be stored, in workItem.output. As shown in the example above, the output object can be created using tb.simpleResponse and passing as parameter a JavaScript object with the correct structure.

Finally, since the returned values have to be in JSON format, the full_name property is converted into a JSON String by the JSON.stringify method and the backward slashes \ created by the conversion are removed.

Definitions of User Attribute Properties

Field Name Description
Read Only This Attribute cannot be updated by the Administrator nor the User from the Self Service Portal, it can however be updated by the Administrator from the Admin Portal.
Override This is the Attribute value in the repository (if there is a value) it takes precedence over a value returning from an IDP for that attribute
Required This item when checked imply that the field in question is mandatory (denoted with asterisks). This means the field always need to be filled in by the User, without which an alert message will be triggered during the creation and saving of a new User
Sigle Value There can only be one value for this Attribute type for any User, for example, Date of Birth.
System System Attribute is needed for the proper functioning of the Application. This Attribute is configured during the first time installation of the Application. The Administrator cannot delete this Attribute.
Primary This is a unique check that can only apply to one "Data Type" for a particular Attribute. For instance, there cannot be two Attributes of Data Type Email, with both having Primary checked. There will be an error message when user attempts to do this.

Creating a User Attribute

This operation creates a new User Attribute. Given the dynamic nature of the IDHUB Application, the Administrator can create Attributes peculiar to the Organisation, other than having a limited or fixed Attributes in-built in the Application

  • Click User Attributes under Configuration
  • Click Create under Actions
  • Fill in all mandatory data and click Save  Close

Note: Pane Manage Categories is only meant for the creation of a new Category, and nothing needs to be entered for these fields when creating a new User Attribute

Possible Alerts that can be encountered during this operation

The User will be informed via an alert message at the bottom of the page that Duplicate User Attribute Type when he saves an Attribute with a duplicate name for the Name field.

Clicking on button Save  Close without filling in data for some, or all of the mandatory field(s), will trigger an alert message underneath these field(s), indicating that these are required field(s) that need to be filled-in

If User uses any character which does not fall within the given range of characters for the Name field and clicks on Save  Close, then an alert message will show underneath this field saying Invalid Value(s)

  1. First Rule - The starting/first character for the Name field should fall within these set of characters (a-z A-Z _ )
  2. Second Rule - The second and any subsequent characters for the Name field should fall within these set of characters (0-9 a-z A-Z)

Notice that System check box is inactive (greyed out) given that this Attribute is configured during first time installation of Application and as such cannot be checked during normal attribute creation

Editing User Attributes

This operation allows the Administrator to Edit an existing attribute

  • Click User Attributes under Configuration
  • Click on the Edit icon adjacent to the User Attribute you want to edit
  • Do all the necessary changes and click on button Save  Close

Possible Alerts that can be encountered during this operation

User will be informed via an alert message that This operation is not allowed if User attempts to edit any System based Attribute

Deleting User Attributes

This operation allows the Administrator to delete any existing User Attribute except a Systems Attribute

  • Check that the User Attribute does not have any User(s) value linked to it, if it does then first delete all User(s) value linked to it
  • Click User Attribute
  • Click the Delete icon adjacent to the Attribute you want to delete
  • Click Delete Attribute on the pop up window that displays

Possible Alerts that can be encountered during this operation

System defined or configured User Attribute such as Email (this is configured during the first time installation of Application) cannot be deleted by the Administrator. There will be an Alert message showing at the bottom of page indicating that operation is not allowed when User attempts to delete this attribute.

User will be informed via an alert message that Cannot delete Attribute as it is still assigned to Users if User attempts to delete any Attribute that have Users assigned to it.

Have more questions? Submit a request