Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • where the value of an attribute is correct, but not presentable =
    • e.g. turn
    a memberOf value
    • a value of 'CN=Lixiang Yu, DN=Development Staff, DN=ad, DN=yourdomain, DN=net' into 'Staff'
  • where the value you need for an attribute is not available from your system, but you can infer it from other values that are -
    • e.g. you have attributes that identify the department and job role of a user, but need a value that tells you the country they're based in.

You set up attribute transform rules in a similar way to how you map permission sets:

...

If more than one set of conditions matches, then the attribute will have more than one value. All values are passed if that attribute is released, and all values are used by statistics if it is reportable. Unfortunately the interface cannot display muliti-valued attributes on accounts at the moment.

If a rule is using the 'any' condition, or conditions are based on multi-valued attributes (e.g. memberOf), then your rule could match on any of the multiple values that it sees. Care must be taken with negative matches such as 'does not contain' in these cases.

Examples

Example

Scenario:

An organisation has offices in 20 cities around the world. The directory they have connected to OpenAthens can pass the name of the office (e.g. Abuja office), but not the country. All users have access to the same set of resources and are not separated by sub-organistaion or permission set.

...

Next we add some transform rules along the lines of: When any of these match (office contains Edinburgh, office contains Bristol) the output value is 'UK'. 

Save Add conditions and repeat outputs for each country country, then click done and save.