RapidIdentity Product Guides - 2019 Rolling Release

Attributes

The global attribute list (GAL) is the complete set of attributes used throughout RapidIdentity Portal. Adding an attribute makes it visible to assigned users throughout RapidIdentity Portal.

Legacy_Attributes.png

To add a new GAL attribute, click the plus icon; to remove an existing attribute, click the minus icon. Existing attributes are editable by clicking the pencil icon.  

Legacy_Global_Attributes.png

If the LDAP Attribute Name is unknown, click browse to scroll or search dynamically.  

Legacy_LDAP_Attributes.png

One advantage of GAL attribute configuration is that it can provide functionality to end users beyond the original RapidIdentity configuration and implementation. For example, it is possible to add a GAL attribute to allow end users to configure their photo in the My Profiles tab within RapidIdentity Portal.

Legacy_Edit_GAL.png

While the LDAP photo attribute is allowed, the current RapidIdentity production version allows the LDAP attribute "co" to be used. This attribute is configured to support either a binary image or a URL to an image, the latter of which is editable in RapidIdentity Portal. After saving, administrators must add the Photo attribute by navigating to RapidIdentity Portal > Configuration > Profiles > Extended > Delegation Definition Manager.  

Legacy_My_Profile.png

Next, click the Layout tab to check the User Profile Image Attribute and select the Photo attribute. 

Legacy_My_Profile_Photo.png

Finally, click the Actions tab and enable the My Profile tab to allow editing. It is necessary to add the Photo attribute to each Profiles delegation to allow users to edit profile photos in that delegation.

Legacy_Edit_Profile.png

Configuring a Dynamic List Attribute

A dynamic list attribute allows an administrator to pass a RapidIdentity Connect Action Set result into an attribute. The result of this Action Set populates a drop-down list to enable a delegate to select from a list of attribute values.

To pass the Action Set result into a defined attribute, the Action Set must act as a programming function.

The RapidIdentity Connect Action Set result must produce a JSON string containing two fields:

  1. success (boolean)

  2. listItems (array)

First, create and save the Action Set in the RapidIdentity Connect instance listed in the RapidIdentity Appliance Core Configuration Integration tab.

    response = createRecord(false)
    addRecordFieldValue(response, "success", true, false)
    listItems = createArray()
    listItem = createRecord(false)
    addRecordFieldValue(listItem, "displayName", "Item 1", false)
    addRecordFieldValue(listItem, "value", "1", false)
    appendArrayItem(listItems, listItem)
    listItem = createRecord(false)
    addRecordFieldValue(listItem, "displayName", "Item 2", false)
    addRecordFieldValue(listItem, "value", "2", false)
    appendArrayItem(listItems, listItem)
    addRecordFieldValue(response, "listItems", listItems, false)
    return(JSON.stringify(response))
  

If this Action Set enables the log action and is subsequently run, the JSON response appears as follows.  

Returning_Dynamic_List_Attribute.png
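
A check for the contract described above, as an added example that is not part of the RapidIdentity documentation or product code: it parses an Action Set's returned string and reports every way it departs from the two-field shape. The function name, the sample strings, the requirement that `displayName` and `value` be non-empty strings, and the uniqueness check are assumptions drawn from the sample Action Set, not documented rules.

```javascript
// Added example (not RapidIdentity code): checks the JSON string an Action Set
// returns for a Dynamic List attribute. All names here are hypothetical.
function validateDynamicListResponse(jsonText) {
  let doc;
  try {
    doc = JSON.parse(jsonText);
  } catch (e) {
    return { wellFormed: false, success: false, errors: ["not valid JSON"] };
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return { wellFormed: false, success: false, errors: ["top level must be an object"] };
  }
  const errors = [];
  // The page names two fields: success (boolean) and listItems (array).
  if (typeof doc.success !== "boolean") {
    errors.push("success must be a boolean, not " + typeof doc.success);
  }
  if (!Array.isArray(doc.listItems)) {
    errors.push("listItems must be an array");
  } else {
    const seen = new Set();
    doc.listItems.forEach((item, i) => {
      if (item === null || typeof item !== "object" || Array.isArray(item)) {
        errors.push(`listItems[${i}] must be an object`);
        return;
      }
      // Assumption from the page's sample: displayName and value are strings.
      for (const key of ["displayName", "value"]) {
        if (typeof item[key] !== "string" || item[key] === "") {
          errors.push(`listItems[${i}].${key} must be a non-empty string`);
        }
      }
      // Assumption (not a documented rule): values should be unique so a
      // stored selection maps back to exactly one list entry.
      if (typeof item.value === "string" && seen.has(item.value)) {
        errors.push(`listItems[${i}].value repeats "${item.value}"`);
      }
      seen.add(item.value);
    });
  }
  return { wellFormed: errors.length === 0, success: doc.success === true, errors };
}

// Constructed samples: the first mirrors the Action Set shown above.
const SAMPLE_GOOD = '{"success":true,"listItems":[{"displayName":"Item 1","value":"1"},' +
  '{"displayName":"Item 2","value":"2"}]}';
const SAMPLE_BAD = '{"success":"true","listItems":[{"displayName":"Item 1","value":1},' +
  '{"displayName":"Item 1"}]}';
console.log(validateDynamicListResponse(SAMPLE_BAD).errors);
```

Running the check against the logged output of an Action Set before selecting it in the Global Attribute List catches a quoted `"true"` or a missing `value` field while the problem is still confined to the Action Set.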

Next, navigate to the RapidIdentity Appliance Core Configuration Attributes tab and click the plus icon to configure a new attribute in the Global Attribute List.

Select Dynamic List as the attribute Type.  

Legacy_Edit_GAL.png

The RapidIdentity Connect Action is required and is the Action Set described above, which in this case would be Dynamic List Attribute.

Action Set parameters (RapidIdentity Connect Action Set Input Properties) are not required to configure a Dynamic List attribute.

One use case in which parameters can be used in a dynamic list attribute is to allow users to select their primary Email address from all possible Email addresses associated with their user account in the user's RapidIdentity Portal My Profile delegation. This Action Set would need to connect to the system(s) associating the user with their possible Email addresses, which is likely to be a directory service or database. Subsequently, the Action Set would need to compile the Email addresses as listItems and return the JSON value.

The only two parameters that will work for this particular use case are shown below.

Table 196. Action Set Parameters

| Parameter | Description |
| --- | --- |
| target_id | The idautoID of the target of the operation |
| perp_id | The idautoID of the perpetrator of the operation (who's performing the operation) |



Configuring a Global Attribute LDAP Filter

Attributes listed in the GAL can serve as global LDAP filters. Global filters can be used to support multi-tenancy. For example, a global filter can be used to restrict RapidIdentity Portal module visibility to users matching specific values, such as a particular district code and having a RapidIdentity Portal module administrator role. Users that do not match this global filter would subsequently not be able to see this module when logging into RapidIdentity Portal. Currently, only the RapidIdentity Portal Sponsorship module supports a global attribute LDAP filter implementation.

The default setting is that none of the listed GAL attributes are global filters and that newly added GAL attributes are not global filters. To make an existing or newly added GAL attribute a global filter, check the Global Filter check box and then click Save.

Global_Attributes_Legacy.png

The GAL updates to show the attribute as a global filter. 

Updated_GAL.png