RapidIdentity Administrators' and Users' Guide

Global Attribute List

The Global Attribute List (GAL) defines LDAP attributes used in various places within the RapidIdentity UI and adds type constraints that affect the behavior of RapidIdentity when it interacts with the values of these attributes. This is where System Administrators can define and control the different attributes used by RapidIdentity.

  1. To navigate to the Global Attribute List, first open the Configuration menu.

     [Figure: Dashboard_Configuration.jpg]

  2. Then click Metadirectory in the Systems menu.

     [Figure: Systems_Menu_Cloud.jpg]

  3. The Metadirectory menu displays the Global Attribute List, where administrators can view each of the existing attributes and their details. A table explaining each column is below.

     [Figure: GAL_Cloud.jpg]
    Table 46. GAL Columns (column name, followed by its description)

    (Checkbox)
      Select this checkbox to select a specific GAL item. This activates the Delete button in the Action Bar (depending on how many items are selected).

    Friendly Name
      The display name of the attribute in RapidIdentity.

    LDAP Attribute
      The LDAP attribute name.

    Searchable
      Whether this attribute may be included in various basic LDAP searches performed by RapidIdentity.
      Note: This is disabled during Attribute Creation unless the chosen LDAP attribute is searchable.

    Allow Multiple Values
      Whether the attribute should be allowed to have multiple values.
      Note: LDAP attributes that are defined as single-valued in the directory schema should never be allowed to have multiple values. LDAP attributes that are defined as multi-valued in the directory schema may be marked as single-valued in the GAL if RapidIdentity should treat them as single-valued.

    Type
      Format of the attribute (e.g. email, dn, string, etc.).
      Note: This is disabled until an LDAP Attribute Name is chosen during Attribute Creation.

    Details
      Hover over the last column or select an attribute, and a Details button appears. Click this button to open the Edit menu, where many of these settings can be adjusted manually as needed.

      [Figure: Edit_GAL_Cloud.jpg]

      Note: This is the same menu that is presented when you click New Attribute, except that in that case all of the fields are blank and need to be configured.



GAL Attribute Types

When setting up an Attribute in the Global Attribute List, you will need to define an Attribute Type. The type provides a level of detail that associates the attribute with a particular form of validation and display format. The Attribute Type selected needs to align with the value of the associated directory attribute.

Note

If a directory attribute is expecting a DN type, make sure you select the DN type for that attribute in the GAL to avoid problems later on. The GAL does not validate the selected type against the directory schema, so administrators must be aware of the underlying directory schema configuration.

Boolean: The attribute can be set to TRUE or FALSE. Some cases allow NULL, which is equivalent to FALSE.

Date: Stores a Date value as a timestamp in ISO-8601 date string format (Example: 2020-10-31).

Date (Legacy): Stores a DateTime value as a timestamp in milliseconds, as recognized by various programming languages (Example: 1604352328032). (Not recommended - use DateTime or Date instead.)

Date Time: Stores a DateTime value as a timestamp in ISO-8601 date string format. This adds a Time component to the Date component (Example: 20201031152521Z).

DN: The full Distinguished Name. This aligns with directory attributes that expect to have a DN value stored. If you create a GAL item with this type and try to store a string instead of the DN for a user, you will get an LDAP error.

Note

This attribute has an additional, optional configuration: When you select a DN type, a new field appears in the configuration called Display Template. This allows administrators to formally define how this value is presented in the UI. These allow a DN (e.g., cn=4ed4f8cd-7dd6-4ae3-bde6-0c64a60a6a50,ou=Employees,ou=Workforce,ou=Internal,ou=Accounts,dc=meta) to be replaced with one or more values like first and last name (e.g., Display Template =%givenName% %sn% and transformed value John Smith). Display Template syntax will vary by directory type.

Email Address: An email address.

Note

Selecting this attribute type makes that attribute value clickable in the UI and enables the sendto: capability for launching an email client.

Image - Binary: Stores the actual image in the directory attribute in a binary format.

Image - URL: Stores the URL provided for the image in the attribute value.

Dynamic List: List populated via a Connect Action Set that allows for dynamic data. See Configuring a Dynamic List Attribute for more details.

List: Static list of key-value pairs that are defined when the GAL item is created.

String: Any characters needed to satisfy the requirement.

Note

This attribute type uses a text field and may constrain the displayed value based on the LDAP directory's configuration of the specific associated LDAP attribute. It is not recommended for attributes with long descriptions.

Multi-Line String: Multiple lines of string types are allowed in this attribute.

Note

This attribute type provides better display handling for attributes with a lot of text, as it does not constrain displayed values the way the String type does. It also enables word wrap in a text area when editing.

Password: This value is stored encrypted in the directory.

Phone Number: This value represents a phone number and formats accordingly, i.e., (XXX) YYY-ZZZZ.

Null: Represents a null value.

Note

This attribute type is used in areas where a GAL item must be selected but has no value.

Configuring a Dynamic List Attribute

A dynamic list attribute allows an administrator to pass a RapidIdentity Connect Action Set result into an attribute. The result of this Action Set populates a drop-down list to enable a delegate to select from a list of attribute values.

To pass the Action Set result into a defined attribute, the Action Set must act as a programming function.

The RapidIdentity Connect Action Set result must produce a JSON string containing two fields:

  1. success (boolean)

  2. listItems (array)

First, create and save the Action Set in the RapidIdentity Connect instance listed in the RapidIdentity Appliance Core Configuration Integration tab.

    response = createRecord(false)
    addRecordFieldValue(response, "success", true, false)
    listItems = createArray()
    listItem = createRecord(false)
    addRecordFieldValue(listItem, "displayName", "Item 1", false)
    addRecordFieldValue(listItem, "value", "1", false)
    appendArrayItem(listItems, listItem)
    listItem = createRecord(false)
    addRecordFieldValue(listItem, "displayName", "Item 2", false)
    addRecordFieldValue(listItem, "value", "2", false)
    appendArrayItem(listItems, listItem)
    addRecordFieldValue(response, "listItems", listItems, false)
    return JSON.stringify(response)

If this Action Set enables the log action and is subsequently run, the JSON response appears as follows.

[Figure: Returning_Dynamic_List_Attribute.png]

Next, navigate to the RapidIdentity Configuration > LDAP > Global Attributes List module and click the plus icon to configure a new attribute in the Global Attribute List.

Select Dynamic List as the attribute Type.

[Figure: New_Dynamic_List_Attribute_Type.png]

The RapidIdentity Connect Action is required and is the Action Set described above, which in this case would be Dynamic List Attribute.

Action Set parameters (RapidIdentity Connect Action Set Input Properties) are not required to configure a Dynamic List attribute.

One use case in which parameters can be used in a dynamic list attribute is to allow users to select their primary Email address from all possible Email addresses associated with their user account in the user's RapidIdentity Portal My Profile delegation. This Action Set would need to connect to the system(s) associating the user with their possible Email addresses, which is likely to be a directory service or database. Subsequently, the Action Set would need to compile the Email addresses as listItems and return the JSON value.

The only two parameters that will work for this particular use case are shown below.

Table 47. Action Set Parameters (parameter, followed by its description)

target_id
  The idautoID of the target of the operation.

perp_id
  The idautoID of the perpetrator of the operation (who is performing the operation).
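As an added illustration of the response contract and the primary Email use case above (plain Node.js, not RapidIdentity Connect's own action language or any Identity Automation code), the block below builds the success/listItems document for a target user from a constructed in-memory directory, keyed by a hypothetical target_id value, and validates a returned JSON string against the contract before it is trusted to populate a drop-down.

```javascript
// Constructed sample data standing in for the directory that maps a user's
// idautoID (the target_id parameter) to the addresses associated with the account.
const SAMPLE_DIRECTORY = {
  "idauto-0001": ["jsmith@example.com", "john.smith@example.com",
                  "not-an-address", "jsmith@old.example.net"],
};

// Produces the same shape the page's Action Set returns:
// { success: boolean, listItems: [{ displayName, value }, ...] }.
function buildEmailList(targetId, directory = SAMPLE_DIRECTORY) {
  const addresses = directory[targetId];
  if (!addresses) {
    // Unknown target: report failure rather than an empty success, so the
    // caller can tell "no such user" apart from "user has no addresses".
    return { success: false, listItems: [] };
  }
  // Only well-formed addresses (one '@', non-empty sides, no whitespace) are offered.
  const listItems = addresses
    .filter((a) => /^[^@\s]+@[^@\s]+$/.test(a))
    .map((a) => ({ displayName: a, value: a }));
  return { success: true, listItems };
}

// Checks a JSON string against the two-field contract: success must be a
// boolean and listItems an array of objects with string displayName and value.
function validateDynamicListResponse(json) {
  let doc;
  try { doc = JSON.parse(json); } catch { return { ok: false, reason: "not JSON" }; }
  if (typeof doc !== "object" || doc === null) return { ok: false, reason: "not an object" };
  if (typeof doc.success !== "boolean") return { ok: false, reason: "success must be boolean" };
  if (!Array.isArray(doc.listItems)) return { ok: false, reason: "listItems must be an array" };
  for (const [i, item] of doc.listItems.entries()) {
    if (typeof item !== "object" || item === null ||
        typeof item.displayName !== "string" || typeof item.value !== "string") {
      return { ok: false, reason: `listItems[${i}] needs string displayName and value` };
    }
  }
  return { ok: true, reason: "" };
}

// Stand-alone run: build the list for the sample user and validate the serialized result.
const serialized = JSON.stringify(buildEmailList("idauto-0001"));
console.log(serialized, validateDynamicListResponse(serialized));
```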