9.3 Configuring target attributes

Account attributes for newly created accounts are set by target attributes in ID-Synch.

ID-Synch ships with common actions that should be performed on all target attributes. The most common action is to copy the value of the attribute from the template account to the newly created account. You can override these actions by:

• Ignoring the attribute
• Copying the attribute and replacing the user ID
• Setting the attribute to a value determined by one of the request attributes
• Setting the attribute to specific values

For example, the acct_expires attribute on Windows NT targets is set so that accounts never expire. You can override that so that accounts created on this target are set to expire in a certain number of days.

You can override target attributes by group and individually, and by level. Levels are explained in HERE.

9.3.1 About override levels

There are 3 levels at which attribute default values can be overridden. Use the following override levels to modify attribute behavior:

template

modify the action performed on the attribute for a specific template.

For example, if you want to create some accounts that are initially disabled, you can create a template with an override at this level to set the newly created account to disabled as opposed to enabled (the default).

target

modify the action performed on the attribute for a specific target system.

For example, one of your Active Directory targets might have a different schema.

target type

modify the action performed on the attribute for all target systems of a given type

For example, set an attribute value for accounts all Active Directory targets.

The override levels are listed in order of hierarchy. For example, if you change the default action for a target type, and change the same action for a specific target, the target level override determines the attribute action when accounts are created on the specified target. All other target systems of that target type will use the target type override.

9.3.2 About the target attribute configuration page

You apply target attribute overrides from the Configure target attributes page in the Central console (nph-psa.exe).

Once you select the level (template, target, target type) at which to apply an override, ID-Synch displays a page consisting of 3 or more tables.

The first table lists attribute groups for which you can override common configured actions, as shown [below]Target attribute group configuration table:

Screen Sample 9.3- 1   : Target attribute group configuration table

The following explains the information listed by column in this example:

Attribute group

There are two groups:

Attributes configured to use default action

are included in the table of Shipped default attributes that are not yet overridden (see Screen sample:Target attributes configured to use default action). The default action for individual attributes can be overridden.

Attributes listed by the agent, but not configured explicitly

are account attributes that have not been included in ID-Synch's shipped defaults. This usually includes only new attributes that have been added to your schema. By default, these attributes will be copied as well. To override the default action being performed on these attributes, click Add at the bottom of the form to add a new target attribute.

This group of attributes are relevant only to targets that have modifiable schemas that can be queried by ID-Synch agents. These include LDAP and Active Directory.

Agent operation

The agent for this target performs the displayed operation (Create) based on a template, using the configured action.

Current configured level

This indicates the level (template, target, target type) in view, and whether it is set to the default action.

Action to perform

This indicates whether the default action will be to copy attribute values from the model account to the user's account, ignore them, or copy them but replace the user ID.

Override/Delete

Click Override to change the setting in the Action to perform column. Click Delete to remove the override for the attribute group and revert to the default action.

Below the attribute group table are 2-4 tables listing target attributes for which actions can be configured individually:

Screen Sample 9.3- 2   : Target attributes configured to use default action

Target attribute overrides are listed by level. In the table of Shipped default attributes that are not yet overridden, the default configured action is the action set in the attribute group table (see Screen sample:Target attribute group configuration table).

9.3.3 Overriding target attribute group default actions

To override target type default values:

1. From the Configure target attributes page, navigate to select the target type / target / template for which you want to configure actions.

2. In the attribute group table (see Screen sample:Target attribute group configuration table), click Override in the appropriate row.

3. Select the action to perform from the drop-down list:
   • Exact copy
   • Ignore
   • Copy, replacing ID
4. Click Update

   ID-Synch displays the updated setting. To remove the override, click Delete next to the setting.

9.3.4 Overriding configured actions for individual target attributes

To override target attribute configured actions:

1. From the Configure target attributes page, navigate to select the target type / target / template for which you want to configure actions.

2. In the attribute list tables (see Screen sample:Target attributes configured to use default action), click Select in the appropriate row.

   ID-Synch displays the Target attribute configuration page for the selected attribute, as shown in Screen sample:Overriding target attributes.

3. Click Override.

4. If required, change the:
   • Attribute name
   • Supported actions

     It is not possible to add support for actions. You can only deny actions that are supported by default.

   • Action to perform

     Select:

     • Exact copy to copy attribute values from the model account to the user's account
     • Ignore to ignore the attribute when setting up a new account.
     • Copy, replacing ID to copy attribute values but replace the user ID.
     • Set if you want to set the attribute to specific values or according to request attributes.

     • Default if you want the attribute to use the default action configured in the target attribute group table (see Screen sample:Target attribute group configuration table). You will not be able to select this if the default action is not supported for this attribute.
   • Sequence number

     Type a number to represent the relative order in which the attribute should be set. The attribute with the lowest number is set first. For example, if a room number depended on a building location, then the location attribute should have a lower number.

     If more than one attribute has the same sequence number, they are set in an arbitrary order relative to each other. Type 0 if the sequence is not important for this attribute.

     Type -1 if the attribute should be set upon creation. For example, LDAP targets require that objectclass is set upon creation. If a ``creation attribute'' fails, then the creation operation will also fail.

   • Group number

     Some targets allow ID-Synch to set a group of attributes together. Attributes with the same group number will be set at the same time.

     Type 0 if the attribute should be set alone.

     Note:

     Setting attributes as a group is faster than setting them alone. However, if one of the group members fails to be set (e.g. for a schema violation), then the whole group will fail. Target attributes with the same group number (other than 0) must have the same sequence number.

     
     

   • Minimum number of values

     Type 0 if the attribute is optional.

   • Maximum number of values

     Type -1 to allow an infinite number of values.

   • Attribute type

   • Encoding used to store value

5. If required for a target level attribute, enable the This attribute represents group on the target check box.

   Enable this if the attribute holds the account's group membership. When an account's group membership is updated through a request in ID-Synch, this attribute is updated.

   Only one attribute for a target can have this enabled.

6. If the Action to perform for the attribute is Set:
   • Type the ID of the Request attribute to use as value or click Search to select the request attribute that will determine its value.

     Or

   • Specify values in the Attribute value column. Proceed to HERE.

7. Click Update.

   To remove an override, click Delete.

8. Click Back to return to the Select a target attribute: $<$level$>$ page.

   The attribute now appears in one of the level overrides tables.

9.3.5 Adding configured actions for individual target attributes

You can add target attributes for systems, such as LDAP and Active Directory, that have modifiable schemas. Adding a target attribute allows you to override the default action.

To add a target attribute:

1. On the Configure target attributes page, click Add at the bottom of the form.

   ID-Synch displays the Target attribute configuration page for the selected attribute, as shown in Screen sample:Overriding target attributes.

2. Follow steps 4-8 in HERE

See also:
Target system parameters for information about mapping a request attribute to set the container DN for a target.

Screen Sample 9.3- 3   : Overriding target attributes

9.3.6 Specifying attribute values

The steps to specify attribute values for a set action vary according to the attribute type:

• Character and number
• Boolean
• Free form text

9.3.6.1 Character and number

You can have multiple values for character and number type target attributes, as determined by the configured minimum and maximum number of values. A sequence number determines the order in which the values are set. For example, if you have an attribute that maps to your primary and secondary DNS server, the value with the lowest number is set first. To specify a character or number value for a target attribute that has been set up according to HERE:

1. On the Target attribute configuration page, type a value in the field under the Attribute Value header.

2. Click Update.

   If more than one value is allowed by the Maximum number of values, ID-Synch adds more fields below the one you just entered. ID-Synch automatically sets the sequence number of the first attribute value to 0.

3. If applicable, add more values, and click Update.

   ID-Synch sequences the values in increments of 10, starting from 0.

   

4. To change the sequence of values, type sequence numbers in ascending order as shown in the following example. Click Update.
   

   ID-Synch adjusts the sequence order and numbers accordingly.

   

5. Click Back to return to the Select a target attribute: $<$level$>$ page.

   The attribute is displayed in one of the level overrides tables.

See also: Deleting specified attribute values

9.3.6.2 Boolean values

Only one value is allowed for boolean attributes -- True, False, or Unset. Use the Unset value if you want to specify that there is no default value.

To specify a boolean value for a target attribute that has been set up according to HERE:

1. On the Target attribute configuration page, click Update.

   ID-Synch changes the Attribute value section of the form to display a drop-down list.

   

2. Select True, False, or Unset from the drop-down list.

3. Click Update.

4. Click Back to return to the Select a target attribute: $<$level$>$ page.

   The attribute is displayed in one of the level overrides tables.

9.3.6.3 Free form text

Only one value is allowed for free form text attributes. To specify a free form text value for a target attribute that has been set up according to HERE:

1. On the Target attribute configuration page, click Update.

   ID-Synch changes the Attribute value section of the form to display a multi-line text box.

   

2. Type text for the value as required.

3. Click Update.

4. Click Back to return to the Select a target attribute: $<$level$>$ page.

   The attribute is displayed in one of the level overrides tables.

9.3.7 Deleting specified attribute values

To delete an attribute value that you have specified in the Target attribute configuration screen:

1. Enable the Delete value check box next to the values you want to delete.

2. Click Update.

Caution:

Clicking the Delete button will delete the override configuration for the attribute, not just the specified value