IBM Security Verify attribute transformation capabilities in provisioning.

By ABHIJIT DUSANE posted Wed December 20, 2023 11:54 AM


IBM Security™ Verify (ISV) is a single identity-as-a-service (IDaaS) solution that delivers both workforce modernization and consumer digital transformation. With the ability to connect to various SaaS applications, ISV can manage the provisioning or deprovisioning of user accounts at multiple target SaaS applications.
This article showcases the attribute transformation capabilities available in IBM Security™ Verify (ISV) and how they can be used during provisioning operations, including user creation and modification. It assumes that you are familiar with the application configuration settings and have already established a successful test connection with the target application.

Provisioning in IBM Security™ Verify (ISV)

Provisioning allows you to create and modify users from ISV to the configured targets. Account provisioning is typically done in cases where a new employee is hired in the organization or the employee changed job title, department, or contact information. A user must have an account in the target application to access its resources.

Provisioning entails the following.

  • User accounts can be created in the target application based on information derived from the Verify user profile and group assignment.
  • The user account attributes are updated when the Verify user profile is updated. For example, the mobile number attribute is not mandatory when you create a user in Verify. If you later add a mobile number to the user profile, the information can be passed to the target application when needed.
  • The user can map existing ISV attributes to the target attributes and add new attribute mappings. With scripting support, an administrator can choose to transform the cloud directory's attribute value and set it to a target attribute, as intended for the target application.
  • Certain attributes can be derived by combining existing attributes, and the derived value can be propagated to the target. For example, a user's display name can be derived from the first name and family name attributes.
  • Sometimes during provisioning, certain modifications may be carried out on the Verify user attributes before they are seeded in the target.

Attribute Mapping

Attribute Mapping maps each IBM Security Verify attribute to the corresponding target attribute. The Attribute Mapping section is available in the Account lifecycle tab of the application configuration. Consider the following snapshot of a typical Attribute Mapping section.

Typical Attribute Mapping section seen in the Account Lifecycle tab.

Each Verify attribute must be assigned a target attribute. The mapping can be changed by selecting an appropriate value from the drop-down list. IBM Security™ Verify (ISV) also lets you create custom attributes. Read further to understand the details of the following elements in the Attribute Mapping section.

  • Verify Attribute
  • Transformation
  • Target Attribute

Verify Attribute

Verify attributes are the attributes associated with a user's profile in Verify. The values for an existing user can be viewed from Directory --> Users and groups. Select or search for the user and click View full profile in the slide-out panel. The following image shows various user attribute values.

The image shows various user attribute values.

Built in Rules and Transformation

A transformation modifies the attribute value before it is passed on to the target account. For example, applying the 'Uppercase' transformation ensures that the attribute value is in uppercase on the target account. The following built-in transformations are available in IBM Security™ Verify.

  • Uppercase
  • Lowercase
  • Base64 Encode
  • Base64 Decode
  • Encode URI
  • Encode URI Component
  • Decode URI
  • Decode URI Component
  • Generate a UUID if no value is evaluated
  • Current Time (seconds)
  • Current Time (milliseconds)
  • SHA 256 Hash
  • SHA 512 Hash

Target Attribute

Target attributes are the attributes of the target account that is created in the target application when the user is provisioned.

The following sections show how the built-in Uppercase and Lowercase transformations can be used.

Uppercase

For a Salesforce target, the following image shows the Uppercase built-in rule in use: in the attribute mapping, the Uppercase transformation is applied to the 'Department' attribute.

Uppercase is applied for the ‘Department’ attribute.

The following image shows that after a user is provisioned or modified, the Department value in the Salesforce target is updated in uppercase.

The image shows the Uppercase built-in rule applied to a user on the Salesforce target.

Lowercase

Similarly, the Lowercase built-in transformation provisions the selected attribute's value in lowercase.

The Lowercase built-in transformation.

The following image shows that after a user is provisioned or modified, the Department value in the Salesforce target is updated in lowercase.

The image shows the attribute on the Salesforce target updated in lowercase.

Transformation using Custom Attributes and Custom Rules

IBM Security™ Verify lets you create custom attributes and use custom rules. This section shows how to define custom attributes and add custom rules for them. A rule can be created in two ways:

  • Attribute that has a rule. (Custom Attributes)
  • Direct Custom rule

Attribute that has a rule. (Custom Attributes)

Custom attributes can be created and used in the Attribute Mapping section. A custom rule can be associated with a custom attribute, and the rule holds the custom script that transforms the attribute value.

Rules let you use functions to reference, transform, and combine attribute values before they are passed on for account provisioning. Functions can access the user object (in SCIM form) that is stored in the Cloud Directory, and can call external API endpoints. For example, a formalDisplayName attribute can be created as a fixed value attribute with a function that concatenates user.name.givenName and user.name.familyName in a specified manner.

Note: The function syntax is C- and JavaScript-like. However, it is based on the Google Common Expression Language (CEL), a single-line expression language.
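To make the behaviour of the built-in transformations listed above and of a combining custom rule concrete, here is an added Python model of the mapping step; it is not ISV code and not the page's own. It takes a constructed SCIM user, applies a mapping of (Verify attribute, transformation, target attribute) triples, and returns the attribute set that would be sent to the target. Assumptions: the URI transformations follow the JavaScript encodeURI/encodeURIComponent semantics, the hash transformations emit lowercase hex, the SCIM paths and target attribute names are illustrative, and the `formal_display_name` function stands in for the single-line CEL rule the editor would hold (something like `user.name.familyName + ", " + user.name.givenName`, assumed syntax), with a fallback for users whose family name is absent.

```python
import base64
import hashlib
import time
import uuid
from urllib.parse import quote, unquote

# Constructed sample: a Cloud Directory user in SCIM form (not real data).
SAMPLE_USER = {
    "userName": "JDoe@Example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "department": "Sales & Marketing",
    "mobile": "",  # optional attribute left empty, as the article describes
}

# Assumption: the URI transformations behave like the JavaScript functions of
# the same name. encodeURI keeps reserved characters such as / ? & = intact;
# encodeURIComponent escapes everything outside the unreserved set.
_URI_SAFE = ";,/?:@&=+$-_.!~*'()#"
_URI_COMPONENT_SAFE = "-_.!~*'()"

# Model of the built-in transformations listed in the article. Lowercase hex
# output for the hashes is an assumption about ISV's behaviour.
BUILTIN_TRANSFORMS = {
    "Uppercase": lambda v: v.upper(),
    "Lowercase": lambda v: v.lower(),
    "Base64 Encode": lambda v: base64.b64encode(v.encode("utf-8")).decode("ascii"),
    "Base64 Decode": lambda v: base64.b64decode(v).decode("utf-8"),
    "Encode URI": lambda v: quote(v, safe=_URI_SAFE),
    "Encode URI Component": lambda v: quote(v, safe=_URI_COMPONENT_SAFE),
    "Decode URI Component": lambda v: unquote(v),
    # The fallback keeps an existing value and only mints a UUID for an empty one.
    "Generate a UUID if no value is evaluated": lambda v: v if v else str(uuid.uuid4()),
    "Current Time (seconds)": lambda v: str(int(time.time())),
    "Current Time (milliseconds)": lambda v: str(int(time.time() * 1000)),
    "SHA 256 Hash": lambda v: hashlib.sha256(v.encode("utf-8")).hexdigest(),
    "SHA 512 Hash": lambda v: hashlib.sha512(v.encode("utf-8")).hexdigest(),
}


def _lookup(user, path):
    """Resolve a dotted SCIM path such as 'name.givenName'; missing -> ''."""
    value = user
    for part in path.split("."):
        if not isinstance(value, dict):
            return ""
        value = value.get(part, "")
    return value if isinstance(value, str) else ""


def formal_display_name(user):
    """Stand-in (hypothetical) for the formalDisplayName custom rule: 'Doe, Jane'.
    Degrades to whichever name part exists, then to userName, so the target
    never receives a bare comma when familyName is absent."""
    given = _lookup(user, "name.givenName")
    family = _lookup(user, "name.familyName")
    if given and family:
        return f"{family}, {given}"
    return family or given or _lookup(user, "userName")


def provision_payload(user, mapping):
    """Apply an attribute mapping to a SCIM user and return the target
    attributes. Each entry is (verify attribute, transformation, target
    attribute); the verify attribute is a SCIM path or, for a direct custom
    rule, a callable that receives the whole user object."""
    payload = {}
    for source, transform, target in mapping:
        value = source(user) if callable(source) else _lookup(user, source)
        if transform is not None:
            value = BUILTIN_TRANSFORMS[transform](value)
        payload[target] = value
    return payload


def looks_like_uuid(value):
    """True when value parses as a version 4 UUID (checks the UUID fallback)."""
    try:
        return uuid.UUID(value).version == 4
    except (ValueError, AttributeError, TypeError):
        return False


# Constructed mapping mirroring the article's Salesforce examples plus the
# custom-rule case; the target attribute names are assumptions.
SAMPLE_MAPPING = [
    ("userName", "Lowercase", "Username"),
    ("department", "Uppercase", "Department"),
    ("department", "Encode URI Component", "DepartmentUrlSafe"),
    ("name.givenName", "Base64 Encode", "EncodedGivenName"),
    ("mobile", "Generate a UUID if no value is evaluated", "ExternalId"),
    (formal_display_name, None, "name"),
]

if __name__ == "__main__":
    for target, value in provision_payload(SAMPLE_USER, SAMPLE_MAPPING).items():
        print(f"{target}: {value}")
```

Two points worth noticing when choosing a built-in transformation: Encode URI leaves `&` in "Sales & Marketing" untouched while Encode URI Component escapes it to `%26`, so the component variant is the one to use for a value that will be embedded in a single URL parameter; and the SHA transformations are one-way, so they suit deriving an opaque, stable identifier from a profile attribute but not any value the target must read back.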

To configure advanced rule attributes, in the Admin console go to Directory --> Attributes. Then map these attributes in the application configuration in the same way as any other attribute type.

Attribute Definition type and availability

You can specify the name of the attribute as follows:

Attribute Definition Name and availability

You can specify the rules as follows:

Attribute definition source and rule.

After you specify the rule in the Rule section, you can test it against a Cloud Directory user on the same page by searching for and selecting the user in the Find User search box. The selected user object is shown in the section below the search box. Click the ‘Run Test’ button to execute the rule and view the output in the Result section.

Run test

The following image shows the listing of the custom attribute that was created in the earlier step.

Custom Attribute

This new custom attribute can now be used in the Attribute Mapping section of the Account Lifecycle panel. See the following image.

Custom Attribute usage in Account lifecycle panel

The next section shows how to create a Direct Custom Rule and use it in the attribute mapping section.

Direct Custom Rule

The Direct Custom Rule approach lets you configure a rule and its script directly in the Account Lifecycle panel, without creating a new custom attribute. This approach is useful when a transformation or rule does not need to be shared across multiple applications.

  • In the Account lifecycle tab, scroll to the Attribute mapping section.
  • Expand the Add attribute menu and select Add custom rule.
  • Select Add attribute and then select Custom rule from the Verify attribute menu.
  • The code editor opens. (See the following image.)
  • Make sure that the rule works by clicking Show and then clicking the Run test button. Verify that the correct value is returned in the Results section.

Create target attribute transformation

  • From the Target attribute menu, select the attribute.
  • The following image shows a Direct Custom Rule being used in the Attribute Mapping.

Custom Rule

In the above configuration, the custom rule is mapped to the ‘name’ attribute on the target. Each time the user is created or modified, the custom rule is applied and the value on the target is updated with its result.

Authors

Pratiksha Sonawadekar, IBM Security Verify team.
Abhijit Dusane, IBM Security Verify team.