Defining profile and request attributes
Parameters for profile and request attributes vary depending on the attribute’s type, as listed in the table below:
Setting | Type | Description |
---|---|---|
Display type | Boolean, Date/time, String | Determines how users select or enter values. For boolean attributes, the options are "Drop-down", "Checkbox", or "Radio buttons". For date/time attributes, the options are "Date/time" or "Date only (calendar)" where the date is selected with a popup calendar, or "Date only (YYYY-MM-DD)" where the date is selected with a drop-down menu. For string attributes with restricted values, this setting is available only if the attribute allows multiple values; the options are "Drop-down" or "Drop-down with two-columns", which let users select values from either a drop-down list or a two-column window. |
Validate user | User | Determines whether the profile ID entered for a user-type attribute is a valid or invalid user. |
Display as an image | Link, File | Displays the link or file as an image with a size of 100 x 100 pixels. |
Validate attribute value | Link | Checks whether the specified link is valid before accepting the value. |
Minimum required number of values | All | A number greater than 0 means the attribute is required. |
Maximum allowed number of values | All except Boolean, Memo, Password, and Date/time | A number greater than 1 means that multiple values are allowed. |
Maximum field length | String, Integer, Password | Maximum length allowed for each value. |
Allow duplicate values | String, Integer, User | Determine whether the values for a multi-valued attribute must be unique. This does not apply to single-valued attributes. |
Sent in emails | All except Password and File | Profile and request attributes can be included or excluded from the information sent in email notifications. |
Allow for profile comparison | All except Password and File | Profile and request attributes can be included or excluded from the Profile comparison page. These attributes cannot be encrypted in the database. |
Allow for authentication chains | String, Integer, Password, Date/time | Profile and request attributes can be used in authentication chain configuration. This is enabled for the EMAIL attribute by default. It is currently used only for the Email/SMS PIN authentication module. |
Only use for requests (do not apply to a user profile) | All | Determine whether the attribute’s values are only used in the context of a request, and are not saved with the user’s profile. For example, the built-in VIEWABLE BY RECIPIENT is used to determine whether a request is hidden from the recipient. |
Editable only on request creation | All | Allow or disallow changes to the attribute value after request creation. |
Track changes | All except File | Changes to profile and request attribute values can be tracked. The tracked changes are viewable as part of each user’s profile history. You can also configure the |
Users must verify and confirm the value | String, Integer, Password (recommended) | Require users to re-type the value in a second text box. For example, you might want to set this option for password-type attributes, where users can’t see what they are typing. |
Changes made will invalidate authorizations | All | If an authorizer changes an attribute value, any previous authorizations of a request are invalidated. Other authorizers are notified and need to re-authorize the request. This is useful where an attribute change can be a security issue; for example, if a security level attribute is set to a value of 2, and an authorizer changes the value to 1, the original request should be invalidated. |
Allow in advanced search criteria | All | Profile and request attributes can be included or excluded from the Advanced search. This does not affect the advanced search page for the main Profile and request attributes menu. |
Display in reports | All | Allow or disallow the attribute values to be displayed in reports. This is enabled by default. |
Map to vCard property | All | Map profile and request attributes to commonly used vCard properties |
Notes | All | Help information for the attribute. Once set, it will be available in wizards by hovering over the question mark icon. |
Description of input values | String, Memo, Integer, Password, File | This is displayed to users to show them how to enter values for the attribute. For example, type YYYY-MM-DD for a Date of birth field. |
Format requirement of input values | String, Password, File | For example, type NNNN-NN-NN to indicate a series of numbers. |
Regular expression used for validation of input values | String, Memo, Integer, Password | If you use a regular expression for validation the Description of input values is required. |
Restricted values are case-sensitive | String, Integer | The restricted values entered will maintain their case. Default behavior is to uppercase all Actual values entered. When configuring date/time attributes (PREFERRED_DATEFORMAT and PREFERRED_TIMEFORMAT), ensure that they are case-sensitive. |
Plugin used to generate a list of restricted values | String, Integer | You can use a plugin to supply one or more restricted values for an attribute. Leave this field blank to define restricted values manually. |
Parent attribute | String, Integer | You can use a plugin to supply one or more restricted values for an attribute. Leave this field blank to define restricted values manually. |
Display text for positive value | Boolean | The default is True. |
Display text for negative value | Boolean | The default is False. |
Display text for no value | Boolean | The default is (None). |
Default values | String, Integer, Boolean | Attributes can be set up with default values, so that unless a user intervenes and changes them, the default values are entered with a request then copied to the newly created account. If you define restricted values for the attribute, you can select them from a drop-down list for this option. |
Inherit validation enforcement from attribute group | All | Leave this enabled if you want the attribute to inherit validation enforcement rules from the attribute group to which it belongs. |
Encrypt this attribute in the database | All except User, Managed system, Discovered system, Manageable account | Enable this to encrypt attribute values in the database. If encrypted, the attribute cannot be used in advanced search criteria, mapped to an account attribute, or used in profile comparisons. Encrypted attribute values are masked in reports. Certification reviewers must have appropriate permission to view encrypted attribute values; otherwise they are masked. |
The Description, Description of input values, Format requirement of input values, and Regular expression used to validate input values fields can accept custom text macros. If a custom macro has been configured for the Description, Description of input values and/or Format requirement of input values fields, a second text field will appear on this page detailing the value that will be displayed to the user.
Boolean values
Boolean attributes require users to select a true or false value. The default choices displayed to end users are True or False, or (None) if the attribute is optional.
To specify other values:
On the Profile and request attribute information page, type a text string for:
Display text for positive value
Display text for negative value
Display text for no value
Set the Default values.
Click Update.
When you click Update, the default values text will change to reflect the values you specified.
See also
See Entering multi-language descriptions for information about using multi-language display text.
Number of values required or allowed
The number of values required or allowed is set by the Minimum required number of values and Maximum allowed number of values on the page.
If the attribute is required for a request to be complete, type a number greater than 0 in the Minimum required number of values field.
If more than one value can be entered, type a number greater than 1 to set a Maximum allowed number of values, or type -1 to allow an infinite number of values.
This number can only be set to a positive number or -1. A value of 0 is invalid.
This means that when users update attributes, they will be presented with a More button that displays additional fields for this attribute.
Only string and integer attribute types can have more than 1 value. The boolean, date/time, memo, and password attribute types can only have one value.
A value for a required attribute can be provided at any stage of the request process. That is, an authorizer with assigned rights can enter information, such as salary or Social Security Number, to which the requester does not have access. Configure access controls to determine which users can view or edit certain attributes.
If requesters do not have write permissions to a required attribute, then authorizers must enter a value for the attribute. If not, the request will be automatically denied.
If an attribute not enabled for comparison requires a value, then the requester is brought to the recipient’s Profile information page. There, the requester can enter the required value.
Maximum length
You can restrict the maximum length of a profile and request attribute value by using the Maximum field length setting on the page.
For multiple … | Maximum length refers to … |
---|---|
Restricted values | Maximum length allowed for each value |
Unrestricted values | Total number of characters allowed in the text field for the attribute |
vCard properties
When at least one profile and request attribute is mapped to a vCard property, users can view profile information as a vCard contact record.
Bravura Security Fabric includes links on profile information pages to Download profile as vCard, and Scan profile as QR Code.

Below is an example of a vCard contact record, saved as a .vcf file:
```
BEGIN:VCARD
VERSION:3.0
FN:John Doe
EMAIL:doejo@example.net
ADR:;;1401 1st Street SE;Calgary;AB;T2G 2J3;Canada
BDAY:1987-07-23 06:00:00
TEL;TYPE=CELL:403-555-4535
ORG:Bravura Security
TEL;TYPE=FAX:403-555-2545
FN:John Doe
N:Doe;John
NICKNAME:Johnny
NOTE:Contractor until 2015-12-31
TEL;TYPE=HOME:403-555-6543
TITLE:Developer
URL:http://www.bravurasecurity.com
TEL;TYPE=WORK:403-555-6541
END:VCARD
```
Below is an example of profile as QR Code:

Users can also add contact records directly into the native contacts lists for both Android and iOS mobile devices from the Download profile as vCard link when accessed from the Bravura One app.
From the Bravura One app, navigate to the Profile information and entitlements page for a user and then click Download profile as vCard. The contact record will be added to the native contacts lists for the Android or iOS mobile device.
See also
See Mobile Access for more information about Bravura One and the Bravura One app.
Restricted values
You can supply one or more restricted values for an integer or string type attribute.
When multiple restricted values are supplied for an attribute, users select one or more of the values from a list when they make a request.
You can configure the values:
Defining restricted values manually
To manually define restricted values:
Add the attribute using the page. It is not necessary to give a value for Plugin used to generate a list of restricted values.
The Restricted values tab appears once the attribute has been created.
In the Restricted values tab, type the Actual value, to be recorded in the database and potentially be written out to target systems, and Displayed value, to be shown to users. The actual value will be stored uppercase unless the Restricted values are case-sensitive option is selected.
To add additional values, click More or Update to add rows.
Click Update when you have added all values.
To delete a restricted value, select the check box next to the value then click Update.
You can sort values alphabetically according to actual value or displayed value.
Caution
If actual values contain the sequence !!!, Bravura Security Fabric will treat them as macros and expand them according to the skin being used. The actual values applied in this case will be different from what is defined in the attribute configuration. This will lead to the values being rejected, due to restricted list mismatch. The !!! sequence must therefore be avoided in actual values. If localization is required, specify the macro tag in the displayed value instead.
Loading restricted values from an external source
Values can be extracted from an external source and loaded into Bravura Security Fabric. The attrfixedval program is used to load or update values that are static; that is, do not change during the course of a request. attrfixedval also allows you to manipulate the display values which correspond to the static restricted values.
Updating the list of restricted values for an attribute using batch loading can be useful where the values can vary over time; for example, seasonal employment, or academic schedules.
See attrfixedval usage.
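A pre-load check for a restricted value list, applying the uppercase storage rule, the !!! caution and the per-value Maximum field length described above. This is an added example, not part of the product or of attrfixedval; the function name, row layout and macro tag names are constructed, and treating two rows that store to the same actual value as a conflict is this example's assumption.

```python
def lint_restricted_values(rows, case_sensitive=False, max_field_length=None):
    """Check (actual, displayed) pairs before they are entered or batch-loaded.

    Returns a list of (row_number, code, detail) findings; an empty list means
    none of the checks below fired.
    """
    findings = []
    first_seen = {}  # stored form of the actual value -> first row that used it
    for row_number, (actual, displayed) in enumerate(rows, start=1):
        # Actual values are stored uppercase unless the attribute's
        # "Restricted values are case-sensitive" option is selected.
        stored = actual if case_sensitive else actual.upper()

        # "!!!" in an actual value is expanded as a macro, so the applied value
        # no longer matches the restricted list and is rejected. A macro tag in
        # the displayed value is the supported place for localization.
        if "!!!" in actual:
            findings.append((row_number, "macro",
                             f"actual value {actual!r} contains '!!!'"))

        # For restricted values, Maximum field length applies to each value.
        if max_field_length is not None and len(actual) > max_field_length:
            findings.append((row_number, "length",
                             f"{len(actual)} characters exceeds {max_field_length}"))

        # Assumption of this example: rows that end up with the same stored
        # actual value are reported, because only one of them can be meant.
        if stored in first_seen:
            findings.append((row_number, "collision",
                             f"stored as {stored!r}, same as row {first_seen[stored]}"))
        else:
            first_seen[stored] = row_number
    return findings


# Constructed sample rows for an EMPLOYEE-TYPE style attribute.
SAMPLE_ROWS = [
    ("Employee", "Employee"),
    ("employee", "Staff"),                   # collides once uppercased
    ("!!!TYPE_CONTRACTOR", "Contractor"),    # macro sequence in the actual value
    ("STUDENT", "!!!TYPE_STUDENT"),          # macro tag in the displayed value: fine
]

if __name__ == "__main__":
    for finding in lint_restricted_values(SAMPLE_ROWS, max_field_length=16):
        print(finding)
```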
Defining dynamic restricted values using a plugin
Where attribute values are dynamic - they can vary as a user proceeds through the request workflow - you can use a plugin to supply the values. Values may depend on the user or other attributes, and can be extracted from an external database. The plugin runs on each page as a user proceeds through a request.
The configured plugin must return the list of actual values. If the display value is set for an actual value, then the Requests app uses the display value rather than the actual value. The display value used must be set statically; it cannot be returned from the plugin. Display values are set using the procedure for manually or automatically defining restricted values.
If a plugin is used to supply restricted values, those values which are statically defined (in the Manage the system (PSA) module or by using attrfixedval) are only displayed if their actual value is returned by the plugin.
To enable this feature, type the name of the plugin in the Plugin used to generate a list of restricted values field on the Profile and request information page.
There are no shipped plugins in use with this plugin point. Sample plugin scripts are located in the samples\ directory:
restricted-value-plugin.psl for attributes with no parent
restricted-value-hierattrs-plugin.psl for attributes with a parent attribute
Requirements
The plugin only sets actual values. If a display value has been set for any of the restricted values, then that value is displayed in place of the actual value. Display values must be set via the Manage the system (PSA) module prior to the execution of the plugin. See Writing plugins for general requirements.
Execution points
The plugin is run by the View and update profile (IDR) module and Requests app whenever attributes are edited.
The plugin runs when a user:
Clicks a menu option to create a new user profile or access an existing user profile.
Accesses an attribute group on a subsidiary page
Clicks Update after editing attributes on a subsidiary page
Clicks Continue on a profile information page.
When requesters define or update a value for another attribute, the plugin runs again. This means that if an attribute with dynamic restricted values depends on the value of another attribute, all values remain valid.
The plugin also runs when a request is submitted to Workflow Manager Service. If the attribute value does not match one of the values returned by the plugin, then the request will be denied.
Input
Input passed to the plugin is as follows:
```
"" "" = {
  "attribute" = "<attribute id>"   # The ID of the attribute for which the plugin is being run.
  "module" = "<idp|ids|idr|idwfm>" # Where the plugin is being run from.
  "userid" = "<profile ID>"        # The profile ID (if known) of the recipient.
                                   # This is empty if a profile ID generator is used.
  "requestID" = "<request ID>"     # The request ID for the associated request.
  "sessionid" = "<session ID>"     # Session ID for the viewer.
  "operation" = "<operation type>" # The possible operation that can be requested; 0 or more.
                                   # See Operation codes for a list of codes.
  "parent" = "<parent attribute>"  # ID of the parent attribute, if set.
  "username" = "<full name>"       # The full name (if known) of the user for whom the plugin
                                   # is being run. Omitted if the userid is empty.
  "recipient" "<user>" = { ... }   # Recipient of the request. The KVGroup name is not present
                                   # if the request is for a new user.
  "request" "" = { ... }           # Request details.
  "requester" "user" = { ... }     # Requester's data.
  "viewer" "user" = { ... }        # The viewer's data.
  "model" "user" = { ... }         # Data of the model user used in profile comparison.
}
```
For example:
```
"" "" = {
  "attribute" = "STATE"
  "module" = "idr"
  "operation" = "GRUA"
  "parent" = "COUNTY"
  "requestID" = "536C788C1D12B58CADCDCCE4FD0E3D62"
  "sessionid" = "Scced6c11-2387-4e0d-a09a-d42ed23360cc"
  "viewer" "user" = {
    "id" = "crysta.soria"
    "name" = "Crysta Soria"
  }
}
```
Output
Output passed from the plugin is as follows:
```
"" "" = {
  "errmsg" = "<return message>"  # Error message returned by the plugin
  "retval" = "0"                 # Mandatory; zero is success and non-zero is failure
  "restrictedvalue" = "<value>"  # 1 or more; each value represents a
                                 # selection for the user.
}
```
If the attribute has a parent attribute, then additional KVGroups can be returned in the format:
```
"parent" "<parent value>" = {
  "restrictedvalue" = "<value>"  # 1 or more
}
```
The following is an example of output that should be returned, where there is no parent attribute:
```
"" "" = {
  "errmsg" = "success"
  "restrictedvalue" = "Alberta"
  "restrictedvalue" = "Quebec"
  "restrictedvalue" = "New York"
  "restrictedvalue" = "California"
  "retval" = "0"
}
```
The following is an example of output that should be returned, where a parent attribute has been set:
```
"" "" = {
  "restrictedvalue" = "Other"
  "parent" "US" = {
    "restrictedvalue" = "NY"
    "restrictedvalue" = "WA"
    "restrictedvalue" = "TX"
    "restrictedvalue" = "CA"
  }
  "parent" "CA" = {
    "restrictedvalue" = "AB"
    "restrictedvalue" = "QC"
  }
  "errmsg" = "success"
  "retval" = "0"
}
```
If the parent’s value is empty, then any "restrictedvalue" KVPairs not inside a "parent" KVGroup ("Other" in the above example) would fall under the empty parent value. The plugin can also specify an explicit "parent" "" KVGroup for this case. If the parent value is not optional, then any dangling "restrictedvalue" KVPairs are ignored.
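The parent-value rules above, worked through in code: a small parser for plugin output written in the `"name" "id" = { ... }` KVGroup syntax shown for the input, and a resolver that returns the values allowed for a given parent value. This is an added example for checking plugin output offline, not the product's parser; the function names are constructed and the sample is a shortened form of the example above.

```python
import re

# Quoted string | structural symbol | '#' comment (matched, then skipped).
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([={}])|#[^\n]*')

def tokenize(text):
    tokens, pos = [], 0
    for m in TOKEN.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unexpected text at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        elif m.group(2):
            tokens.append(("sym", m.group(2)))
    if text[pos:].strip():
        raise ValueError(f"unexpected text at offset {pos}")
    return tokens

def parse_group(tokens, i):
    """Parse '"name" "id" = { ... }' at tokens[i]; return (group, next index)."""
    head = tokens[i:i + 4]
    kinds = [kind for kind, _ in head]
    if kinds != ["str", "str", "sym", "sym"] or (head[2][1], head[3][1]) != ("=", "{"):
        raise ValueError("malformed KVGroup header")
    group = {"name": head[0][1], "id": head[1][1], "pairs": [], "groups": []}
    i += 4
    while tokens[i] != ("sym", "}"):
        if tokens[i + 1] == ("sym", "=") and tokens[i][0] == tokens[i + 2][0] == "str":
            group["pairs"].append((tokens[i][1], tokens[i + 2][1]))  # "key" = "value"
            i += 3
        else:
            child, i = parse_group(tokens, i)                        # nested KVGroup
            group["groups"].append(child)
    return group, i + 1

def parse_output(text):
    tokens = tokenize(text)
    try:
        root, end = parse_group(tokens, 0)
    except IndexError:
        raise ValueError("unterminated KVGroup (missing closing brace)") from None
    if end != len(tokens):
        raise ValueError("trailing data after the root KVGroup")
    return root

def allowed_values(text, parent_value=None, parent_optional=True):
    """Values a user may select. parent_value=None means no parent attribute."""
    root = parse_output(text)
    top = dict(root["pairs"])
    if top.get("retval") != "0":                 # mandatory; non-zero is failure
        raise RuntimeError(f"plugin failed: {top.get('errmsg', '')}")
    dangling = [v for k, v in root["pairs"] if k == "restrictedvalue"]
    if parent_value is None:
        return dangling
    values = [v for g in root["groups"]
              if g["name"] == "parent" and g["id"] == parent_value
              for k, v in g["pairs"] if k == "restrictedvalue"]
    if parent_value == "" and parent_optional:   # dangling values belong to ""
        values = dangling + values
    return values                                # required parent: dangling ignored

# Constructed sample, shortened from the parent example above.
SAMPLE = '''"" "" = {
  "restrictedvalue" = "Other"
  "parent" "US" = { "restrictedvalue" = "NY" "restrictedvalue" = "WA" }
  "parent" "CA" = { "restrictedvalue" = "AB" "restrictedvalue" = "QC" }
  "errmsg" = "success" "retval" = "0"
}'''
```

A submitted value that is not in the list returned for the current parent value is what leads to the request being denied at submission.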
Parent values
Attributes can be inter-related in a hierarchical relationship. Common use cases include geographical locations (for example, country > state/province > city > office location) or organizational hierarchy (for example, company > department > division).
From an end-user’s perspective, this means the value they select for a parent attribute will determine the values that are available for a child attribute.

Both parent and child attributes must have restricted values. To set up a hierarchical relationship between attributes:
Create an attribute, for example COUNTRY, that will be the parent attribute.
Define the parent attribute with restricted values.
Create an attribute, for example STATE, that will be the child attribute.
You must click Add to create the child attribute before the next step.
Enter the ID of the parent in the Parent attribute field of the child attribute.
Click Update. If the parent ID is valid, its values are added as settings for restricted and default values.
Click the Restricted values tab.
Select a Parent value, then enter Actual value and Displayed value.
The actual value will be stored uppercase unless the Restricted values are case-sensitive option is selected.
To add additional values, click More or Update to add rows.
Click Update when you have added all values.
To delete a restricted value, select the check box next to the value then click Update.
You can sort values alphabetically according to actual value or displayed value.
After you have entered restricted values for a child attribute, you can set default values.
Caution
If actual values contain the sequence !!!, Bravura Security Fabric will treat them as macros and expand them according to the skin being used. The actual values applied in this case will be different from what is defined in the attribute configuration. This will lead to the values being rejected, due to restricted list mismatch. The !!! sequence must therefore be avoided in actual values. If localization is required, specify the macro tag in the displayed value instead.
It is possible for parent and child attributes to be in separate attribute groups. For example, you could set up a pre-defined request to add a New York employee. In this case the country and state would be auto-populated and hidden from the requester, who only needs to specify a city. The city attribute would be in a different group to the country and state attributes.
Default values
Attributes can be set up with default values, so that unless a user intervenes and changes them, the default values are entered with a request. This is the case for both required and optional attributes.
Default values are always used for request-only attributes, or for profile attributes during requests for new profiles. They are not applied to profile attributes of existing users.
Caution
Default attribute values are automatically saved with a request if the attribute is not part of an editable attribute group.
On the page, define Default values by typing them in the text box (unrestricted values) or selecting from the list of values (restricted or boolean values).
If the attribute has a parent attribute, you can set default values based on each parent value. The parent’s restricted values must be defined first.

Testing the validity of attribute values
To test an attribute value’s validity, click the Test tab on the page. Enter an attribute value to validate, then click the Test button.
The value entered is validated against the Format requirement of input values setting, the Regular expression used for validation of input values setting, the Plugin used to generate a list of restricted values, and any manually entered restricted values.