Answered

Identity Broker Group membership relational transformation with multi value attribute

Shane Lim 13 years ago updated by anonymous 8 years ago 8

I would like to use the Identity Broker Group membership relational transformation to construct the group membership.
What I would like to know is whether we can use a string-based multi-value attribute (values separated by commas) for the InputKey (info) and RelationKey (groupmember) to determine the matching, such that one Group can have multiple criteria for determining which users can be its members.

Sample IdB Adapter configuration

				<!-- generating the multi-value Members attribute -->
				<adapter name="Relation.Group" 
					 InputKey="info"
					 RelationshipConnectorId="{cf81fc63-2206-413a-a102-804d399526de}"
					 RelationKey="groupmember"
					 RelationReference="employeeId"
					 GroupTarget="Members" >
					<dn>
						<dnComponent name="Field" key="employeeId" attributeType="UID" />
					</dn>
				</adapter>	

Example - The Security Group's info attribute in AD and Metaverse is a multi-value attribute. The user's groupmember attribute is a multi-value attribute (could be string-based comma-separated values).

  • A Security Group (A) info attribute has these values: "Sales" and "Marketing".
  • Another Security Group (B) info attribute has these values: "General".
  • A user's (C) groupmember attribute has these values: "General" and "Sales".
  • Another user's (D) groupmember attribute has these values: "General" and "Marketing".
  • We want users (C) and (D) to be members of Security Group (A) and Security Group (B) based on the above information.

Can this be achieved?

The information available on [IDB306:Group+membership relational transformation] does not say whether this is possible or not.

A multi-value string is not a comma-separated string. Please see [IDB306:Connector].

Have you also looked through the extended transformations? For example [IDBXT306:Membership list multi-value transformation].

Hi Adam,

Thank you for pointing me to the right source of information.

Perhaps it's just me but I seem to have difficulty digesting the information and being readily able to consume it.

I am confused between the concepts of Left Connector, Right Connector and Relationship Connector, and which one the Primary Key (RelationKey) and Foreign Key (InputKey) belong to. In addition it would be good to have a sample configuration that reflects the sample diagram provided. For example, from the diagram my understanding is the Position connector is the Left Connector, the Placement connector is the Right Connector (although it is not quite on the right side of the diagram). The InputKey is the Position# attribute of the Position connector, the RelationKey is the PositionList attribute of the Placement connector and the RelationReference is the Employee# attribute of the Placement connector.

Thus the sample adapter configuration would look like this

<!-- local="True" moved inside the opening tag so the element is well-formed -->
<adapter name="Relation.Group.Multi"
    InputKey="Positions#"
    RelationshipConnectorId="{5A8BDEFD-7348-4f05-83AC-B9EE0082B2CD}"
    RelationKey="PositionList"
    RelationReference="Employee#"
    GroupTarget="members"
    local="True" >
    <dn>
        <dnComponent name="Field" key="Employee#" attributeType="UID" />
    </dn>
</adapter>

I also believe it would help us very much to describe what we are achieving with the sample configuration.

Having said that based on this statement "The primary key exists on the left connector, the foreign key of multiple values on the right connector." in the [IDBXT306:Membership list multi-value transformation]

My understanding is that the PrimaryKey (InputKey) is a single-value attribute and the ForeignKey (RelationKey) is a multi-value attribute.

This means that to construct a Group Member, the Group's attribute is a single-value attribute and the user attribute is a multi-value attribute.

Is my understanding of the document and functionality of the Relation.Group.Multi correct?

Also my understanding is that this requires the Identity Broker Transformations v3.0.6 to be installed. Is this correct?

Thank you in advance for your help.

Please help to clarify my understanding. Thank you.

Attribute | Comment
Left Connector | This should have been removed from all transformations. Which one still has it?
Right Connector | This has been renamed to RelationshipConnectorId. This is the "other connector" that is compared to or related to.

The documentation describes the other columns as best as I could here. However, I do believe we could provide examples and a possible usage for the transformation, and this is something we will be looking at for Identity Broker v4.0.

I was merely referring you to that particular transformation because it was similar to the functionality you described, except not on a multi-value input key. Depending on what information you have available this may still be of use. I was questioning whether you had seen the extended transformations. I do not know how the solution is setup, I just want you to consider all of your options and get the best design.

Yes, the extended transformations are a separate install.

Hi Adam,

Thank you very much for your detailed response and time/help.

The words Left Connector and Right Connector are still being used in the [IDBXT306:Membership list multi-value transformation] page.

I believe I understand this much better now and I can see that this would be suitable for the RBAC group management as well, where a user may have one or more roles but the security group is specific to a role only, but not for multiple roles.
Perhaps I am doing a poor job at describing my question to start off with.

Again thank you for your patience and help.

Once you have read my response please resolve this issue and assign it back to me for closing.

Resolved and assigned to Shane.

Information to assist in answering the query is provided.
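
A model of the matching asked about in this thread, added here as an illustration and not taken from Identity Broker or its documentation: it treats comma-separated strings and true multi-value attributes alike and puts a user in a group when any group value equals any user value. The attribute names (info, groupmember, employeeId) come from the question; the function names, the extra "Empty" group and user E, and the any-overlap rule itself are assumptions.

```python
# Added illustration; not Identity Broker code. Attribute names come from the
# thread (info, groupmember, employeeId); the matching rule is an assumption.

def split_values(raw):
    """Turn a comma-separated string (or a list) into a multi-value set.

    Values are trimmed and case-folded; empty entries are dropped so that a
    blank key can never match another blank key.
    """
    if isinstance(raw, str):
        raw = raw.split(",")
    return {v.strip().casefold() for v in raw if v and v.strip()}


def build_members(groups, users, input_key="info",
                  relation_key="groupmember", relation_reference="employeeId"):
    """Return {group name: sorted list of member references}.

    A user joins a group when at least one value of the group's input_key
    equals at least one value of the user's relation_key.
    """
    members = {}
    for name, group in groups.items():
        wanted = split_values(group.get(input_key, ""))
        members[name] = sorted(
            user[relation_reference]
            for user in users
            if wanted & split_values(user.get(relation_key, ""))
        )
    return members


# Constructed sample data mirroring groups (A), (B) and users (C), (D).
GROUPS = {
    "A": {"info": ["Sales", "Marketing"]},
    "B": {"info": "General"},
    "Empty": {"info": ""},          # no criteria: must stay empty
}
USERS = [
    {"employeeId": "C", "groupmember": "General, Sales"},
    {"employeeId": "D", "groupmember": ["General", "Marketing"]},
    {"employeeId": "E", "groupmember": ""},   # no values: joins nothing
]

if __name__ == "__main__":
    for group, refs in build_members(GROUPS, USERS).items():
        print(group, refs)
```

Dropping blank values before comparing is the part worth checking in any real configuration: a group with no criteria that matched users with no values would grant membership to every unclassified account.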