Brief about extended identity attributes in IIQ

Hi All,

I would like to give some idea about identity extended schema attributes:

By default, when we install SailPoint, we get 6 attributes that are searchable and indexed, because those are stored in separate columns of the spt_identity table. Besides this, by default SailPoint gives us 10 extended attributes that we can map. This means we can create 10 extended searchable attributes, which will be stored in extended1, extended2, extended3, … extended10 in sequence (make sure those are searchable, so that they are stored in separate columns to index). If the attributes you create are not searchable, they will be stored in the attributes column as a CLOB (Character Large Object).

If you want to create more than 10 attributes, up to 20, we can add them by using and , etc. in the identity extended hbm file. Make sure those types are strings only.

If you want to create more than 20 attributes, we can also do that with the . But be careful while adding, because if you add these entries without completing the first 10 extended attributes (columns will be created but data won’t be added to those columns; data will be stored in the extended attributes in sequence), then it will be stored under extended1 or extended2, etc., according to whatever is available in the sequence. So it is good practice, and recommended, that ExtendedPropertyAccessor is entered only after the first 10 extended schema attributes are completed.

You can add as many attributes as you want. There is no limit. But having more searchable attributes has a negative impact on performance. So use them wisely, only for whatever is required. Don’t make everything searchable unless it is required.

Note: When you select Group Factory, IdentityIQ automatically selects Searchable in identity mapping. Multivalued attributes are automatically searchable. So, when you select both Group Factory and Multi-valued, when you save, IdentityIQ unchecks the searchable box for you.

Note: Certain fields are marked as “Searchable” and/or “Group Factory”. A field should be marked as searchable if you will need to use it for account correlation (like Employee ID) or for Analytics (Location, Region). Group Factory identifies those fields from which groups of users may be created (for example, a group of inactive users). You will use these later.

7 Likes

Hi @bhanuprakashkuruva, thank you for this topic. What would be your recommendation if the attribute is to be used in role assignment rules: should it be searchable, or is it OK to keep it as part of the CLOB attributes? (We can’t promote the attribute value to the identity cube; it’s at the authoritative source link level only, because of the large data set.)

Thanks,

Pallavi

@bhanuprakashkuruva Can you explain a little more about Group Factory with a real-life scenario example?
Thanks!

If you plan to configure role assignment rules based on application attributes, you may not need to make them searchable. The assignment rules are saved as an Identity Selector, which is a way to test an identity against a set of criteria. It’s a matching process and not a searching process.

https://community.sailpoint.com/t5/IdentityIQ-Wiki/IdentitySelectors-in-the-IdentityIQ-user-interface/ta-p/79597

Thanks for sharing the detailed information