New Capability: Identity Management

Adding on to the multi-valued fields being separated by a comma: I have integer values coming through on accounts for IDs that represent the entitlements a user is assigned in a SaaS application. For example entitlements 1 and 3076 show as 1,376 in the new UI which could be confused as one thousand three hundred and seventy six as opposed to two separate values. And to be clear I am talking about the underlying attribute on the account which represents the entitlements, not the entitlements table at the bottom of the account view.

1 Like

Thanks Kirby for the quick pivot on this. I just put something out there for tomorrow to review these enhancements.

1 Like

I noticed this too. The Entitlements are being grouped under the “Attributes” column. Which is weird, but having them inline with commas really makes it complicated. :sweat_smile:

I also grabbed a slot on @willcashman 's calendar for tomorrow, so I will talk more about this there.
Thanks @kirby_fitch !

1 Like

Yes exactly my issue as well. Thanks for adding the screenshot.

Hi Kirby,

We’ll be bringing sorting to the Access tab

Um… what about the Accounts tab?
That’s where the “SourceName” and maybe “NativeIdentity” would be used heavily.
We have ~20+ sources just AD/AAD related - seeing them randomly listed makes it easy to misread which Accounts a user has.

Is it valuable to alphabetically sort the attributes?

Yes definitely - first click we do :slight_smile: (at least on the Account details page, Identity details was always listed alphabetically).

Wouldn’t it be preferable to use endpoints rather than UIs for unit and integration testing?

Hmm? Not sure I understand …?

If there was a general Copy button that output all attributes and values into the clipboard.

That would be great!

Sorry about this. We’ve had the new Details UI available under Try New Experience since August 2023. The feedback we had received to this point has been positive.

I can see why it may be positive (overall)… ability to pin attributes etc.
But our (at least my :wink: ) biggest impact is ability to quickly determine an attribute’s value and compare it to another identity side by side (i.e. usually 2 windows, 2 identities).
Operations would do this quite often to determine why some users have correct access while others don’t - realise a flag, email, trigger value is missing on a particular identity, etc.
Having the attributes appear in different places (sometimes on the left, sometimes on the right).
(and yes, from memory I do recall providing feedback :smiley: )

Thanks.

Thanks for pointing this out @patrickboston and for the screenshot @Bakhari. I agree that this comma separation is misleading. Sorry we overlooked the integer use case. The enhancement proposal @willcashman is previewing with administrators will address this. Take some time to meet with him if you have it!

Also, could I get some input on whether or not we should show the account attributes that are marked as entitlements? Does this help you understand how entitlements are being built?

1 Like

Sorry, missed this one. We’ll be bringing new sorting functionality to the Accounts UI as well. Here are the new sorters we’re adding to the accounts endpoint at the current time.

These will be used for sorting in the Identity > Accounts UI:

  • source.displayableName
  • source.authoritative
  • account.hasEntitlements

These will be used for sorting in the forthcoming Global Accounts UI:

  • identity.identityState
  • source.displayableName
  • source.authoritative
  • source.directConnection
  • identity.uncorrelated
  • account.hasEntitlements

What are all the ways it’d be helpful to sort identity and/or account attributes?

We understood these new UIs could break integration / unit testing. Are you exclusively manually testing with the UI? Otherwise, we think it’d be beneficial to test using endpoints. User interfaces change a lot more often than endpoints. We’d rather you depend on our endpoints rather than user interfaces for automated testing to avoid breakages.

Thanks for the support. We’ll take this under advisement.

Be sure to chat with @willcashman about this use case. We do recall hearing this more than once and thought that an identity comparison utility would be beneficial. This use case and tool were regarded as out of scope and we didn’t attempt to support them. Upon further reflection, we acknowledge there are some small things we could do to make that easier.

Yes, leave the entitlement attribute. Could be helpful for troubleshooting.

One other nice to have would be having the native identifier of the account at the top level attributes table in the individual account view. Right now it just has “Name” which seems to be tied to the account display name. Having proper labels for native identifier vs display name are important as well as opposed to just “Name”.

1 Like

Thanks, Patrick. Seems like a reasonable addition. I’ll talk to the team about this. We’ll try to add it between Name and Id.

  • Should we also throw objectGuid up there?
  • Anything that you see in the Account details top card that’s unimportant?
  • Anything else that’s missing?
1 Like

Hi @kirby_fitch ,

I observed that the new UI does not show the “Remove Account” feature anymore when you want to manually un-correlate an account from an identity. Is it intentional or a bug?

Regards,
Uday Kilambi

Hi @uday_kilambiTMNL, see this earlier comment:

Good question. During some of my initial tests I noticed that Account Attributes marked as Entitlements were showing up, but the Entitlement Assignment list was empty.

I was able to quickly determine that the Account Attributes marked as Entitlements weren’t mapping to the actual Entitlements. With a little troubleshooting, I was able to easily fix it.

Without that, I would’ve been scratching my head for a while trying to figure out why they weren’t mapping/assigning. So that’s definitely a helpful piece we should keep. :slight_smile:

2 Likes

@Bakhari I love this use case. Thanks for sharing it! We’ll keep these attributes available to help you with this!

2 Likes

objectGuid is specific to Active Directory and not the native identifier for Active Directory, so I wouldn’t find that too valuable.

No comments on the other two bullets right now. Thanks!

2 Likes

Hi folks,

If you’ve been following this post from the beginning, I’d like to call out additions I made today. This info was added to address questions that have been coming in on this post and elsewhere. Thank you for your attention!

  • Rollout Dates info in the top card was updated.
  • Added a section for More About Navigation Bar Changes that specifies a navigation bar change that’s going out with this work.
  • Added a section for More About Account Manual Correlation Flag to address a common question.
  • Added a section for Deprecation of Custom Branding in Administrative UIs to call out something that was removed from these UIs.
  • Added sections for Did you notify us about this previously?, Are we able to switch back to the previous user interface? and What’s next after I receive the Identity Management UIs in production? to address the project management aspects of this rollout.
1 Like

This is great, however, on the Accounts tab, you are no longer able to sort the accounts by the Source Name. Can that be added? For those that have lots of accounts, you now have to weed through the non-sorted sources to find what the user has.

Hi @RArroyo -

Great question. This is one of the first enhancements we’ll be making to the accounts tab. The work to allow sorting based on source name is currently in progress. We’ll release this enhancement after identity management is promoted to production.

1 Like

Hey Kirby! Thanks for putting this out there for us to do! I met with @willcashman about the Identity UI changes and I figured the meeting would be a cut and dry formal complaint or sales pitch type thing, but was surprised to discover that it was more like a casual dev session with a friend! I felt heard and felt like my contribution mattered. Not to mention Will was awesome with his targeted questions and how prepared he was! It didn’t feel like a waste of time and I’ll definitely do more of these if they continue to be like that! Thanks! <3

1 Like

@Bakhari - Love it. Thank you! @willcashman is the Designer for the entire Identity Management experience. He and I plus our lead UI Engineer, @spencer_harder, have been co-captaining this project since late 2022. We’re very invested in the outcome.

We expect the initial release to be a substantial improvement over what’s being replaced. Furthermore, we see the new experience as a platform that will grow over time. We’re only able to achieve our ambitions with great user engagement. Thank you for your time!

1 Like

Remove is back!

5 Likes