Introduction
This feature aids the management of aliases on an Identity System. It provides changed alias data to a post process workflow so that the changes can be synced to a target system. An alias can be considered a proxy email address configured on mail servers, which can have a destination/deliverable address (a valid email id). When mail is sent to an alias, it is redirected to the destination address. A typical usage scenario is an individual who has multiple roles, has a different email id (alias) for each role, and needs all of those email ids (aliases) directed to a single mailbox.
The management of aliases can be performed:
• by the User himself, through the My Profile tab in self-service.
• by an OBO who has rights to manage the user profile, through the Users tab in self-service.
• automatically: pre-defined aliases are created during user provisioning, if the user profile qualifies for the alias configuration.
The alias creation configuration is created in the admin UI. When a user who qualifies for the configuration logs into the self-service UI, he will see either the generated aliases or a text box to key in aliases, depending on the type of configuration he qualifies for. The user chooses the aliases and destination address and saves them, within the permissions granted by the qualified alias configurations. The saved alias information, along with user info, is passed to the post process workflow selected in the qualified configuration.
Configuration
The sections below detail the configurations to be done in the Alias management feature.
Cooling period aliases - Legacy load
The legacy aliases which are in a cooling period can be uploaded here in a predetermined format explained below.
(The CSV or TXT file should have entries in the format: alias,end date (MM/dd/yyyy). For example: abc@xyz.com,01/26/2019)
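A pre-upload check for this file format, as an added example (not part of the product): it rejects lines that would load a wrong or ambiguous end date, such as dd/MM/yyyy input or dates that are not zero-padded. The function name, the address pattern and the sample data are constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime

# Deliberately simple address shape check, not a full RFC 5322 parser.
ALIAS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}")  # strptime alone would accept 1/6/2019


def validate_cooling_file(text):
    """Return (rows, errors); assumes aliases compare case-insensitively."""
    rows, errors, seen = [], [], set()
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in fields):
            continue  # blank line
        if len(fields) != 2:
            errors.append((lineno, "expected exactly two fields"))
            continue
        alias, raw_date = fields[0].strip().lower(), fields[1].strip()
        if not ALIAS_RE.fullmatch(alias):
            errors.append((lineno, "alias is not a well-formed address"))
        elif not DATE_RE.fullmatch(raw_date):
            errors.append((lineno, "end date is not MM/dd/yyyy"))
        elif alias in seen:
            errors.append((lineno, "duplicate alias"))
        else:
            try:
                end = datetime.strptime(raw_date, "%m/%d/%Y").date()
            except ValueError:
                errors.append((lineno, "end date is not a calendar date"))
            else:
                seen.add(alias)
                rows.append((alias, end))
    return rows, errors


# Constructed sample; only the first line comes from the format note above.
SAMPLE = (
    "abc@xyz.com,01/26/2019\n"    # valid
    "def@xyz.com,26/01/2019\n"    # dd/MM/yyyy: month 26 does not exist
    "ghi@xyz.com,1/6/2019\n"      # not zero-padded
    "not-an-address,01/26/2019\n"
    "ABC@xyz.com,02/01/2019\n"    # duplicate of line 1
    "jkl@xyz.com,02/28/2019,x\n"  # extra field
)

if __name__ == "__main__":
    print(validate_cooling_file(SAMPLE))
```

A swapped date such as 02/01/2019 written for 1 February still parses, so the end dates in the accepted rows are worth a visual check before upload.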
Configuration Property to generate alias
Set the Modify Configuration for: ► Provisioning Policy Generate and Assign Aliases to "True" in order to generate an alias while creating the user.
Alias management configuration - Admin UI
The configuration that governs how the aliases of profiles are managed can be created from the Alias management listing administration UI as shown below. Multiple configurations can be created for an organization, and a user will get aliases generated based on all the configurations he qualifies for. Clicking the Add button opens a detail UI with several subsections that are used for the creation/generation of aliases.
Elements and Descriptions |
---|
Locale: Select the preferred language (default: English) and configure specific values for New User Creation UI Label and Display Name. Note: English values must be configured before adding other locale-specific values. |
Name: Enter the name that describes the alias configuration. |
Description: Enter the description text of the alias configuration. |
Type: Enter the mode of alias generation. The modes available are |
User qualification criteria: Select a security group to be used as the beneficiary to qualify the alias configuration. Multiple user groups can be selected for a configuration. |
Alias generation rules: The rules define how an alias is to be generated. Rules are built from product attributes that have a database column mapping, and from literals. For example, the sample rule [substring(Person-Lastname,LEFT,1)][Person-Firstname] concatenates the first letter of the last name with the whole first name. Multiple rules can be configured in a configuration, and their priority follows the order in which they are listed in the Configuration Detail Page UI. |
Pick Rule: Click the Pick Rule button to view the list of available rules (system and custom). |
Add Custom Rule: Click the Add Custom Rule button to create a new custom rule view to use in the alias configuration. |
Move Up/Down: Click the Move Up/Down button to increase/decrease the priority of the rule in the configuration. |
Edit Rule: Click the Edit Rule button to edit a custom rule. Rules can have one of the action types Skip or Increment: |
Domain Configuration: The domains selected/added here will be available for use by qualified user(s) in the Self-Service UI while creating an alias. |
Blacklisted words Configuration: The list of words to be disallowed in an alias name is managed in this section. Note: The TXT file should have one word per line. |
Generate Deliverables: For profiles that qualify for a Generated-Assigned type configuration, deliverables must be generated automatically, as no manual intervention is possible. To do this, configure a list of rules for generating deliverables; this section is displayed for the "Generated-Assigned" type only. As with the alias generation rules, these rules determine how the deliverables are generated. Deliverable addresses are generated according to the rules selected in this section and the configured deliverable domain (explained below). Below are the actions that can be performed in the rule listing section. |
Deliverable domain: Enter a valid domain for generating the deliverable address. |
Other Configurations: Listed below are the miscellaneous configurations of the feature. |
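How the alias generation rules, the blacklisted words list and unavailable (assigned or cooling-period) aliases interact when a candidate is chosen, as an added sketch that is not the product's rule engine. The rule grammar beyond the one sample rule in the table, lowercasing, substring matching of blacklisted words, and falling through to the next rule on rejection are assumptions; all function names and sample data are hypothetical.

```python
import re

TOKEN = re.compile(r"\[([^\[\]]+)\]")
SUBSTR = re.compile(r"substring\(\s*([\w-]+)\s*,\s*LEFT\s*,\s*(\d+)\s*\)")


def render(rule, profile):
    """Expand one rule, e.g. [substring(Person-Lastname,LEFT,1)][Person-Firstname]."""
    def expand(match):
        body = match.group(1)
        sub = SUBSTR.fullmatch(body)
        if sub:
            return profile[sub.group(1)][: int(sub.group(2))]
        return profile[body]  # KeyError if the rule names an unknown attribute
    # Text outside [...] is kept as a literal.
    return TOKEN.sub(expand, rule).lower()


def first_allowed_alias(rules, profile, domain, blacklist, unavailable):
    """Try rules in listed (priority) order; return the first acceptable alias."""
    for rule in rules:
        local = render(rule, profile)
        # Check the rendered value: harmless attributes can combine into a
        # disallowed word ("Ad" + "Minton" contains "admin").
        if any(word.lower() in local for word in blacklist):
            continue
        alias = f"{local}@{domain}"
        if alias in unavailable:
            continue  # already assigned, or still in its cooling period
        return alias
    return None


# Constructed sample data.
PROFILE = {"Person-Firstname": "Adele", "Person-Lastname": "Minton"}
RULES = [
    "[substring(Person-Firstname,LEFT,2)][Person-Lastname]",  # adminton
    "[substring(Person-Lastname,LEFT,1)][Person-Firstname]",  # madele
    "[Person-Firstname].[Person-Lastname]",                   # adele.minton
]
BLACKLIST = ["admin", "root"]
UNAVAILABLE = {"madele@xyz.com"}

if __name__ == "__main__":
    print(first_allowed_alias(RULES, PROFILE, "xyz.com", BLACKLIST, UNAVAILABLE))
```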
Data Validation
This section helps you to add configurations by which an alias or a deliverable can be validated. This section will be displayed for “Generated-Selected” and “Manual” types only. The validation occurs when generating aliases or deliverables from self-service. The following validation options are supported:
- Regular Expression
- Database Query
- LDAP Query
Add a data validation Configuration
Click the Add button to open the data validation configuration page, and save the validations using the Save Validation button.
Test Validation script
Test scripts can be validated by clicking the Test button.
Managing Aliases from Self-Service
Aliases can be managed in 3 possible ways from self-service UI. The options are given below:
- A User can manage his own aliases from the My Profile tab
- An OBO can manage other users' aliases from the Users tab
- A client admin can manage aliases in the cooling period
Manage Aliases - By User
Prerequisites
To make the alias management UI available to a logged-in User, the Administrator has to add the Alias Management feature to the Self-service security policy from the Admin UI.
Alias Management UI - My Profile
Once the above configuration is complete, a self-service user can manage his own aliases. The management capabilities may vary per alias, based on the permissions in the alias management configurations which generated the respective aliases.
If the user has permissions to manage his deliverables, he will see the Manage Deliverables panel as the first panel in which he will be able to configure the deliverables, which can be used for setting the destination address of aliases. If not, he will see the manage aliases panel as the first panel.
Once deliverables are created, they will be listed in the Manage alias section used for setting the destination address.
Manage Aliases - By OBO
Prerequisites
For an OBO to manage aliases from the Users tab, Manage aliases should be checked in the User Management configuration.
Alias management UI - Users tab
Once this configuration is complete, an OBO can manage the aliases of the users he is allowed to administer. The management capabilities here may vary per alias, based on the permissions set in the alias management configurations used to generate the respective aliases. Once the user management action Manage Alias is selected, the OBO will see the same three panels as in My Profile, where he can manage the aliases.
Manage cooling period Aliases
Prerequisites
To give a logged-in User access to the cooling alias management UI, the Administrator has to add that user to the 'Iaas Client Administrators' security user group from the Admin UI. The user must also be configured to manage cooling period aliases: add the user under Client Administration Configuration -> Alias Cooling Period Management.
Cooling period alias management UI - Admin tab
A client admin who qualifies for the above configuration can manage the cooling period from the Admin -> ALIAS tab. The possible actions he can take are listed below:
- edit retention period and set to a prior or future date.
- delete aliases from cooling aliases list.
Cooling period aliases - Bulk Load
The bulk load of aliases in the cooling period is kept as a common configuration: in the alias config listing page, the user is allowed to upload the aliases in the cooling period. The details are explained in a previous section, Global Configuration.
Alias Initial Load – Identity Hub
A new execution mode – Alias Initial Load is available in Identity Hub to handle the initial load of aliases.
An initial load can be done in two ways:
1. Legacy aliases can be loaded by using a look-up system from where the details of aliases can be mapped to the alias schema/ attributes. This can be used for cases where aliases already exist in an implementation and you wish to manage/migrate them using Idm.
2. By using the mapper rule (Generate and Assign Alias) as shown in the image below. This will be helpful to a system where the concept of alias is to be implemented afresh. Using this rule aliases can be generated for an exported list of users, if they qualify for any of the ‘Generated-Assigned’ type of Alias configuration.
The Identity Hub expects profile data, along with multi-valued alias data with the appropriate change type, to be passed in so that the aliases can be persisted. Typically, alias data is made available as a file with comma-separated values and looked up through a flat file connector, using a unique identifier against the corresponding database column, to correlate the alias data with the user data being exported from the product (normally FUP).