Customize AD attributes properties
You can define "properties details" to AD attributes to standardize and simplify the process of creating new AD objects.
Note that values entered with customized templates are not subject to the restrictions defined here.
The following properties are available:
AliasDisplayName
Sets an alternate display name for the use in ARM.
Example
<l>
<AliasDisplayName type="System.String">City</AliasDisplayName>
</l>
AllowOnlyDefinedValues
Only predefined values can be selected. Use it together with DefinedValues.
Example
<postalCode>
<AllowOnlyDefinedValues type="System.String">true</AllowOnlyDefinedValues>
<DefinedValues type="System.String">12345;67890</DefinedValues>
</postalCode>
DefinedValues
The predefined values for the attribute, separated by semicolons. The values are available in Access Rights Manager as a drop down list. Use it together with AllowOnlyDefinedValues.
Example
<postalCode>
<AllowOnlyDefinedValues type="System.String">true</AllowOnlyDefinedValues>
<DefinedValues type="System.String">12345;67890</DefinedValues>
</postalCode>
CreationRule
Defines a creation rule for the attribute.
Example
<mail>
<CreationRule type="System.String">{givenname}.{sn}@[fqdn]</CreationRule>
</mail>
ValidationRule
Regular expression for checking the entered value. Use it together with ValidationInformation.
Example
<telephoneNumber>
<ValidationRule type="System.String">^[+]\d{1,4}[ ][^0]\d{1,5}[ ]\d{1,32}[-]\d{1,8}</ValidationRule>
<ValidationInformation type="System.String">The phone number does not match the requirements.</ValidationInformation>
</telephoneNumber>For help with regular expressions we recommend https://regex101.com.
ValidationInformation
Displays a help text for the validation rule. Use it together with ValidationRule.
Example
<telephoneNumber>
<ValidationRule type="System.String">^[+]\d{1,4}[ ][^0]\d{1,5}[ ]\d{1,32}[-]\d{1,8}</ValidationRule>
<ValidationInformation type="System.String">The phone number does not match the requirements.</ValidationInformation>
</telephoneNumber>
IsRequired or Essential
The input is mandatory.
Example
<streetAddress>
<IsRequired type="System.String">true</IsRequired>
</streetAddress>
IsHidden
The Attribute is hidden in all Access Rights Manager views and reports.
Example
<streetAddress>
<IsHidden type="System.String">true</IsHidden>
</streetAddress>
IsChangeable
If set to false the value can not be modified within Access Rights Manager. Not valid for creating objects. See also: IsInitialConfigurable
Example
<streetAddress>
<IsChangeable type="System.String">true</IsChangeable>
</streetAddress>
IsInitialConfigurable
If set to true the value can be modified during creating objects. See also: IsChangeable
Example
<streetAddress>
<IsInitialConfigurable type="System.String">true</IsInitialConfigurable>
</streetAddress>
SortIndex
Allows you to define the display order of the properties in the Account view, Creation overlay, and Edit overlay using an integer value. The smaller the value, the higher the attribute is placed.
Example
<streetAddress>
<SortIndex type="System.String">1500</SortIndex>
</streetAddress>Please refer to the list of default LDAP properties and sort index values below.
IsObjectSearchable
If set to true, the attribute is included in the ARM search for AD objects.
Example
<streetAddress>
<IsObjectSearchable type="System.String">true</IsObjectSearchable>
</streetAddress>
LDAP attributes that are read by default, and their sort index values
The following LDAP attributes Access Rights Manager reads by default during an AD scan:
| LDAP Attribute | SortIndex Default |
|---|---|
| "accountexpires" | 1000 |
| "admincount" | 2000 |
| "cn" | 3000 |
| "comment" | 4000 |
| "company" | 5000 |
| "dc" | 6000 |
| "department" | 7000 |
| "description" | 8000 |
| "distinguishedname" | 9000 |
| "displayname" | 10000 |
| "employeeid" | 11000 |
| "employeetype" | 11500 |
| "flags" | 12000 |
| "givenname" | 13000 |
| "grouptype" | 14000 |
| "homedirectory" | 15000 |
| "homedrive" | 16000 |
| "homephone" | 17000 |
| "info" | 18000 |
| "initials" | 19000 |
| "jpegphoto" | 50000 |
| "thumbnailphoto" | 51000 |
| "lastlogon" | 20000 |
| "lastlogontimestamp" | 21000 |
| "managedby" | 21250 |
| "manager" | 21500 |
| "mail" | 22000 |
| "member" | 23000 |
| "memberof" | 24000 |
| "mobile" | 25000 |
| "name" | 26000 |
| "objectclass" | 27000 |
| "objectguid" | 28000 |
| "objectsid" | 29000 |
| "operatingsystem" | 30000 |
| "operatingsystemservicepack" | 31000 |
| "operatingsystemversion" | 32000 |
| "ou" | 33000 |
| "personaltitle" | 34000 |
| "primarygroupid" | 35000 |
| "profilepath" | 36000 |
| "proxyaddresses" | 36500 |
| "samaccountname" | 37000 |
| "samaccounttype" | 38000 |
| "scriptpath" | 39000 |
| "sidhistory" | 40000 |
| "sn" | 41000 |
| "subrefs" | 42000 |
| "systemflags" | 43000 |
| "telephonenumber" | 44000 |
| "title" | 45000 |
| "useraccountcontrol" | 46000 |
| "userprincipalname" | 47000 |
Set attributes available to web client scenarios
For the action "Change personal information" - available in the cockpit and some web client scenarios - Access Rights Manager loads a standard set of attributes. The standard set is the same for all roles. You can adjust which attributes are available for each ARM role.
To do this, you need to extend the pnserver.config.xml located at the following location:
%programdata%\protected-networks.com\8MAN\cfg
The changes will be applied without restarting the Access Rights Manager service.
Example
The line numbers are for explanation purposes only.
01 <WebClient.Cockpit.ChangeAttributes.Manager>
02 postalCode;l;physicalDeliveryOfficeName;telephoneNumber;facsimileTelephoneNumber
03 </WebClient.Cockpit.ChangeAttributes.Manager>
Line 01 and 03
Specify which role the configuration should apply to. The following roles are possible:
Access Rights Manager role
WebClient.Cockpit.ChangeAttributes.Administrator
WebClient.Cockpit.ChangeAttributes.JuniorAdministrator
WebClient.Cockpit.ChangeAttributes.DataOwner0
WebClient.Cockpit.ChangeAttributes.DataOwner1
WebClient.Cockpit.ChangeAttributes.DataOwner2
WebClient.Cockpit.ChangeAttributes.DataOwner3
WebClient.Cockpit.ChangeAttributes.DataOwner4
WebClient.Cockpit.ChangeAttributes.Read
WebClient.Cockpit.ChangeAttributes.Requester
WebClient.Cockpit.ChangeAttributes.Manager
Self Service in the cockpit: "Change my personal information"
WebClient.Cockpit.ChangeAttributes.SelfService
Line 02
List of attributes to be available. You can only use attributes that are included in the AD scan.