Documentation for Access Rights Manager

Customize AD attributes properties

You can define property details for AD attributes to standardize and simplify the process of creating new AD objects.

Note that values entered with customized templates are not subject to the restrictions defined here.

The following properties are available:

 

AliasDisplayName

Sets an alternate display name for use in ARM.

Example

<l>
  <AliasDisplayName type="System.String">City</AliasDisplayName>
</l>

 

AllowOnlyDefinedValues

Only predefined values can be selected. Use it together with DefinedValues.

Example

<postalCode>
  <AllowOnlyDefinedValues type="System.String">true</AllowOnlyDefinedValues>
  <DefinedValues type="System.String">12345;67890</DefinedValues>
</postalCode>

 

DefinedValues

The predefined values for the attribute, separated by semicolons. The values are available in Access Rights Manager as a drop-down list. Use it together with AllowOnlyDefinedValues.

Example

<postalCode>
  <AllowOnlyDefinedValues type="System.String">true</AllowOnlyDefinedValues>
  <DefinedValues type="System.String">12345;67890</DefinedValues>
</postalCode>

 

CreationRule

Defines a creation rule for the attribute.

Example

<mail>
  <CreationRule type="System.String">{givenname}.{sn}@[fqdn]</CreationRule>
</mail>

 

ValidationRule

Regular expression for checking the entered value. Use it together with ValidationInformation.

Example

<telephoneNumber>
  <ValidationRule type="System.String">^[+]\d{1,4}[ ][^0]\d{1,5}[ ]\d{1,32}[-]\d{1,8}</ValidationRule>
  <ValidationInformation type="System.String">The phone number does not match the requirements.</ValidationInformation>
</telephoneNumber>

For help with regular expressions we recommend https://regex101.com.
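
The behaviour of the rule above on a few inputs, as an added example that is not part of the ARM documentation: it runs the page's pattern and a tightened variant through Python's re module. Whether ARM applies the rule as a search or as a full match is not stated on this page; the example assumes a search, and STRICT_RULE, the sample values and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The telephoneNumber fragment exactly as shown on the page.
FRAGMENT = r"""<telephoneNumber>
  <ValidationRule type="System.String">^[+]\d{1,4}[ ][^0]\d{1,5}[ ]\d{1,32}[-]\d{1,8}</ValidationRule>
  <ValidationInformation type="System.String">The phone number does not match the requirements.</ValidationInformation>
</telephoneNumber>"""

# Constructed variant (assumption, not from the page): '$' end anchor and
# [1-9] in place of [^0], which matches any character other than '0'.
STRICT_RULE = r"^[+]\d{1,4}[ ][1-9]\d{1,5}[ ]\d{1,32}[-]\d{1,8}$"

# Constructed sample inputs.
SAMPLES = [
    "+49 30 1234567-89",
    "+49 30 1234567-89 plus trailing text",
    "+49 x0 1234567-89",
    "+49 030 1234567-89",
    "0049 30 1234567-89",
]

def load_rule(fragment):
    """Return (attribute name, regex, help text) from one attribute element."""
    node = ET.fromstring(fragment)
    return node.tag, node.findtext("ValidationRule"), node.findtext("ValidationInformation")

def accepts(rule, value):
    """Unanchored search: only the pattern's own ^ and $ pin the match."""
    return re.search(rule, value) is not None

def compare(samples=SAMPLES):
    """Map each sample to (accepted by page rule, accepted by strict rule)."""
    _, page_rule, _ = load_rule(FRAGMENT)
    return {v: (accepts(page_rule, v), accepts(STRICT_RULE, v)) for v in samples}

if __name__ == "__main__":
    name, rule, info = load_rule(FRAGMENT)
    print(f"{name}: {rule}")
    for value, (page_ok, strict_ok) in compare().items():
        print(f"{value!r:42} page={page_ok!s:5} strict={strict_ok}")
```

Under search semantics the page's rule accepts trailing text and a non-digit after the country code. If a test in your ARM installation shows the same behaviour, add the end anchor and replace [^0] with [1-9].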

 

ValidationInformation

Displays a help text for the validation rule. Use it together with ValidationRule.

Example

<telephoneNumber>
  <ValidationRule type="System.String">^[+]\d{1,4}[ ][^0]\d{1,5}[ ]\d{1,32}[-]\d{1,8}</ValidationRule>
  <ValidationInformation type="System.String">The phone number does not match the requirements.</ValidationInformation>
</telephoneNumber>

 

IsRequired or Essential

The input is mandatory.

Example

<streetAddress>
  <IsRequired type="System.String">true</IsRequired>
</streetAddress>

 

IsHidden

The attribute is hidden in all Access Rights Manager views and reports.

Example

<streetAddress>
  <IsHidden type="System.String">true</IsHidden>
</streetAddress>

 

IsChangeable

If set to false, the value cannot be modified within Access Rights Manager. This setting does not apply when creating objects. See also: IsInitialConfigurable

Example

<streetAddress>
  <IsChangeable type="System.String">true</IsChangeable>
</streetAddress>

 

IsInitialConfigurable

If set to true, the value can be modified when creating objects. See also: IsChangeable

Example

<streetAddress>
  <IsInitialConfigurable type="System.String">true</IsInitialConfigurable>
</streetAddress>

 

SortIndex

Allows you to define the display order of the properties in the Account view, Creation overlay, and Edit overlay using an integer value. The smaller the value, the higher the attribute is placed.

Example

<streetAddress>
  <SortIndex type="System.String">1500</SortIndex>
</streetAddress>

Please refer to the list of default LDAP properties and sort index values below.

 

IsObjectSearchable

If set to true, the attribute is included in the ARM search for AD objects.

Example

<streetAddress>
  <IsObjectSearchable type="System.String">true</IsObjectSearchable>
</streetAddress>

 

LDAP attributes that are read by default, and their sort index values

Access Rights Manager reads the following LDAP attributes by default during an AD scan:

LDAP attribute    SortIndex (default)
"accountexpires" 1000
"admincount" 2000
"cn" 3000
"comment" 4000
"company" 5000
"dc" 6000
"department" 7000
"description" 8000
"distinguishedname" 9000
"displayname" 10000
"employeeid" 11000
"employeetype" 11500
"flags" 12000
"givenname" 13000
"grouptype" 14000
"homedirectory" 15000
"homedrive" 16000
"homephone" 17000
"info" 18000
"initials" 19000
"jpegphoto" 50000
"thumbnailphoto" 51000
"lastlogon" 20000
"lastlogontimestamp" 21000
"managedby" 21250
"manager" 21500
"mail" 22000
"member" 23000
"memberof" 24000
"mobile" 25000
"name" 26000
"objectclass" 27000
"objectguid" 28000
"objectsid" 29000
"operatingsystem" 30000
"operatingsystemservicepack" 31000
"operatingsystemversion" 32000
"ou" 33000
"personaltitle" 34000
"primarygroupid" 35000
"profilepath" 36000
"proxyaddresses" 36500
"samaccountname" 37000
"samaccounttype" 38000
"scriptpath" 39000
"sidhistory" 40000
"sn" 41000
"subrefs" 42000
"systemflags" 43000
"telephonenumber" 44000
"title" 45000
"useraccountcontrol" 46000
"userprincipalname" 47000

 

Set attributes available to web client scenarios

For the action "Change personal information" - available in the cockpit and some web client scenarios - Access Rights Manager loads a standard set of attributes. The standard set is the same for all roles. You can adjust which attributes are available for each ARM role.

To do this, extend the pnserver.config.xml file in the following location:

%programdata%\protected-networks.com\8MAN\cfg

The changes will be applied without restarting the Access Rights Manager service.

 

Example

The line numbers are for explanation purposes only.

01 <WebClient.Cockpit.ChangeAttributes.Manager>

02 postalCode;l;physicalDeliveryOfficeName;telephoneNumber;facsimileTelephoneNumber

03 </WebClient.Cockpit.ChangeAttributes.Manager>

 

Lines 01 and 03

Specify which role the configuration should apply to. The following roles are possible:

Access Rights Manager role

WebClient.Cockpit.ChangeAttributes.Administrator

WebClient.Cockpit.ChangeAttributes.JuniorAdministrator

WebClient.Cockpit.ChangeAttributes.DataOwner0

WebClient.Cockpit.ChangeAttributes.DataOwner1

WebClient.Cockpit.ChangeAttributes.DataOwner2

WebClient.Cockpit.ChangeAttributes.DataOwner3

WebClient.Cockpit.ChangeAttributes.DataOwner4

WebClient.Cockpit.ChangeAttributes.Read

WebClient.Cockpit.ChangeAttributes.Requester

WebClient.Cockpit.ChangeAttributes.Manager

 

Self Service in the cockpit: "Change my personal information"

WebClient.Cockpit.ChangeAttributes.SelfService

 

Line 02

The semicolon-separated list of attributes to make available. You can only use attributes that are included in the AD scan.
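
A check for the rule above, as an added example that is not part of the ARM documentation: it reads role entries from a configuration fragment and reports attributes outside the default-read list on this page, plus role elements the page does not list. The <config> wrapper, the Helpdesk element and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

PREFIX = "WebClient.Cockpit.ChangeAttributes."
# Role suffixes listed on the page.
ROLES = {"Administrator", "JuniorAdministrator", "DataOwner0", "DataOwner1",
         "DataOwner2", "DataOwner3", "DataOwner4", "Read", "Requester",
         "Manager", "SelfService"}
# LDAP attributes the page lists as read by default during an AD scan.
DEFAULT_SCAN = set("""accountexpires admincount cn comment company dc department
description distinguishedname displayname employeeid employeetype flags givenname
grouptype homedirectory homedrive homephone info initials jpegphoto thumbnailphoto
lastlogon lastlogontimestamp managedby manager mail member memberof mobile name
objectclass objectguid objectsid operatingsystem operatingsystemservicepack
operatingsystemversion ou personaltitle primarygroupid profilepath proxyaddresses
samaccountname samaccounttype scriptpath sidhistory sn subrefs systemflags
telephonenumber title useraccountcontrol userprincipalname""".split())

# Constructed input. The <config> wrapper is hypothetical; the Manager entry is
# the page's example, the other two are made up for the demonstration.
SAMPLE = """<config>
  <WebClient.Cockpit.ChangeAttributes.Manager>postalCode;l;physicalDeliveryOfficeName;telephoneNumber;facsimileTelephoneNumber</WebClient.Cockpit.ChangeAttributes.Manager>
  <WebClient.Cockpit.ChangeAttributes.SelfService>mobile;homePhone</WebClient.Cockpit.ChangeAttributes.SelfService>
  <WebClient.Cockpit.ChangeAttributes.Helpdesk>mail</WebClient.Cockpit.ChangeAttributes.Helpdesk>
</config>"""

def audit(xml_text, scanned=DEFAULT_SCAN):
    """Return (per-role attributes outside `scanned`, unknown role names)."""
    outside, unknown = {}, []
    for node in ET.fromstring(xml_text).iter():
        if not node.tag.startswith(PREFIX):
            continue
        role = node.tag[len(PREFIX):]
        if role not in ROLES:
            unknown.append(role)
            continue
        # LDAP attribute names are case-insensitive, so compare in lower case.
        attrs = [a.strip() for a in (node.text or "").split(";") if a.strip()]
        outside[role] = [a for a in attrs if a.lower() not in scanned]
    return outside, unknown

if __name__ == "__main__":
    outside, unknown = audit(SAMPLE)
    for role, attrs in outside.items():
        print(f"{role}: confirm the AD scan reads {attrs or 'nothing extra'}")
    print("unknown role elements:", unknown)
```

For the page's own Manager example it reports postalCode, l, physicalDeliveryOfficeName and facsimileTelephoneNumber, so confirm the AD scan has been extended to read them. Pass your actual scanned set as `scanned` if it differs from the default list.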