Identity Cloud

Identity Cloud identity schema

Identity Cloud uses a default identity schema to organize users, roles, assignments, and organizations. The following diagram shows the schema relationships:

(Diagram: Identity Cloud identity schema showing users, roles, assignments, and organizations and their relationships)

For more information on the Identity Cloud identity schema, refer to Managed objects.

Identity schema summary

  • Users, roles, assignments, and organizations form the default identity schema. Their relationships are also part of the default schema.

    Adding additional relationships to the default schema is not supported in Identity Cloud. Instead, you can use organizations to create flexible, performant identity structures.
  • Users, roles, assignments, and organizations are hybrid identity objects. This means that their default attributes are explicitly defined in the schema, but you can add custom attributes that will be stored in a separate data structure outside of the schema.

  • You can create custom identity objects. These custom identity objects are generic. This means that they are entirely stored in a separate data structure outside of the schema.

    Adding relationships to custom identity objects is not supported in Identity Cloud.

Extend user identities

You can extend user identities by adding your own attributes. This lets you store more useful information about each user such as the user’s department, cost centers, application preferences, device lists, and so on.

Identity Cloud offers two strategies to extend user identities:

Create custom attributes

You can create new custom attributes directly on user identities. The following rules and caveats apply:

  • Custom attributes must be prefixed with custom_; for example, custom_department.

    Searching on custom attributes is not supported, and can in some cases render an environment unresponsive. Instead, if you need to make a particular attribute searchable, use an indexed extension attribute. Refer to Use general purpose extension attributes.

To create a custom attribute:

  1. In the Identity Cloud admin UI, click Native Consoles > Identity Management.

  2. In the IDM admin UI, go to Configure > Managed Objects.

  3. Click Alpha_user or Bravo_user.

  4. Click + Add a Property. This will scroll the page to the bottom, then automatically focus on the Name input field for new attributes.

  5. In the Name input field, enter a new attribute name prefixed with custom_; for example, enter custom_department.

  6. In the Label input field, optionally enter a display name for the new attribute.

  7. Click Save.

Use general purpose extension attributes

You can use the general purpose extension attributes that already exist on user identities. These attributes are predefined as part of the default identity schema. The following extension attributes are indexed, so you can use them as searchable attributes:

  • Generic Indexed String 1–5

  • Generic Indexed Multivalue 1–5

  • Generic Indexed Date 1–5

  • Generic Indexed Integer 1–5

To use an extension attribute:

  1. In the Identity Cloud admin UI, click Native Consoles > Identity Management.

  2. In the IDM admin UI, go to Configure > Managed Objects.

  3. Click Alpha_user or Bravo_user.

  4. Find an extension attribute that still has one of the following default labels:

    • Generic Indexed String 1–5 or Generic Unindexed String 1–5

    • Generic Indexed Multivalue 1–5 or Generic Multivalue String 1–5

    • Generic Indexed Date 1–5 or Generic Date String 1–5

    • Generic Indexed Integer 1–5 or Generic Integer String 1–5

      If you need to make the attribute searchable, make sure you use an indexed extension attribute.
  5. Click the pen icon to edit the attribute.

  6. In the Readable Title input field, enter a custom label. For example, Department.

  7. Click Save.
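The two rules on this page that matter most in practice are that custom attributes must carry the custom_ prefix and that only the indexed extension attributes are safe to search on. The following Python helper, an added example and not ForgeRock code, enforces both rules client-side before a query is sent to the IDM REST endpoint: it validates custom attribute names, maps the "Generic Indexed ..." labels to the underlying schema attribute names (the frIndexedString1, frIndexedMultivalued1, frIndexedDate1 and frIndexedInteger1 families are assumed here to be the names behind those labels), refuses to build a _queryFilter on a custom_ or unindexed attribute, and escapes quotes in filter values so that user-supplied text cannot alter the filter expression. The base URL, the managed object name and the backslash escaping inside quoted filter operands are assumptions for illustration.

```python
"""Client-side guard rails for Identity Cloud user-attribute queries (added example)."""
import re
from urllib.parse import urlencode

# Rule 1 (from the page): custom attributes must be prefixed with custom_.
CUSTOM_ATTR_RE = re.compile(r"^custom_[A-Za-z0-9_]+$")

# Rule 2 (from the page): only the indexed extension attributes are searchable.
# Label -> schema attribute name. The schema names are ASSUMED for this example.
INDEXED_EXTENSION_ATTRS = {
    **{f"Generic Indexed String {i}": f"frIndexedString{i}" for i in range(1, 6)},
    **{f"Generic Indexed Multivalue {i}": f"frIndexedMultivalued{i}" for i in range(1, 6)},
    **{f"Generic Indexed Date {i}": f"frIndexedDate{i}" for i in range(1, 6)},
    **{f"Generic Indexed Integer {i}": f"frIndexedInteger{i}" for i in range(1, 6)},
}
SEARCHABLE = frozenset(INDEXED_EXTENSION_ATTRS.values())


def is_valid_custom_attribute(name: str) -> bool:
    """True if the attribute name follows the custom_ prefix rule."""
    return bool(CUSTOM_ATTR_RE.match(name))


def attribute_for_label(label: str) -> str:
    """Resolve a default 'Generic Indexed ...' label to its assumed schema name."""
    try:
        return INDEXED_EXTENSION_ATTRS[label]
    except KeyError:
        raise ValueError(f"{label!r} is not an indexed extension attribute label") from None


def quote_filter_value(value) -> str:
    """Render one filter operand.

    Integers and booleans are emitted bare; everything else becomes a
    double-quoted string with backslashes and double quotes escaped, so a
    value such as  x" or frIndexedString1 eq "  cannot change the filter.
    (Backslash escaping inside quoted operands is assumed here.)
    """
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_search_filter(attribute: str, value) -> str:
    """Return an equality _queryFilter, refusing attributes that must not be searched."""
    if attribute.startswith("custom_"):
        raise ValueError(f"{attribute}: searching on custom attributes is not supported")
    if attribute not in SEARCHABLE:
        raise ValueError(f"{attribute}: not an indexed extension attribute, refusing to search")
    return f"{attribute} eq {quote_filter_value(value)}"


def build_search_url(base_url: str, managed_object: str, attribute: str, value,
                     page_size: int = 50) -> str:
    """Assemble the managed-object query URL (base URL and object name are caller-supplied)."""
    query = urlencode({
        "_queryFilter": build_search_filter(attribute, value),
        "_pageSize": page_size,
    })
    return f"{base_url.rstrip('/')}/openidm/managed/{managed_object}?{query}"


if __name__ == "__main__":
    # Constructed sample values; the tenant URL is a placeholder.
    dept_attr = attribute_for_label("Generic Indexed String 1")   # relabelled "Department"
    print(build_search_url("https://tenant.example.invalid", "alpha_user",
                           dept_attr, 'Eng "R&D"'))
    for name in ("custom_department", "department"):
        print(name, "valid custom attribute:", is_valid_custom_attribute(name))
    for attr in ("custom_department", "frUnindexedString1"):
        try:
            build_search_filter(attr, "x")
        except ValueError as err:
            print("rejected:", err)
```

Wiring the check in front of every search keeps a misconfigured client from issuing the unsupported custom_ searches that the page warns can make an environment unresponsive, and the value escaping means a display name entered by an end user is treated as data rather than as part of the filter syntax.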

Copyright © 2010-2023 ForgeRock, all rights reserved.