Identity Cloud identity schema
Identity Cloud uses a default identity schema to organize users, roles, assignments, groups, organizations, and applications. The following diagram shows the identity schema relationships:
For more information on the Identity Cloud identity schema, refer to Summary of the identity schema.
You can customize the default identity schema to your business needs in the following ways:
-
Create custom attributes to store identity information specific to your business.
-
Create indexable custom attributes that let you search your identities and create customized segments.
-
Create organizations to structure your identities in a flexible and performant way.
For examples of customizing the Identity Cloud identity schema, refer to Use cases for customizing the identity schema.
Summary of the identity schema
-
Users, roles, assignments, groups, organizations, and applications form the default identity schema. Their relationships are also part of the default schema.
-
Users are hybrid identity objects:
-
Their default attributes are explicitly defined in the schema, with indexes also explicitly defined for certain attributes.
-
You can add custom attributes to them. However, the attributes are stored in an unindexed JSON data structure.
-
If you need a custom attribute for a user to be searchable, use an indexed general purpose extension attribute instead of a custom attribute.
-
-
Roles, assignments, groups, organizations, and applications are generic identity objects:
-
None of their attributes are explicitly defined in the schema, and instead they are entirely stored in an indexed JSON data structure.
-
You can add custom attributes to them, and they will also be indexed.
-
-
You can create custom identity objects. These custom identity objects are also generic. This means that they are entirely stored in an indexed JSON data structure.
|
The following table summarizes the identity schema:
| Identity object | Type | Indexes on default attributes? | Indexes on custom attributes? |
|---|---|---|---|
Users |
Hybrid |
Yes |
No |
Roles |
Generic |
Yes |
Yes |
Custom |
Generic |
n/a |
Yes |
Use cases for customizing the identity schema
The following are examples of how you might customize the default schema to support a media service:
-
Add a custom attribute for membership level to user identities to support subscription-level access or rate limiting. For example, the membership levels might be "gold", "silver", and "bronze".
-
Add a custom attribute for registration level to user identities to support access to premium content or to support progressive profiling in journeys. For example, the registration levels might be "guest", "pending", and "registered".
-
Adapt a general purpose extension attribute to be a searchable user attribute for date of birth to support age-restricted access. Use the attribute to support delegated administration for different age segments, allowing separate users to administrate adults and children.
-
Create organizations to structure user relationships between family members to support parental control.
The following are examples of how you might customize the default schema to support workforce:
-
Add custom attributes for job code, department number, or cost center to user identities to support the automatic provisioning of birthright roles.
-
Add custom attributes for external ID and metadata to user identities to support synchronisation using System for Cross-domain Identity Management (SCIM).
Customize user identities
You can customize user identities by adding your own attributes. This lets you store more useful information about each user such as the user’s department, cost centers, application preferences, device lists, and so on.
Identity Cloud offers the following strategies to extend user identities:
Create custom attributes
You can create new custom attributes directly on user identities. Custom attributes must be
prefixed with custom_; for example, custom_department.
| Identity Cloud does not support searching on custom attributes, which can sometimes render an environment unresponsive. Instead, if you need to make a particular attribute searchable, use an indexed extension attribute. Refer to Use general purpose extension attributes. |
To create a custom attribute:
-
In the Identity Cloud admin UI, click Native Consoles > Identity Management.
-
In the IDM admin UI, go to Configure > Managed Objects.
-
Click Alpha_user or Bravo_user.
-
Click + Add a Property. This scrolls the page to the bottom and automatically focuses on the Name input field.
-
In the Name input field, enter a new attribute name prefixed with
custom_; for example, entercustom_department. -
In the Label input field, optionally enter a display name for the new attribute.
-
Click Save.
Use general purpose extension attributes
You can use the general purpose extension attributes that already exist on user identities. These attributes are predefined as part of the default identity schema. The following extension attributes are indexed, so you can use them as searchable attributes:
-
Generic Indexed String 1–5
-
Generic Indexed Multivalue 1–5
-
Generic Indexed Date 1–5
-
Generic Indexed Integer 1–5
To use an extension attribute:
-
In the Identity Cloud admin UI, click Native Consoles > Identity Management.
-
In the IDM admin UI, go to Configure > Managed Objects.
-
Click Alpha_user or Bravo_user.
-
Find an extension attribute that has one of the following default labels:
-
Generic Indexed String 1–5 or Generic Unindexed String 1–5
-
Generic Indexed Multivalue 1–5 or Generic Multivalue String 1–5
-
Generic Indexed Date 1–5 or Generic Date String 1–5
-
Generic Indexed Integer 1–5 or Generic Integer String 1–5
If you need to make the attribute searchable, make sure you use an indexed extension attribute.
-
-
Click the pen icon () to edit the attribute.
-
In the Readable Title input field, enter a custom label. For example,
Department. -
Click Save.