--- title: Configuring attributes and attribute search on the PingDirectory server description: Use the Delegated Admin installation file to configure attributes and attribute search. component: pingdirectory version: 11.0 page_id: pingdirectory:delegated_admin_application_guide:pd_da_config_attr_search_pd_server canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/delegated_admin_application_guide/pd_da_config_attr_search_pd_server.html revdate: September 18, 2023 page_aliases: ["pd_da_constructed_attributes.adoc", "pd_da_set_attribute_read_only.adoc"] section_ids: about-this-task: About this task steps: Steps example: Example: example-2: Example: example-3: Example: example-4: Example: example-5: Example: example-6: Example: example-7: Example: example-8: Example: constructed-attributes: Constructed attributes setting-an-attribute-to-read-only: Setting an attribute to read-only about-this-task-2: About this task steps-2: Steps example-9: Example: example-10: Example: --- # Configuring attributes and attribute search on the PingDirectory server Use the Delegated Admin installation file to configure attributes and attribute search. ## About this task The file that installs Delegated Admin specifies the following values: * Object class of user entries through `structural-ldap-objectclass:inetOrgPerson` * Number of user attributes *(tooltip: \
\

Distinct characteristics that describe a subject. If the subject is a website user, attributes can include a name, group affiliation, email address, and attributes alike.\

\
)* to expose | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Delegated Admin supports the following attribute types:- `Boolean` - `Integer` - `String` - `DateTime` - distinguished name (DN) *(tooltip: \
\

A name uniquely identifying an object within the hierarchy of a directory tree.\

\
)* - Custom attributes - Constructed attributes - Multivalued attributes | ## Steps 1. If necessary, change the attribute that is designated as the primary attribute. ### Example: ```shell $ bin/dsconfig set-rest-resource-type-prop \ --type-name users \ --set primary-display-attribute-type:mail ``` 2. Configure any additional user attributes to appear in Delegated Admin by specifying the Lightweight Directory Access Protocol (LDAP) *(tooltip: \
\

An open, cross platform protocol used for interacting with directory services.\

\
)* attribute type to expose and by providing a display name for it. ### Example: ```shell $ bin/dsconfig create-delegated-admin-attribute \ --type-name users \ --attribute-type customAttr \ --set "display-name:My custom attribute" ``` 3. Configure attributes with distinguished name (DN) syntax on resource types to provide a reference from one resource to another. Such an attribute is the standard LDAP `manager` attribute. The referencing resource doesn't have to be the same type of resource as the referenced resource. Delegated Admin allows the referenced resource to be selected without displaying the actual value of the DN. ### Example: In this example, the `manager` attribute is included in the users resource type, and its value is constrained to reference only resources of type `managers`. The `managers` REST Resource Type is assumed to have already been defined. ```shell $ bin/dsconfig create-delegated-admin-attribute \ --type-name users \ --attribute-type manager \ --set display-name:Manager \ --set reference-resource-type:managers ``` ### Example: Additionally, the Delegated Admin resource rights for the administrator must provide either read or reference permission to `managers`. ```shell $ bin/dsconfig create-delegated-admin-resource-rights \ --rights-name Admin \ --rest-resource-type managers \ --set enabled:true \ --set admin-permission:reference \ --set admin-scope:all-resources-in-base ``` For more information about resource rights and permissions, see [Configuring delegated administrator rights on the PingDirectory server](pd_da_config_delegated_admin_rights_pd_server.html). 4. Use the following command to set the search filter, where `%%` represents the search text entered in the web application. ### Example: ```shell $ bin/dsconfig set-rest-resource-type-prop \ --type-name users \ --set 'search-filter-pattern:(|(cn=*%%*)(mail=%%*)(uid=%%*))' ``` When search text is entered in Delegated Admin, the property `search-filter-pattern` specifies which attributes to search in the PingDirectory server. To satisfy the query, define the appropriate attribute indexes for the PingDirectory server. For more information, see the PingDirectory Server Administration Guide. 5. To manage users whose profiles feature a large number of attributes, place the attributes in logical groupings, called attribute categories, and give them a specific display order. ### Example: The following commands create attribute categories and specify their display order. ```shell $ bin/dsconfig create-delegated-admin-attribute-category \ --display-name "Basic Information" \ --set display-order-index:1 $ bin/dsconfig create-delegated-admin-attribute-category \ --display-name "Contact Information" \ --set display-order-index:2 $ bin/dsconfig create-delegated-admin-attribute-category \ --display-name "Other Attributes" \ --set display-order-index:3 ``` 6. The following example commands assign attributes to a category and specify the display order of each attribute within its category. ### Example: ```shell $ bin/dsconfig set-delegated-admin-attribute-prop \ --type-name users \ --attribute-type cn \ --set "attribute-category:Basic Information" \ --set display-order-index:1 $ bin/dsconfig set-delegated-admin-attribute-prop \ --type-name users \ --attribute-type sn \ --set "attribute-category:Basic Information" \ --set display-order-index:2 ``` Unassigned attributes are displayed in a miscellaneous category. 7. For multivalued LDAP attributes, indicate whether the application should present them as multivalued. If not specified, the attributes are presented in the application as single-valued, even if the LDAP schema definition for the attribute allows multiple values. | | | | - | ------------------------------------------------------------------------------------ | | | This setting does not apply to attributes that are handled by custom UI form fields. | ### Example: ```shell $ bin/dsconfig set-delegated-admin-attribute-prop \ --type-name users \ --attribute-type mail \ --set multi-valued:true ``` ## Constructed attributes A constructed attribute is an attribute whose value is computed from values that are assigned to other attributes. For example, the system might construct a full- or common-name attribute, `cn`, from values that are assigned to the standard `givenName` and `sn` attributes, as follows: ``` dsconfig create-constructed-attribute \ --attribute-name ReqConstructedCN --set attribute-type:cn \ --set 'value-pattern:{givenName} {sn}' ``` Beginning with Delegated Admin 3.5.0 and PingDirectory server 7.3.0.1, the value of a constructed attribute can be updated automatically whenever the value of a source attribute is created or when it is edited. ``` dsconfig set-rest-resource-type-prop \ --type-name users \ --set post-create-constructed-attribute:ReqConstructedCN \ --set update-constructed-attribute:ReqConstructedCN ``` In these examples, a change to the value of `givenName` or `sn` forces a corresponding change to the value of `cn`. Attributes that contribute to a required constructed attribute are identified in the UI as **Required** even if they were not originally designated as such. Because `cn` is a required attribute in this example, `givenName` and `sn` are also required. | | | | - | --------------------------------------------------------------------------------------- | | | An attribute's capability of being changed after its creation is called its mutability. | As with standard attributes, constructed attributes are stored as LDAP *(tooltip: \
\

An open, cross platform protocol used for interacting with directory services.\

\
)* attributes in a database like the PingDirectory server. ## Setting an attribute to read-only ### About this task Beginning with Delegated Admin 3.5.0 and PingDirectory 7.3.0.1, you can set user access to standard and constructed attributes to `read-only` and `read/write`. You should restrict access to constructed attributes to `read-only`. Read-only attributes do not appear on the UI pages that are associated with the creation of users groups and other objects. ### Steps * Use the `dsconfig` tool to set a standard or constructed attribute as `read-only`. #### Example: ``` dsconfig set-delegated-admin-attribute \ --type-name users \ --attribute-type modifyTimestamp \ --set mutability:read-only ``` #### Example: The following example resets a standard or constructed attribute from `read-only` to `read/write`: ``` dsconfig set-delegated-admin-attribute \ --type-name users \ --attribute-type modifyTimestamp \ --reset mutability ```