PingDirectory

Security considerations

The primary security consideration for composed attributes is that they can expose the values of other attributes.

For example, if the cn attribute is composed from the values of the givenName and sn attributes, then a user with permission to read the cn attribute could determine the values of the givenName and sn attributes even if they do not have permission to read these attributes directly.

This is not typically a significant concern, and you can address it by ensuring that the user’s access-control configuration restricts access to source attributes used in a composed attribute value pattern and imposes similar restrictions to the composed attribute.