PingOne Advanced Identity Cloud

Customize managed object types

You can customize Advanced Identity Cloud managed object types to suit your organization’s needs. This allows you to store additional information, such as a user’s department, a role’s associated cost center, or a device’s operating system, directly on the relevant managed object types.

The Advanced Identity Cloud schema includes several managed object types that you can customize:

  • User: The default managed object type for end users, which includes common properties such as name, email, and phone number.

  • Roles, assignments, groups, and organizations: Default managed object types used to manage access and organizational structure.

  • Custom: Any managed object type you create to represent unique entities in your organization, such as devices.

Advanced Identity Cloud does not support the modification of application object types.

Learn more about the Advanced Identity Cloud identity schema in Advanced Identity Cloud identity schema.

Customize user managed object types

You can customize user managed object types by either adding custom properties or using existing general purpose extension properties. This lets you store additional profile data such as department, cost center, application preferences, and device lists.

Custom properties

Use custom properties when you need flexible, non-searchable data for journeys and scripts.

These properties are stored in an unindexed JSON data structure, so they aren’t searchable. However, you can access them in your scripts and use them to make dynamic decisions in your journeys.

Learn how to manage custom properties.

General purpose extension properties

Use general purpose extension properties when the data must be searchable or filterable.

These are predefined properties that are part of the default user identity schema. Some of these properties are indexed, so you can search and filter on them.

Learn how to manage general purpose extension properties.

Advanced Identity Cloud doesn’t support searching on user identity custom properties, which can sometimes render an environment unresponsive. Instead, if you need to make a particular user identity property searchable, use an indexed extension property. Learn more in Manage general purpose extension properties.

Manage general purpose extension properties

You can use the general purpose extension properties that already exist on user identities. These properties are predefined as part of the default identity schema. The following extension properties are indexed, so you can use them as searchable properties:

  • Generic Indexed String 1–20

  • Generic Indexed Multivalue 1–5

  • Generic Indexed Date 1–5

  • Generic Indexed Integer 1–5

Customize an extension property

You can only change the display label of an extension property. You can’t change its underlying data type (for example, from String to Integer).

  1. In the Advanced Identity Cloud admin console, go to people Identities > Configure.

  2. Click the managed object type, for example, Alpha realm - User or Bravo realm - User.

  3. Click Properties in the left menu pane.

  4. Find an extension property that has one of the following default labels:

    • Generic Indexed String 1–20 or Generic Unindexed String 1–5, 6–20[1]

    • Generic Indexed Multivalue 1–5 or Generic Multivalue String 1–5

    • Generic Indexed Date 1–5 or Generic Date String 1–5

    • Generic Indexed Integer 1–5 or Generic Integer String 1–5

      If you need to make the property searchable, make sure you use an indexed extension property.

  5. Click on the property to edit it.

  6. In the Display Label (optional) field, enter a custom label. For example, Department.

  7. Click Save.

Customize role, assignment, group, and organization managed object types

You can customize role, assignment, group, and organization managed object types by adding properties to their default schema. This lets you store more useful information about each identity such as a description of a role or group, or the cost center for an organization.

Any custom property you add to a role, assignment, group, or organization is automatically indexed and searchable. Because of this automatic indexing, it’s recommended that you add no more than 12 custom properties each to each of these object types. Adding too many indexed properties can negatively impact the performance of your tenant environments.

Learn how to manage custom properties.

Customize custom managed object types

You can add properties to any custom managed object types you’ve created. This lets you store useful information about each identity, such as the device type and operating system for a custom managed object type that represents devices.

Learn how to manage custom properties.

Manage custom properties

You can create and modify custom properties directly on the managed object types to store additional information about the object.

Create a custom property

  1. In the Advanced Identity Cloud admin console, go to people Identities > Configure.

    The console displays the list of managed object types in the current realm.

  2. Click the managed object type, for example, Alpha realm - User or Bravo realm - User.

  3. Click the Properties tab and click add Add a Property.

  4. Select the property type and click Next.

  5. Enter the following details in the New [type] Property modal:

    1. In the Property Key field, enter a unique identifier for the property. The property key can only include alphanumeric characters and underscores.

      For user managed object types, all custom properties are automatically prefixed with custom_. For example, if you enter department as the property key, the full property name will be custom_department.

    2. Complete the optional settings for the new property.

    3. Select the Multi-valued checkbox if the property holds multiple values. This is applicable only to String, Number, and Object property types.

    4. Select the Required checkbox if the property is required.

The Required policy is enforced only when an identity is created, not when it is updated. This means you can bypass the policy by updating the identity and setting the property to an empty value. To prevent this, select Required in the admin console and add a not-empty policy for the same property using the REST API. Learn more in Apply policies to managed objects.

  1. Do one of the following:

    • Click Save to save the property with default settings.

    • Click Switch to advanced setup to configure additional property settings in a wizard.

    • If you’re creating an Object type property, click Next to define nested properties.

  2. Complete the additional property settings as necessary, and click Save when you’re done.

Learn more about configuring property settings in Property settings reference.

Modify a custom property

If you modify a managed object type, review any existing objects of that type to ensure that they’re still valid. For example, if you make a property required, make sure that all existing objects of that type have a value for that property.

  1. In the Advanced Identity Cloud admin console, go to people Identities > Configure.

  2. Click the managed object type that contains the property you want to modify.

  3. In the left menu pane, click Properties.

  4. Locate and click the property you want to edit.

  5. Update the property settings and click Save.

Delete a custom property

If you don’t delete all data stored in the custom property before deleting the property, you might see errors when running subsequent reconciliations.

To delete a user identity custom property:

  1. Get an access token created with the fr:idm:* scope.

  2. Delete all data stored in the custom property for all users that have data in the property:

    1. Find all users with data stored in the custom property:

      Show request 
      $ curl -G \
--request GET 'https://<tenant-env-fqdn>/openidm/managed/alpha_user' \(1)
--header 'Content-Type: application/json' \
--header 'Accept-API-Version: resource=1.0' \
--header 'Authorization: Bearer <access-token>' \(2)
--data-urlencode '_fields=userName,givenName,sn,mail,accountStatus,<custom-property>' \(3)
--data-urlencode '_queryFilter=<custom-property> pr'(3)
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <access-token> with the access token created in step 1.
      3 Replace <custom-property> with the name of the custom property (for example, custom_department). The pr operator means "present", so this query finds all users where the custom property has a value.
      Example response 
      {
  "result": [
    {
      "_id": "ce3c42e2-6f9c-4451-8590-9ee40fad3f83",
      "_rev": "2c83eb63-7445-4aa6-a585-1c7dbe58b3a8-29020",
      "custom_department": "Accounts",
      "givenName": "Barbara",
      "accountStatus": "active",
      "sn": "Jensen",
      "mail": "babs.jensen@example.com",
      "userName": "bjensen"
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}

    2. For each user you found in the previous step, delete the data stored in the custom property:

      Show request 
      $ curl \
--request PATCH 'https://<tenant-env-fqdn>/openidm/managed/alpha_user/<user-id>' \(1)(2)
--header 'Content-Type: application/json' \
--header 'Accept-API-Version: resource=1.0' \
--header 'Authorization: Bearer ' \(3)
--data '[
  {
    "operation":"remove",
    "field":"/<custom-property>"(4)
  }
]'
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <user-id> with the ID of the user identity; for example, ce3c42e2-6f9c-4451-8590-9ee40fad3f83.
      3 Replace <access-token> with the access token created in step 1.
      4 Replace <custom-property> with the name of the custom property (for example, custom_department) to delete from the user.

      The response should show the updated user with the custom property removed.

  3. Run a full reconciliation.

  4. Remove the custom property from the schema:

    1. In the Advanced Identity Cloud admin console, go to people Identities > Configure.

    2. Click the managed object type that contains the property you want to delete.

    3. Click Properties in the left menu pane.

    4. Locate the property you want to delete, click more_horiz and select delete Delete.

    5. Click Delete to confirm the deletion.

Property settings reference

Use the following tabs to configure settings for a managed object type’s property.

Details

Enter the basic details for the property such as its display label and description. You can also set the Property Format; be aware that changing this value clears any existing validation rules.

Select the Required checkbox if a property value is required. This setting also causes it to appear as a field in the UI when you create a new object of that type.

The Required policy is enforced only when an identity is created, not when it’s updated. This means you can bypass the policy by updating the identity and setting the property to an empty value. To prevent this, select Required in the admin console and add a not-empty policy for the same property using the REST API. Learn more in Apply policies to managed objects.
Property Value

Choose how the value is set for the property:

  • Manually: The value is set by the user when creating or updating an identity.

    Select the Enumerate allowable values for this property checkbox to add enumerated values for the property. End users can select from these when setting the value for the property. Enumerated values aren’t applicable to Boolean and Object property types.

    When you create enumerated values for a property, their display labels are automatically added to your tenant’s translation and locale configuration files. If you later update these translation files, you must ensure that these auto-generated enum labels aren’t removed. Removing them will break the display of the enumerated values in the UI.

  • Script: The value is automatically set by a script when creating or updating an identity. If you select this option, you must provide the script that sets the value.

    The Return by Default checkbox controls whether a virtual property is included in query results when it isn’t explicitly requested. Select this option for most virtual properties and relationship-derived virtual properties (RDVPs), so their values are available in typical reads and searches. Leave unselected only when the data is large, internal-only, or when working with arrays of relationships that are subject to validation policies.

  • Relationship: Use this to make the property a virtual property whose value is derived from related objects, using one or more existing relationship properties. These are called RDVPs and are distinct from the relationship properties themselves, which you configure on the Relationships tab.

    • In the Source(s) section, click add Add Source to specify the relationship properties that the property value will be derived from. For any single RDVP, all sources must start on the same managed object type (the one that owns the property), and end on the same target managed object type. For example, Applications I Own (User → Application), then Members (Application → User). This example starts and ends with the User managed object type.

    • In the Referenced Object Properties section, select the properties on the related object to include in the value of this property. Select either:

      • Full Object. The RDVP stores each target as a full JSON object, with _id, _rev, and all other fields.

      • Select Properties The RDVP stores only the fields you select from each target object.

    • Select Flatten properties, if you want a simple, query-friendly value instead of full object references. For example, a simple array such as ["manager1@example.com", "manager2@example.com"] instead of an array of objects.

    • Select Return By Default to include the RDVP in query results when it isn’t explicitly requested.

    Learn more about RDVPs and relationships in Relationships.

Advanced options:

  • Select Default Value to provide a default value for the property.

  • Select Nullable to allow a null value. For example, if you have a property for telephoneNumber, you can set it to null for users who don’t have a telephone number.

Properties (Object properties only)

Define the array of properties for the object property.

This allows you to group related fields (for example, a postalAddress object that contains street, city, postalCode) instead of flattening them all as top-level properties.

Display

Choose how the property is displayed in the admin console and the end user’s journey and account pages.

Validation

Advanced Identity Cloud provides a policy service that lets you apply specific validation requirements to managed object types. Learn more in Use policies to validate data and Policy reference.

Privacy & Encryption

Some managed object types contain data that you want to secure, such as credit card numbers and passwords.

Choose how to secure the property to protect sensitive data:

  • Select Private to prevent the property value being accessed over REST.

  • Select Encode to protect the property value with either reversible encryption or non-reversible salted hashing.

Learn more about securing identity data.

Access user identity custom properties in scripts

Legacy decision node scripts remain supported, but new development should use next-generation scripting. To access the latest bindings (for example, nodeState, httpClient, and updated utils), migrate your Scripted Decision node to a next-generation script. Learn more in Migrate decision node scripts to next-generation scripts.

To access a user identity custom property called custom_department in a Scripted Decision node:

  1. Configure the Identity Store Decision node:

    1. Make sure the Identity Store Decision node is placed before the Scripted Decision node in your journey.

    2. Select the Username as Universal Identifier checkbox in the Identity Store Decision node’s configuration. This ensures that the user’s UUID is stored in the username node state variable.

  2. Edit the script used by the Scripted Decision node:

    • To access the custom property using access management script functions, use the property fr-idm-custom-attrs. This contains a JSON object of all custom properties, so it needs to be parsed to access individual properties.

      var uuid = nodeState.get('username');
var customAttrsRaw = idRepository.getIdentity(uuid).getAttributeValues('fr-idm-custom-attrs')[0];
var customAttrs = JSON.parse(customAttrsRaw);
var department = customAttrs.custom_department;

      Learn more in Access profile data.

    • To access the custom property using identity management script functions, use the specific property name custom_department.

      var uuid = nodeState.get('username');
var userAttrs = openidm.read('managed/alpha_user/' + uuid, null, ['custom_department']);
var department = userAttrs.custom_department;

      Learn more in Access IDM scripting functions.

1. Additional indexed string attributes are enabled by default in tenants created on or after November 12, 2024. Learn how to enable them in tenants created before that date in Additional indexed string attributes.