4.3.3. Additional user attributes¶
Since version 3.6 privacyIDEA allows to manage additional internal attributes for users read from resolvers. These additional attributes are stored and managed within privacyIDEA. Administrators can manage attributes of users (see policies set_custom_user_attributes and delete_custom_user_attributes) and users can manage their attributes themselves (see policies set_custom_user_attributes and delete_custom_user_attributes).
The additional attributes are added to the user object, whenever a user is used. The attributes are also added in the response of an authentication request. Thus these attributes could be used to pass additional attributes via the RADIUS protocol.
The user attributes can also be used as additional conditions in policies (see Extended Policy Conditions) in the userinfo section. This way the additional attributes can be used to group users together within privacyIDEA and assign distinct policies to these groups, without the need to rely on information from the user store.
The policy condition uses attributes (userinfo) from the user store and additional user attributes managed in privacyIDEA at the same time.
If the user already has a certain key in the userinfo that is fetched from the resolver, the additional user attributes can also be used to overwrite the value from the user store!