A user attribute can be populated in several ways with the values that are ultimately passed to applications during the provisioning process.
The way these values are populated depends on both the attribute type and where the value was entered in the default hierarchy.
Attribute types include:
- Character strings
- "Multiselect" arrays, enabling the selection of multiple values for a single attribute
- Drop-down lists, enabling the selection of a single value for a single attribute
- True-false booleans
- Encrypted passwords
The default hierarchy includes:
- Default: attribute values entered on the Parameters tab in the app editor.
- Mapped: attribute values generated by provisioning Rules (or mappings).
- Manual: user-specific attribute values entered manually on the user "login record" for an app.
The following table shows how the attribute type and the presence of values at each of these levels of the default hierarchy determine the attributes that are passed to the app. Default values represent a baseline that is sometimes overridden by mapped values and sometimes not. Manually-entered values always override default and mapped values.
Note that Entitlements refer to attributes whose values are usually synced to OneLogin from the app (like Google Groups or Office 365 Licenses) by the Refresh Entitlements process, thereby making them available to assign to users during provisioning.
| Attribute type | Sample values | Values if Default + Mapping applied | Values if Default + Mapping + Manual applied |
|---|---|---|---|
| | | Mapping (Bar) | Manual (Baz) |
| | | Default + Mapping (1,2,3,4) | Manual (5) |
| List, entitlement | Default: 1 | Mapping (2) | Manual (3) |
| List, non-entitlement | Default: 1 | Default (1)* | Manual (3) |
| Boolean (true-false), entitlement | Default: F | Mapping (T)** | Manual (F) |
| Boolean (true-false), non-entitlement | Default: F | Default (F)* | Manual (T) |
| Password (encrypted string) | Default: pa$wd | Default: pa$wd* | Manual (pa$$word) |
* Non-entitlement list attributes, non-entitlement boolean attributes, and passwords are not available for mapping.
** Boolean entitlement mappings currently override the default only if the default is False and the Mapping is True. In a future release, this will be changed to take the mapped value regardless of default value.
Manually-entered attributes always win
It is important to understand that any manually-entered attribute always overrides values populated by defaults and mappings. In essence, a manual override "locks" the attribute value: once you have manually overridden a default or mapped value, you cannot "unlock" the attribute so that a default or mapping can populate it again unless you reset the user. Resetting disables all manually-entered user attributes on the login record and goes back to using the defaults and mappings.
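The precedence rules in the table, its footnotes and the manual-override rule above can be modelled as a small resolver. This is an added example, not OneLogin code: the function names, the `kind` strings and the sample record are hypothetical, and treating the multiselect result as an order-preserving union of default and mapped values is an assumption based on the "Default + Mapping (1,2,3,4)" cell.

```python
def is_mappable(kind, entitlement):
    # Footnote *: passwords and non-entitlement list/boolean attributes cannot be mapped.
    if kind == "password":
        return False
    if kind in ("list", "boolean"):
        return entitlement
    return True  # string, multiselect

def resolve(kind, entitlement=False, default=None, mapped=None, manual=None):
    """Return (value, source) passed to the app for one attribute."""
    if manual is not None:  # manual values always win and lock the field
        return manual, "manual"
    if mapped is None or not is_mappable(kind, entitlement):
        return default, "default"
    if kind == "multiselect":  # table cell: "Default + Mapping (1,2,3,4)"
        merged = list(default or [])
        merged += [v for v in mapped if v not in merged]  # assumed: union, no duplicates
        return merged, "default+mapping"
    if kind == "boolean":
        # Footnote **: mapping overrides only when default is False and mapping is True.
        if default is False and mapped is True:
            return True, "mapping"
        return default, "default"
    return mapped, "mapping"

def masked_by_manual(fields):
    """Names of fields whose manual value hides a different default/mapped result."""
    masked = []
    for name, f in fields.items():
        if f.get("manual") is None:
            continue
        auto, _ = resolve(**{**f, "manual": None})  # what rules alone would produce
        if auto != f["manual"]:
            masked.append(name)
    return masked

# Constructed sample login record; field names and values are illustrative only.
SAMPLE = {
    "groups": dict(kind="multiselect", default=[1, 2], mapped=[3, 4], manual=[5]),
    "license": dict(kind="list", entitlement=True, default=1, mapped=2),
    "admin": dict(kind="boolean", entitlement=True, default=False, mapped=True, manual=False),
}

if __name__ == "__main__":
    for name, f in SAMPLE.items():
        print(name, resolve(**f))
    print("locked and diverging:", masked_by_manual(SAMPLE))
```

`masked_by_manual` is the check to run before relying on a rule change, since a locked field keeps its manual value until the login record is reset.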
Resetting manually-entered attributes
To reset all manually-entered user values for a user's app login record:
- Go to the user's app login record. You can either:
  - Go to Users > All Users and select the user. Then go to the Applications tab and select the application (click the row) to display the Edit Application Login For Username dialog (the "user login record").
  - Go to Apps > Company Apps and select the app. Then go to the app's Users tab and select the user (click the user row) to display the Edit Application Login For Username dialog.
- On the Edit Application Login For Username dialog, scroll down to the Provisioning Status section and click Reset Login.
This unlinks the OneLogin user record from their app account and clears all values, enabling defaults and mappings to populate those values and initiating a reprovisioning event.
You can also reset multiple user login records in bulk by selecting Reset from the Apply to All drop-down menu on the Users tab in the app editor.
Note. In an upcoming release, we will provide an updated user login interface that lets you "unlock" or reset any manually-entered values one at a time, making them free to be populated by defaults and mappings.
Note. Before February 8, 2017, a manual override of one field on a user login record sometimes locked the entire user login record, making it impossible to use defaults or mappings to update other fields, even though they had not been manually overridden. Now manual overrides only lock the fields that were manually entered.