Supported User Attributes

You can choose IAM Identity Center or an external identity provider as your identity source. The following table lists the user attributes that support ABAC for the two identity sources. These user attributes can be selected during the configuration of access control attributes. These attribute values include basic information, contact information, work-related information, and address information of users. You can select these user attributes and assign attribute keys to them for access control decisions when performing ABAC.

If you use an external identity provider as the identity source, you can configure user attributes for performing ABAC in both IAM Identity Center and the external identity provider. If the ABAC attribute keys configured in IAM Identity Center are the same as those configured in the external identity provider, the former is preferentially used for access control decisions.

**Table 1** Supported user attributes
Identity Source	User Attribute
IAM Identity Center	${user:email}
	${user:familyName}
	${user:givenName}
	${user:middleName}
	${user:name}
	${user:displayName}
External identity provider	${path:userName}
	${path:name.familyName}
	${path:name.givenName}
	${path:displayName}
	${path:nickName}
	${path:emails[primary eq true].value}
	${path:addresses[type eq "work"].streetAddress}
	${path:addresses[type eq "work"].locality}
	${path:addresses[type eq "work"].region}
	${path:addresses[type eq "work"].postalCode}
	${path:addresses[type eq "work"].country}
	${path:addresses[type eq "work"].formatted}
	${path:phoneNumbers[type eq "work"].value}
	${path:userType}
	${path:title}
	${path:locale}
	${path:timezone}
	${path:enterprise.employeeNumber}
	${path:enterprise.costCenter}
	${path:enterprise.organization}
	${path:enterprise.division}
	${path:enterprise.department}
	${path:enterprise.manager.value}