
Role and Policy Engine Configuration

Management of ValidFrom and ValidTo properties

The ValidFrom and ValidTo properties have different field types in SAP and in Omada Identity Cloud. In SAP they are date-only fields, but in Omada Identity Cloud they are date/time fields. This means you must add a timestamp in the Queries and mappings for the SAP collector.

Role and Policy Engine ValidFrom and ValidTo calculations

For the ValidFrom and ValidTo property calculations, the Role and Policy Engine (RoPE) uses the time zone configured in the Identity account. If the time zone is not configured, the Default time zone customer setting is used.

When the extendValidityPeriods setting in the RoPE EngineConfiguration.config file is set to true, the ValidTo property of the Calculated Resource Assignment is set to end of business for the identity.

Note: This behavior applies to assignments with the desired state.

[Illustration not shown: EngineConfiguration.config file with extendValidityPeriods set to true.]

ValidFrom and ValidTo task mappings

Use the following expressions for time zone mappings for ValidFrom and ValidTo:

TimeZoneInfo.ConvertTime(ROPE_ValidFrom, TimeZoneInfo.FindSystemTimeZoneById("Central European Standard Time")).ToString("yyyyMMdd")

TimeZoneInfo.ConvertTime(ROPE_ValidTo, TimeZoneInfo.FindSystemTimeZoneById("Central European Standard Time")).ToString("yyyyMMdd")
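
The following added example (not part of the original page or of Omada's own code) runs the mapping expression above over constructed sample values to show when the date written to SAP differs from the date part of the unconverted value. It assumes the values are UTC instants; the helper name ToSapDate is hypothetical.

```csharp
using System;

static class ValidityMappingDemo
{
    // The page's mapping expression wrapped in a helper (ToSapDate is a hypothetical name).
    // Windows zone IDs such as this one also resolve on Linux/macOS with .NET 6+ and ICU.
    static string ToSapDate(DateTime ropeValue) =>
        TimeZoneInfo.ConvertTime(
            ropeValue,
            TimeZoneInfo.FindSystemTimeZoneById("Central European Standard Time"))
        .ToString("yyyyMMdd");

    static void Main()
    {
        // Constructed sample values. Assumption: the values are UTC instants.
        // ConvertTime treats DateTimeKind.Unspecified as the host's local time,
        // so the Kind of the real ROPE_ValidFrom/ROPE_ValidTo values matters.
        DateTime[] samples =
        {
            new DateTime(2024, 1, 15, 22, 59, 59, DateTimeKind.Utc), // 23:59:59 CET, same day
            new DateTime(2024, 1, 15, 23, 30, 0, DateTimeKind.Utc),  // 00:30 CET, next day
            new DateTime(2024, 7, 15, 22, 30, 0, DateTimeKind.Utc),  // 00:30 CEST, next day
        };

        foreach (DateTime utc in samples)
        {
            string naive = utc.ToString("yyyyMMdd"); // date part without conversion
            string mapped = ToSapDate(utc);          // date part after conversion
            string flag = naive == mapped ? "same day" : "DATE SHIFTS";
            Console.WriteLine($"{utc:yyyy-MM-dd HH:mm:ss}Z  naive={naive}  mapped={mapped}  {flag}");
        }
    }
}
```

For the second and third samples the converted date is one day later than the unconverted date part, so skipping the conversion would write a validity date to SAP that is one day off from the intended one.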

Onboarding an SAP system with exclusively managed disabled

With exclusively managed disabled, only the actual state of the assignment is available. You are required to change the queries and mappings for ValidTo on the assignment to include the timestamp.

For a user in the UTC+1 time zone, an example timestamp can look like 21:00:00.000.

Since both the timestamp and the time zone are considered when calculating the ValidTo property, including the timestamp allows the assignment to expire by the end of the day.