Role and Policy Engine Configuration
The EngineConfiguration.config file (located by default in C:\Program Files\Omada Identity Suite\Role and Policy Engine\Service\ConfigFiles) for RoPE must be updated to resolve attribute values for SAP_VALIDFROM and SAP_VALIDTO by using the AttributeValueResolver extension:
<add type="Omada.RoPE.Controller.OISX.Extensions.AttributeValueResolver, Omada.RoPE.Controller.OISX">
  <settings>
    <add key="SAP_ROLE_VALIDFROM" name="SAP Role:SAP_VALIDFROM"
         extraInfo="Type:Expression" value="ROPE_ValidFrom.ToString(&quot;yyyyMMdd&quot;)" />
    <add key="SAP_ROLE_VALIDTO" name="SAP Role:SAP_VALIDTO"
         extraInfo="Type:Expression" value="ROPE_ValidTo.ToString(&quot;yyyyMMdd&quot;)" />
  </settings>
</add>
The extension is most likely already present in the file in commented-out form and only needs to be uncommented. Before uncommenting it, make sure that it is not already active somewhere else in the file; if it is, add the two keys:
    <add key="SAP_ROLE_VALIDFROM" name="SAP Role:SAP_VALIDFROM"
         extraInfo="Type:Expression" value="ROPE_ValidFrom.ToString(&quot;yyyyMMdd&quot;)" />
    <add key="SAP_ROLE_VALIDTO" name="SAP Role:SAP_VALIDTO"
         extraInfo="Type:Expression" value="ROPE_ValidTo.ToString(&quot;yyyyMMdd&quot;)" />
inside the existing instance of the AttributeValueResolver extension rather than registering the extension a second time.
If the AttributeValueResolver extension does not exist anywhere in the file, add it anywhere inside the extensions node.
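The following script is an added example, not part of the Omada documentation or product: it loads an EngineConfiguration.config fragment and reports whether the AttributeValueResolver extension is registered exactly once and carries both SAP validity keys with the expected extraInfo and date format. The extension type name and key names are taken from the page; the sample XML is constructed.

```python
# Added example, not part of the Omada documentation: check that an
# EngineConfiguration.config registers AttributeValueResolver once with both SAP keys.
import xml.etree.ElementTree as ET

RESOLVER_TYPE = "Omada.RoPE.Controller.OISX.Extensions.AttributeValueResolver"
REQUIRED_KEYS = ("SAP_ROLE_VALIDFROM", "SAP_ROLE_VALIDTO")

def check_resolver_config(xml_text):
    """Return a list of findings; an empty list means the configuration is as expected."""
    root = ET.fromstring(xml_text)
    # type="<type>, <assembly>": compare the type part only, tolerating line breaks.
    resolvers = [e for e in root.iter("add")
                 if e.get("type", "").split(",")[0].strip() == RESOLVER_TYPE]
    if not resolvers:
        return ["AttributeValueResolver extension is not registered (or still commented out)"]
    findings = []
    if len(resolvers) > 1:
        findings.append(f"AttributeValueResolver registered {len(resolvers)} times; keep one instance")
    settings = [s for r in resolvers for s in r.findall("settings/add")]
    for key in REQUIRED_KEYS:
        hits = [s for s in settings if s.get("key") == key]
        if not hits:
            findings.append(f"missing setting {key}")
            continue
        if len(hits) > 1:
            findings.append(f"setting {key} defined {len(hits)} times")
        if hits[0].get("extraInfo") != "Type:Expression":
            findings.append(f"{key}: extraInfo must be Type:Expression")
        if "yyyyMMdd" not in hits[0].get("value", ""):
            findings.append(f"{key}: value does not format the date as yyyyMMdd")
    return findings

# Constructed sample fragment: one resolver instance, both keys present.
SAMPLE_OK = """<extensions>
  <add type="Omada.RoPE.Controller.OISX.Extensions.AttributeValueResolver, Omada.RoPE.Controller.OISX">
    <settings>
      <add key="SAP_ROLE_VALIDFROM" name="SAP Role:SAP_VALIDFROM"
           extraInfo="Type:Expression" value="ROPE_ValidFrom.ToString(&quot;yyyyMMdd&quot;)" />
      <add key="SAP_ROLE_VALIDTO" name="SAP Role:SAP_VALIDTO"
           extraInfo="Type:Expression" value="ROPE_ValidTo.ToString(&quot;yyyyMMdd&quot;)" />
    </settings>
  </add>
</extensions>"""
# Constructed sample: the VALIDTO key was never added.
SAMPLE_MISSING = SAMPLE_OK.replace('key="SAP_ROLE_VALIDTO"', 'key="SAP_ROLE_VALIDTO_TYPO"')
```

Run check_resolver_config on the text of your own EngineConfiguration.config (after uncommenting) to confirm the edit took effect before restarting the service.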
Management of ValidFrom and ValidTo properties
The ValidFrom and ValidTo properties have different field types in SAP and in Omada Identity Suite: in SAP they are date-only fields, whereas in Omada Identity Suite they are date/time fields. A timestamp therefore has to be added in the queries and mappings for the SAP collector.
Role and Policy Engine ValidFrom and ValidTo calculations
When calculating the ValidFrom and ValidTo properties, the Role and Policy Engine (RoPE) uses the time zone configured on the identity's account. If no time zone is configured, the Default time zone customer setting is used.
When the extendValidityPeriods setting in the RoPE EngineConfiguration.config file is set to true, the ValidTo property of the Calculated Resource Assignment is set to end of business for the identity.
This behavior applies to assignments with a desired state.
Onboarding SAP system with the exclusively managed disabled
With exclusively managed disabled, only the actual state of the assignment is available. You must change the queries and mappings for ValidTo on the assignment to include the timestamp.
For a user in the UTC+1 time zone, an example timestamp can look like 21:00:00.000.
Since both the timestamp and the time zone are considered when calculating the ValidTo property, including the timestamp allows the assignment to expire at the end of the day.