Skip to main content

Role and Policy Engine configuration

info

You must configure Omada Identity RoPE to copy resource-driven attributes to Exchange User Mailbox Calculated Resource Assignments (CRA). You must also configure Omada Identity RoPE to call an Exchange extension that differentiates CRAs to other users' mailboxes.

For more information, refer to Role and Policy Engine section of the documentation.

To configure RoPE:

  1. First, add two extensions to the EngineConfiguration.config file located in C:\Program Files\Omada Identity Suite\Role and Policy Engine\Service\ConfigFiles.
  2. If the lines are already there, you should uncomment the lines and restart the Role and Policy Engine service.
<add type="Omada.RoPE.Controller.OISX.Extensions.ExchangeIntegrationExtension, Omada.RoPE.Controller.OISX" />
      <add type="Omada.RoPE.Controller.OISX.Extensions.AttributeValueResolver, Omada.RoPE.Controller.OISX">
        <settings>
          <add key="setting1" name="Exchange User Mailbox:ISSUEWARNINGQUOTA" extraInfo="Type:ReferencePath" value="/#ASSIGNMENTS_PER_RESOURCETYPE/Exchange Mailbox Option:[ISSUEWARNINGQUOTA]" />
          <add key="setting2" name="Exchange User Mailbox:PROHIBITSENDQUOTA" extraInfo="Type:ReferencePath" value="/#ASSIGNMENTS_PER_RESOURCETYPE/Exchange Mailbox Option:[PROHIBITSENDQUOTA]" />
          <add key="setting3" name="Exchange User Mailbox:PROHIBITSENDRECEIVEQUOTA" extraInfo="Type:ReferencePath" value="/#ASSIGNMENTS_PER_RESOURCETYPE/Exchange Mailbox Option:[PROHIBITSENDRECEIVEQUOTA]" />
          <add key="setting4" name="Exchange User Mailbox:PRIMARY_EMAIL" extraInfo="Type:ReferencePath" value="/#IDENTITY:[EMAIL]" />
          <add key="setting5" name="Exchange User Mailbox:WEBMAIL" extraInfo="Type:ReferencePath" value="/#ASSIGNMENTS_PER_RESOURCETYPE/Exchange Mailbox Option:[WEBMAIL]" />
          <add key="setting6" name="Exchange User Mailbox:HIDEINADDRESSLIST" extraInfo="Type:ReferencePath" value="/#ASSIGNMENTS_PER_RESOURCETYPE/Exchange Mailbox Option:[HIDEINADDRESSLIST]" />
          <add key="setting7" name="Exchange User Mailbox:MAILBOXLOCATION" extraInfo="Type:ReferencePath" value="/#ASSIGNMENTS_PER_RESOURCETYPE/Exchange Mailbox Option:[MAILBOXLOCATION]" />
        </settings>
      </add>

RoPE Exchange extension

To utilize the Exchange Online connectivity, you must use a standard Role and Policy Engine Extension (ExchangeIntegrationExtension) provided by Omada. The extension accepts systems onboarded with both the Microsoft Azure Active Directory connector and Microsoft Entra ID connector (for Entra ID, you must use either the Omada Identity Cloud October 2024 update or Omada Identity 15.0.2).

The extension serves two purposes as described below.

Mailbox references

Prevent resource assignments to Exchange Mailbox resources from being merged into one resource assignment.

Enable and disable User Mailbox resource assignments based in Mailbox Location

The RoPE concept and calculation relies on the Exchange system trusting two account systems - Active Directory and Microsoft Entra ID. Thereby RoPE calculates two exchange mailboxes, one for each account (should the user have an account in both systems). As a starting point, this would lead to an attempt to provision a mailbox in both places and it would also lead to a re-provisioning of a mailbox when a mailbox is being migrated, for example, from local to cloud (since RoPE simply loses the actual state of that local mailbox).

The solution is to let the RoPE ExchangeIntegrationExtension enable and disable the mailbox assignment based on where the mailbox is actually placed. Initially, we provision the mailbox as stated in the MAILBOXLOCATION attribute. From that point we don't try to reconcile the mailbox location, rather disable it, and we enable the assignment with an actual state.

The extension:

  • Works for any number of exchange systems should there ever be more than one.
  • Works for any of the built-in exchange mailbox resource types, should an identity have two or more mailboxes of different resource type.
  • Depends on there are exactly two trusted account systems and no account assignment in the Exchange system.
  • Depends on the account systems trusted by Exchange are configured with the standard Microsoft Active Directory and Microsoft Entra ID collectors.