Accounts
RoPE distinguishes between Calculated Account Resource Assignments (CARA) and Calculated Permission Resource Assignments (CPRA).
Configuration and example
This extension adds additional resource assignments for resources that are referred by the contexts in which an identity is. You can use the concept together with the assignment policies or as an alternative to the assignment policies.
Calculated resource assignments, both CARAs and CPRAs, can have attribute values. The use of attributes typically falls in one of the following categories:
Assignment reasons and states
The extension creates CRAs with the reason Review OK if the identity has CRAs that have been approved in a verdict survey.
The Attribute level reconciliation concept allows you to configure RoPE to compare the actual state attribute values of accounts and resource assignments with the desired state attribute values.
The extension resolves and assigns the value(s) for assignment attributes based on configured data object reference paths and dynamic expressions. You can configure it with a number of attributes and corresponding reference paths or dynamic expressions.
A calculated account resource assignment (CARA) and calculated permission resource assignment (CPRA) can have attribute values.
The extension disables all calculated assignments for an identity if the identity has no primary context. More specifically, if the identity has a primary context type specified, but is not a member of the context, all assignments are disabled.
The CalculationAffectingEventsResolver extension is responsible for queuing identities for calculation when an event occurs in Omada Identity, as described in the Event-based queuing section.
RoPE calculates a compliance status for all calculated assignments. The compliance status indicates if an assignment is under control, meaning that it has been either explicitly or implicitly approved. The
You can use the ComplianceStatusCalculator extension to calculate a Compliance status for each CRA. The compliance status is assigned to the attribute called ComplianceStatus.
You can apply the ConditionalInheritanceEvaluator extension to implement Conditional inheritance in, for example, SAP scenarios. The goal of conditional inheritance is that a child resource is only assigned to an identity if it has the same attribute as the identity (either inherited from the identity object or one of its context assignments).
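The conditional inheritance rule described above, modelled as an added Python example (not Omada's code and not the ConditionalInheritanceEvaluator's implementation): the attribute name CompanyCode, the data classes and the treatment of child resources that carry no value for the attribute are assumptions made for the illustration.

```python
"""Illustrative model of conditional inheritance: a child resource of an
assigned parent is granted only when its attribute value matches one the
identity holds, where the identity's values come from the identity object
itself or from any of its context assignments. Added example; the shapes
below and the attribute name "CompanyCode" are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    attributes: dict = field(default_factory=dict)   # e.g. {"CompanyCode": "1000"}
    children: list = field(default_factory=list)     # child resources of a parent role


@dataclass
class Identity:
    name: str
    attributes: dict = field(default_factory=dict)          # values on the identity object
    context_attributes: list = field(default_factory=list)  # one dict per context assignment


def identity_values(identity, attr):
    """Every value the identity holds for attr, from its own object and its contexts."""
    values = set()
    if attr in identity.attributes:
        values.add(identity.attributes[attr])
    for ctx in identity.context_attributes:
        if attr in ctx:
            values.add(ctx[attr])
    return values


def inherit(identity, parent, attr):
    """Names of the parent's children the identity receives under the conditional rule."""
    allowed = identity_values(identity, attr)
    granted = []
    for child in parent.children:
        if attr not in child.attributes:
            # Assumption: a child without the attribute is inherited unconditionally.
            granted.append(child.name)
        elif child.attributes[attr] in allowed:
            granted.append(child.name)
    return granted


# Constructed sample: an SAP composite role whose single roles are scoped by company code.
SAP_FI = Resource("SAP_FI_COMPOSITE", children=[
    Resource("FI_CLERK_1000", {"CompanyCode": "1000"}),
    Resource("FI_CLERK_2000", {"CompanyCode": "2000"}),
    Resource("FI_CLERK_3000", {"CompanyCode": "3000"}),
    Resource("FI_DISPLAY_ALL"),
])
# jdoe's own object says company code 1000; a context assignment adds 2000.
JDOE = Identity("jdoe", {"CompanyCode": "1000"},
                [{"CompanyCode": "2000"}, {"CostCenter": "CC-42"}])


if __name__ == "__main__":
    print(inherit(JDOE, SAP_FI, "CompanyCode"))
```

The point of the model is the value set: a child scoped to company code 3000 is withheld even though the parent role is assigned, while children matching either the identity's own value or a context-derived value are granted.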
You can configure Omada Identity RoPE:
The extension is part of the Separation of Duties feature in Omada Identity.
This extension computes the default account names for an identity. An identity can have a default account name per account resource defined in Omada Identity. A default account name is calculated using the account name format specified in the resource type.
The extension is part of the Delegate access feature in Omada Identity.
The purpose of the Differentiator RoPE extension is to define a differentiator for resource assignments so that assignments to the same resource that differ in the differentiator attribute are not automatically merged into one.
RoPE only allows an identity to have a single CRA per system/resource/account name combination. Therefore, if an identity has two assignments for the same resource, RoPE merges them into one. An identity can, for example, have two assignments if there are two assignment policies that assign the same resource to it.
Some basic configurations are set in the EngineConfiguration.Config file located in C
The purpose of this extension is to prevent resource assignments to Exchange Mailbox resources from being merged into one resource assignment.
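The merge rule (one CRA per system/resource/account name combination) and the differentiator exemption that keeps, for example, several Exchange mailbox assignments on one account apart, modelled as an added Python example. This is not Omada's code and not the Differentiator extension; the field names, the shape of the merge key, the assumption that a differentiator value simply widens that key, and the concatenation of assignment reasons are all assumptions.

```python
"""Illustrative model of RoPE's merge rule for calculated resource
assignments (CRAs): an identity gets one CRA per system/resource/account
name combination, so two assignments of the same resource (e.g. from two
assignment policies) collapse into one. A differentiator widens that key so
assignments that must stay apart are not merged. Added example, not Omada's
code; field names, merge_key shape and reason handling are assumptions."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CRA:
    system: str
    resource: str
    account_name: str
    reasons: list = field(default_factory=list)        # why the CRA exists
    attributes: dict = field(default_factory=dict)     # assignment attribute values
    differentiator: Optional[str] = None               # assumed: set to keep CRAs apart

    def merge_key(self):
        # Documented part of the key: system, resource, account name.
        # Assumed part: the differentiator value (None for ordinary resources).
        return (self.system, self.resource, self.account_name, self.differentiator)


def merge_cras(cras):
    """Collapse CRAs that share a merge key; order of first appearance is kept."""
    merged = {}
    for cra in cras:
        key = cra.merge_key()
        if key not in merged:
            merged[key] = CRA(cra.system, cra.resource, cra.account_name,
                              list(cra.reasons), dict(cra.attributes), cra.differentiator)
            continue
        target = merged[key]
        target.reasons.extend(r for r in cra.reasons if r not in target.reasons)
        for name, value in cra.attributes.items():
            # Assumption: first value wins on a conflict. Real attribute
            # resolution is a separate RoPE extension and is not modelled here.
            target.attributes.setdefault(name, value)
    return list(merged.values())


# Constructed sample: two policies grant the same AD group to the same account,
# plus two Exchange mailbox assignments that the differentiator keeps apart.
SAMPLE_CRAS = [
    CRA("AD", "Finance-Readers", "jdoe", ["Policy: Finance department"]),
    CRA("AD", "Finance-Readers", "jdoe", ["Policy: Oslo office"], {"Expires": "2025-01-01"}),
    CRA("Exchange", "Mailbox", "jdoe", ["Direct assignment"],
        {"Alias": "jdoe"}, differentiator="jdoe@corp.example"),
    CRA("Exchange", "Mailbox", "jdoe", ["Direct assignment"],
        {"Alias": "finance-shared"}, differentiator="finance@corp.example"),
]


def calculate(cras=SAMPLE_CRAS):
    return merge_cras(cras)


if __name__ == "__main__":
    for cra in calculate():
        print(cra.system, cra.resource, cra.account_name, cra.differentiator, cra.reasons)
```

Without a differentiator the two mailbox CRAs would share the key ("Exchange", "Mailbox", "jdoe") and the second mailbox would silently disappear from the calculation result, which is exactly the loss the Exchange extension on this page exists to prevent.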
A fundamental idea in Omada Identity is that it manages access rights, including deprovisioning those access rights that it believes should no longer exist. Omada Identity deprovisions a managed access right when it no longer has a desired state.
RoPE includes an extension model that allows you to modify the behavior of RoPE. Much of the core functionality of RoPE uses the extension model and is implemented as extensions.
The Grace days property specifies the number of grace days used when creating new transfer context assignments for the old context, using the Identity transfer code method. This will create an identity transfer object, which can be used for reporting, auditing, and retrieving old managers of an identity in the transfer identity assignments survey.
Processing an identity
The extension calculates the content of the INITIALPASSWORD attribute on the account assignment if the attribute is present on the resource type, and only if it is a new account.
Assigned resource overview
The Management Agent applies a data model in the connector space that has three categories of object types:
The extension is part of the Manual provisioning feature in Omada Identity.
Omada Identity includes a simulation feature for making policy checks from an access request.
If RoPE calculates a CRA and the current time is outside the validity period of the CRA, that is, before the validity period starts or after the validity period ends, the CRA is normally disregarded, so that it is not included in the calculation result.
From an Omada Identity perspective, to provision something means to create it in a target system.
When a resource assignment is to be provisioned or deprovisioned, RoPE creates a provisioning task for the provisioning mechanism selected for the system which the resource belongs to.
The purpose of the Provisioning Service extension is to exclude certain identities from being provisioned by OPS.
When RoPE processes an identity, it computes a provisioning status for each of the identity's account and permission assignments.
The purpose of this extension is to calculate a Provisioning status for each CRA. The provisioning status is assigned to the attribute called ProvisioningStatus.
Queuing types
The extension resolves and assigns the value(s) for assignment attributes based on the configured data object reference paths. You can configure it with a number of attributes and corresponding reference paths.
The resource-driven attributes concept allows for mapping and assigning attribute values to a CRA by retrieving the values from the resource of another CRA for the same identity.
This extension calculates the Risk Score and Risk Level for:
Read how the Role and Policy Engine (RoPE) works and how you can configure this engine to suit your organization’s needs.
Some settings for RoPE are set in Enterprise Server and they are described in the table that follows. You can change the settings in the Omada Identity Portal in Setup -> Administration -> More… -> Customer settings.
This extension is used for the external SAP GRC SoD check within the Policy & Risk check feature.
The Self-management extension is part of the Omada Identity Self-management feature in the Packaged Solution.
Prerequisites
Evaluates event definitions that are defined in the Omada Identity portal for resource types.
System data objects
You can specify a time zone for an identity in the Timezone property of the Users view. If you do not specify a time zone, the system uses the default time zone specified in the customer setting Default time zone (in the Customer settings view). The default time zone is 105.
In Omada Identity, all accounts should be associated with an identity.
The extension removes certain attributes from accounts for the UNRESOLVED identity.
RoPE calculates a validity period and disabled status for all CRAs.
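Two of the rules stated on this page decide whether a CRA appears in the calculation result and whether it is disabled: a CRA whose validity period does not contain the calculation time is disregarded, and every calculated assignment is disabled when the identity has a primary context type but is not a member of any context of that type. The added Python example below models both together; it is not Omada's code, and the class fields, the UTC timestamps and the returned status strings are assumptions.

```python
"""Illustrative model of two documented RoPE rules: a CRA outside its
validity period is disregarded (not part of the result), and all CRAs are
disabled when the identity lacks its primary context. Added example, not
RoPE's API; the data shapes and status strings are assumptions."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class CRA:
    resource: str
    valid_from: Optional[datetime] = None   # None: no lower bound
    valid_to: Optional[datetime] = None     # None: no upper bound


@dataclass
class Identity:
    name: str
    primary_context_type: Optional[str]            # e.g. "OrgUnit"; None if not configured
    contexts: dict = field(default_factory=dict)   # context type -> set of context ids


def in_validity_period(cra, now):
    """True when now lies inside [valid_from, valid_to], bounds inclusive."""
    if cra.valid_from is not None and now < cra.valid_from:
        return False
    if cra.valid_to is not None and now > cra.valid_to:
        return False
    return True


def has_primary_context(identity):
    """An identity without a configured primary context type is never blocked by this rule."""
    if identity.primary_context_type is None:
        return True
    return bool(identity.contexts.get(identity.primary_context_type))


def calculate(identity, cras, now):
    """Return {resource: "active" | "disabled"} for the CRAs that survive the validity check."""
    disable_all = not has_primary_context(identity)
    result = {}
    for cra in cras:
        if not in_validity_period(cra, now):
            continue   # disregarded: the CRA is not included in the calculation result
        result[cra.resource] = "disabled" if disable_all else "active"
    return result


# Constructed sample: one current CRA, one expired, one not yet valid. All UTC.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CRAS = [
    CRA("AD/Finance-Readers", valid_from=datetime(2024, 1, 1, tzinfo=timezone.utc)),
    CRA("AD/Project-X", valid_to=datetime(2024, 5, 1, tzinfo=timezone.utc)),
    CRA("SAP/FI_CLERK", valid_from=datetime(2024, 7, 1, tzinfo=timezone.utc)),
]
IN_ORG = Identity("jdoe", "OrgUnit", {"OrgUnit": {"OU-Finance"}})
LEFT_ORG = Identity("jdoe", "OrgUnit", {})          # primary context type set, no membership
NO_TYPE = Identity("svc-backup", None)              # no primary context type configured


if __name__ == "__main__":
    print(calculate(IN_ORG, SAMPLE_CRAS, NOW))
    print(calculate(LEFT_ORG, SAMPLE_CRAS, NOW))
    print(calculate(NO_TYPE, SAMPLE_CRAS, NOW))
```

The distinction between "disregarded" and "disabled" matters downstream: a disabled CRA still exists and can drive deprovisioning of the access it describes, whereas a disregarded CRA simply contributes nothing to the result.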
The extension resolves the validity of an object that participates in a calculation of an assignment for an identity. The validity is resolved for objects of these types:
The purpose of the Violation Status Calculator extension is to calculate the violation status for each CRA. The violation status is assigned to the ViolationStatus attribute.