Version: On prem: 14.0.16

Pre-validity and post-validity

If RoPE calculates a CRA and the current time is outside the validity period of the CRA, that is, before the validity period starts or after the validity period ends, the CRA is normally disregarded, so that it is not included in the calculation result.

However, RoPE has a concept of Pre-validity and Post-validity. RoPE includes a CRA in the calculation result a number of days before it becomes valid and a number of days after it stops being valid, but it is marked as disabled.

This allows for provisioning account assignments before a user's start date, and mitigation of incorrect HR termination triggers. It also ensures that accounts are not deleted on the last working day of an identity.

If it is the identity itself that is either pre-valid or post-valid, RoPE will extend the validity period of Calculated Permission Resource Assignments (CPRA). In the extended period before and after the validity period, the identity is not marked as disabled. This prevents the permission assignments from being deprovisioned and allows permissions to be provisioned during the pre-validity period. This is safe to do since the accounts for which the permissions are granted will always be disabled.

The pre-validity period is by default three (3) days for all CRAs of all types. It can be configured in the customer settings (path: Setup > Administration > More > Customer settings).

The post-validity is by default zero (0) days. It can be configured per resource type in the Edit Resource Type dialog. If you do not enter any value in the field, it is interpreted as zero.
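The inclusion rules described in this section, modelled as an added example (not Omada code): the `Assignment` type, the result labels and the inclusive whole-day boundaries are assumptions made for illustration, and the dates in the comments and tests are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_PRE_VALIDITY_DAYS = 3    # page: default for all CRAs of all types
DEFAULT_POST_VALIDITY_DAYS = 0   # page: default, configured per resource type

INCLUDED = "included"                    # inside the validity period
INCLUDED_DISABLED = "included-disabled"  # pre-/post-valid, marked disabled
DISREGARDED = "disregarded"              # left out of the calculation result


@dataclass
class Assignment:
    """Hypothetical stand-in for a calculated assignment (CRA)."""
    valid_from: date
    valid_to: Optional[date] = None            # None models an open-ended CRA
    post_validity_days: Optional[int] = None   # empty field is read as zero
    is_permission: bool = False                # True models a CPRA
    identity_driven: bool = False              # identity itself is pre-/post-valid


def evaluate(a: Assignment, today: date,
             pre_days: int = DEFAULT_PRE_VALIDITY_DAYS) -> str:
    """Classify one assignment for `today` (assumed: inclusive day bounds)."""
    post_days = a.post_validity_days or DEFAULT_POST_VALIDITY_DAYS
    if a.valid_from <= today and (a.valid_to is None or today <= a.valid_to):
        return INCLUDED
    in_pre = a.valid_from - timedelta(days=pre_days) <= today < a.valid_from
    in_post = (a.valid_to is not None and
               a.valid_to < today <= a.valid_to + timedelta(days=post_days))
    if not (in_pre or in_post):
        return DISREGARDED
    # A CPRA extended because the identity is pre-/post-valid is not marked
    # disabled; the account it is granted on is what stays disabled.
    if a.is_permission and a.identity_driven:
        return INCLUDED
    return INCLUDED_DISABLED


def timeline(a: Assignment, start: date, days: int) -> list:
    """Day-by-day classification, useful for reviewing how long access lingers."""
    return [(start + timedelta(days=i), evaluate(a, start + timedelta(days=i)))
            for i in range(days)]


if __name__ == "__main__":
    account = Assignment(date(2024, 3, 10), date(2024, 3, 20), post_validity_days=2)
    for day, state in timeline(account, date(2024, 3, 6), 18):
        print(day.isoformat(), state)
```

Printing the timeline for a resource type before changing its post-validity value shows how many extra days an assignment stays in the calculation result after the end date.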

Pre-validity and Post-validity scenarios

The Pre- and post-validity section describes the possibility to extend validity periods for Account assignments (CARAs) and Permission assignments (CPRAs). Account assignments can be provisioned in a disabled state outside the validity period of the Identity, and Permission assignments can be provisioned beyond the validity period of the Identity.

This means that Accounts can be provisioned for a given identity a set number of days before this identity is enabled, and that Permissions are not deprovisioned for a set number of days after the identity is disabled or locked.

The timeline below presents an example of the Pre-validity and Post-validity periods.

The pre-validity allows the AD Account assignment to be created before the actual date the Identity and Account become active. Within this pre-validity period the assignment is disabled, and it becomes active on the "Valid from" date. At the same time, the Calculated Permission Assignment for the AD Group can be provisioned only after the Identity is enabled.

In the case of the post-validity, the AD Account is disabled at the same moment the Identity is disabled or locked. However, the CPRA for the AD Groups is not disabled, and this permission assignment is deprovisioned at the end of the post-validity period.