Version: On prem: 14.0.16

Resource-driven attributes

The resource-driven attributes concept allows for mapping and assigning attribute values to a CRA by retrieving the values from the resource of another CRA for the same identity.

The concept is utilized in Omada Identity for the built-in MS Exchange integration feature. When provisioning an Exchange mailbox, a number of quota settings can be specified using fields of the account in Active Directory, for example:

  • Issue warning quota (MB)
  • Prohibit send quota (MB)
  • Prohibit send receive quota (MB)

When Omada Identity provisions an Exchange mailbox, the values for the fields above come from a resource of the type Exchange Mailbox Option, for example, "Regular mailbox" or "Large mailbox", which is assigned to the identity and which specifies concrete values for the fields.

An identity can get an assignment for a resource, for example "Large mailbox", via a policy or an access request. A RoPE extension then transfers the values of the specified quota fields to the identity's assignment for the Exchange User Mailbox resource.

This concept is what is referred to as resource-driven attributes.

Specifying attribute values on Options resources

The resource-driven attributes concept involves having a number of Options resources that represent values to use as attribute values on a CRA for another resource.

The values can come from either regular property values or from the special Attributes property that is present on the Resource data object type. With the Attributes property (see below), you avoid bloating the Resource data object type with properties that only apply to a few resources.

If a resource refers to an attribute and specifies a value for it in the Attributes property, RoPE regards the attribute's underlying property as any other property that is bound to the Resource data object type.

info

When evaluating resource-driven attributes (RDA), RoPE searches for attribute values across all calculated assignments for the identity, for example:

  • An identity has two accounts and one of the accounts has an assignment to a permission resource.
    • As the RDA attribute is derived from the permission resource, both accounts will get the RDA value.

Resolving attribute values on-prem

The RoPE extension that assigns the attribute values is named ReferencePathAttributesValueResolver and is configured in the EngineConfiguration.config file. The default installation path to this file is C:\Program Files\Omada Identity Suite\Role and Policy Engine\Service\ConfigFiles.

Below you can see an example of how it is configured for the MS Exchange integration feature. The configuration for PROHIBITSENDQUOTA should be read as follows: “Find the value to assign by inspecting the other CRAs that the identity has for resources of the type Exchange Mailbox Option, then assign the value of the PROHIBITSENDQUOTA property/attribute on the resource.”

It should be noted that property/attribute values are retrieved from the assigned resource data object, and not from the CRA itself.

Priorities

note

The PrioritizationPolicyExtension must run before the AttributeValueResolver extension (that is, it must be placed above it in the config file), because the PrioritizationPolicyExtension may disable assignments that the AttributeValueResolver extension would otherwise use for resource-driven attributes.

Because an identity can have multiple CRAs for the same Settings resource, each specifying different values for the same property/attribute, you can add an attribute (to the resource's Attributes property) that specifies the priority of the resource, using the RDAPRIORITY property. Specify a numeric value for this priority. RoPE uses the priority value to determine which Settings resource to obtain the property and/or attribute values from.

The priority is used in the following way:

  • The assigned Settings resource with the highest RDAPRIORITY is picked.
  • If two or more assigned Settings resources of equal priority are found, the one with a Direct reason is prioritized.
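The following Python model is an added illustration of the resolution rules described on this page (the info note about searching across all of an identity's calculated assignments, the Attributes property fallback, and the RDAPRIORITY/Direct-reason selection above); it is not Omada's code and does not reproduce the EngineConfiguration.config syntax. The class and function names are hypothetical, the sample identity and accounts are constructed, and of the three quota attribute names only PROHIBITSENDQUOTA is taken from the page.

```python
# Added illustration (not Omada's code) of resource-driven attribute (RDA) resolution:
# values are read from the assigned Options resource (Attributes property first, then a
# regular property), all of the identity's calculated assignments are searched, and
# RDAPRIORITY plus the Direct-reason tie-break choose between competing resources.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    name: str
    type: str
    properties: dict = field(default_factory=dict)  # regular properties on the Resource data object
    attributes: dict = field(default_factory=dict)  # the special Attributes property

    def value_of(self, name: str):
        """A value set in Attributes is treated like any other property of the resource."""
        if name in self.attributes:
            return self.attributes[name]
        return self.properties.get(name)


@dataclass
class CRA:
    """Calculated resource assignment for an identity (optionally tied to one account)."""
    identity: str
    resource: Resource
    account: Optional[str] = None
    reason: str = "Policy"          # "Direct" wins ties; policy/request reasons do not
    disabled: bool = False          # set earlier by PrioritizationPolicyExtension
    attributes: dict = field(default_factory=dict)  # values assigned onto the CRA itself


def rda_priority(cra: CRA) -> int:
    # Assumption made here: an Options resource without RDAPRIORITY sorts lowest.
    value = cra.resource.value_of("RDAPRIORITY")
    return int(value) if value is not None else -1


def resolve_rda_value(cras, identity, option_type, attribute_name):
    """Pick the value of attribute_name from the identity's assigned Options resources."""
    candidates = [
        c for c in cras
        if c.identity == identity
        and c.resource.type == option_type
        and not c.disabled                        # assignments disabled earlier are skipped
        and c.resource.value_of(attribute_name) is not None
    ]
    if not candidates:
        return None
    top = max(rda_priority(c) for c in candidates)
    tied = [c for c in candidates if rda_priority(c) == top]
    direct = [c for c in tied if c.reason == "Direct"]   # Direct reason breaks equal priority
    chosen = (direct or tied)[0]
    return chosen.resource.value_of(attribute_name)


def apply_rda(cras, identity, target_type, option_type, attribute_names):
    """Copy resolved values onto every CRA of target_type the identity has, on all accounts."""
    for cra in cras:
        if cra.identity == identity and cra.resource.type == target_type and not cra.disabled:
            for name in attribute_names:
                value = resolve_rda_value(cras, identity, option_type, name)
                if value is not None:
                    cra.attributes[name] = value
    return cras


# Constructed sample data: one identity with two AD accounts, each holding an Exchange User
# Mailbox CRA. PROHIBITSENDQUOTA is named on the page; the other two names are constructed.
QUOTA_FIELDS = ["ISSUEWARNINGQUOTA", "PROHIBITSENDQUOTA", "PROHIBITSENDRECEIVEQUOTA"]
MAILBOX = Resource("Exchange User Mailbox", "Exchange User Mailbox")
REGULAR = Resource("Regular mailbox", "Exchange Mailbox Option",
                   attributes={"RDAPRIORITY": 1, "ISSUEWARNINGQUOTA": 900,
                               "PROHIBITSENDQUOTA": 1000, "PROHIBITSENDRECEIVEQUOTA": 1100})
LARGE = Resource("Large mailbox", "Exchange Mailbox Option",
                 attributes={"RDAPRIORITY": 2, "ISSUEWARNINGQUOTA": 4500,
                             "PROHIBITSENDQUOTA": 5000, "PROHIBITSENDRECEIVEQUOTA": 5500})


def sample_assignments():
    return [
        CRA("alice", MAILBOX, account="alice@corp.example"),
        CRA("alice", MAILBOX, account="alice-adm@corp.example"),
        CRA("alice", REGULAR, reason="Policy"),
        CRA("alice", LARGE, reason="Direct"),
    ]


if __name__ == "__main__":
    for cra in apply_rda(sample_assignments(), "alice", "Exchange User Mailbox",
                         "Exchange Mailbox Option", QUOTA_FIELDS):
        if cra.resource.type == "Exchange User Mailbox":
            print(cra.account, cra.attributes)   # both accounts receive the "Large mailbox" values
```

Running the script shows both mailbox CRAs receiving the quota values of "Large mailbox", since it carries the higher RDAPRIORITY; marking that assignment as disabled (as the PrioritizationPolicyExtension might) makes the resolver fall back to "Regular mailbox", which is why the ordering of the two extensions in the config file matters.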