Self-management
The Self-management extension is part of the Omada Identity Self-management feature in the Packaged Solution.
You can use the Self-management feature to manage access to Omada Identity itself. It contains a process through which end users can request Omada Identity roles.
It is possible to disable the Self-management extension if you do not want ownerships to be calculated. In that case, comment out the Self-management extension in the RoPE configuration file; you can then manage ownerships manually through the Effective owner/manager fields. It is also possible to combine self-management with manually maintained owners, in which case you need to use the Manual owners concept.
There are a number of roles that you can manage in Omada Identity:
- Resource ownership
- Resource folder ownership
- Org. unit management
- Identity management
- System ownership
- Cost center ownership
- Company ownership
- User group membership
- Service Desk agent role
- Classification tag ownership
- Employment ownership
You can extend the Self-management feature to apply to other data object types. Each of these object types has both an effective manager/owner field and an explicit owner field.
The value in the explicit owner field is, by default, maintained by the ODW component. The RoPE extension uses it to calculate a self-management resource assignment and, in turn, to populate the effective manager/owner field.
The RoPE Self-management extension also allows two self-management resources to control the membership of the same user group. For example, the Org. Unit Manager resource and the Identity Manager resource can both manage the Managers user group. The group membership is granted with the first assignment to either of the resources, and it is revoked only when the last assignment to either of the resources is revoked.
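The following Python model is an added illustration of how the ownership and group-membership rules above combine; it is not Omada's or RoPE's own code. The `Assignment` record, the `RESOURCE_TO_GROUP` mapping, the sample identities and ID strings, and the function names are all constructed assumptions. It also shows the effect of the CalculateExplicitOwners and IndividualAssignments settings described under Configuration and example.

```python
from dataclasses import dataclass

# Added illustration, not Omada's own code. Record layout, mapping, sample
# data and function names are constructed assumptions for this example.


@dataclass(frozen=True)
class Assignment:
    """One self-management resource assignment: an identity holds a
    self-management resource for a managed object, referenced by the
    object's ID string (an OUID, SYSTEMID or similar)."""
    identity: str
    resource: str
    managed_object_id: str


# Which self-management resources grant membership of which user group.
# Two resources deliberately control the same "Managers" group, as the text describes.
RESOURCE_TO_GROUP = {
    "Org. Unit Manager": "Managers",
    "Identity Manager": "Managers",
    "System Owner": "System Owners",
}


def effective_owners(assignments, resource, managed_object_id,
                     explicit_owners=(), calculate_explicit_owners=True):
    """Effective owners of one managed object: everyone holding its
    self-management resource, plus the explicit owners taken from the object's
    ExplicitOwner property when CalculateExplicitOwners is enabled."""
    owners = {a.identity for a in assignments
              if a.resource == resource and a.managed_object_id == managed_object_id}
    if calculate_explicit_owners:
        owners |= set(explicit_owners)
    return owners


def group_members(assignments):
    """User group membership derived from assignments. An identity is a member
    while at least one assignment to any controlling resource exists, so the
    first assignment grants membership and only revoking the last removes it."""
    members = {group: set() for group in set(RESOURCE_TO_GROUP.values())}
    for a in assignments:
        group = RESOURCE_TO_GROUP.get(a.resource)
        if group is not None:
            members[group].add(a.identity)
    return members


def revoke(assignments, assignment):
    """Return the assignment list without the given assignment."""
    return [a for a in assignments if a != assignment]


def compute_cras(assignments, individual_assignments):
    """Calculated resource assignments (CRAs). With IndividualAssignments
    enabled every request is its own CRA, so an access review can approve some
    and reject others; disabled, requests for the same identity and resource
    collapse into a single CRA."""
    if individual_assignments:
        return sorted({(a.identity, a.resource, a.managed_object_id) for a in assignments})
    return sorted({(a.identity, a.resource) for a in assignments})


# Constructed sample: alice manages one org. unit and two identities, so both
# controlling resources place her in "Managers".
SAMPLE = [
    Assignment("alice", "Org. Unit Manager", "OU-1001"),
    Assignment("alice", "Identity Manager", "ID-42"),
    Assignment("alice", "Identity Manager", "ID-43"),
    Assignment("bob", "System Owner", "SYS-AD"),
    Assignment("carol", "Org. Unit Manager", "OU-1001"),
]

if __name__ == "__main__":
    print(effective_owners(SAMPLE, "Org. Unit Manager", "OU-1001", explicit_owners=["dave"]))
    print(group_members(SAMPLE))
    # Revoking one of alice's assignments leaves her in "Managers".
    print(group_members(revoke(SAMPLE, SAMPLE[0])))
    print(compute_cras(SAMPLE, individual_assignments=True))
```

Running the block shows that revoking alice's Org. Unit Manager assignment keeps her in the Managers group because her Identity Manager assignments still exist, and that `compute_cras` returns five CRAs with IndividualAssignments on but four with it off.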
The Self-management concept, with its use of assignments to self-management resources, is based on the OUID, SYSTEMID, and other ID string values. As a result, if, for example, an ID string value is updated on an Org. unit or a System, the existing self-management resource assignment that references the old string attribute value will point to a non-existing object. This has the following consequences:
- The object owner is not updated, and the existing owner remains until a new one is appointed.
- Should a new object be created with the previous ID, the current owner also becomes an owner of the new object.
Such a situation has to be remedied manually with the following workaround: identify the resource assignment data objects to self-management resources whose managed object identifier, such as the OUID or SYSTEMID, has become obsolete. Expire those invalid resource assignments, then request and approve the equivalent assignments for the correct combinations of identity, resource, and managed object id.
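The check below is an added example of how an administrator could find the assignments the workaround talks about before expiring them; it is not Omada's own code, and nothing in it changes data. The record types, the creation and request dates used to spot a reused ID, and the old-to-new ID map (which you would have to establish yourself from your own change records) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration, not Omada's own code. Records, dates and the rename
# map are constructed assumptions for this example.


@dataclass(frozen=True)
class Assignment:
    identity: str
    resource: str
    managed_object_id: str  # OUID, SYSTEMID or other ID string value
    requested: date         # assumed: when the assignment was requested


@dataclass(frozen=True)
class ManagedObject:
    object_id: str
    created: date           # assumed: when the object was created


def find_stale_assignments(assignments, objects):
    """Assignments whose managed object ID string matches no current object,
    i.e. the first consequence described in the text."""
    current = {o.object_id for o in objects}
    return [a for a in assignments if a.managed_object_id not in current]


def find_inherited_owners(assignments, objects):
    """Assignments that predate the object now carrying their ID string: the
    holder has silently become an owner of a new object created with a reused
    ID (the second consequence). Relies on the assumed date fields."""
    by_id = {o.object_id: o for o in objects}
    return [a for a in assignments
            if a.managed_object_id in by_id
            and by_id[a.managed_object_id].created > a.requested]


def plan_remediation(assignments, objects, renamed_ids):
    """Return (to_expire, to_request): the stale assignments to expire and the
    (identity, resource, new id) combinations to request and approve for
    objects whose ID was renamed. Stale assignments without a known successor
    ID appear in to_expire only."""
    current = {o.object_id for o in objects}
    to_expire = find_stale_assignments(assignments, objects)
    to_request = []
    for a in to_expire:
        new_id = renamed_ids.get(a.managed_object_id)
        if new_id is not None and new_id in current:
            to_request.append((a.identity, a.resource, new_id))
    return to_expire, to_request


# Constructed sample data: OU-1002 was renamed to OU-2001, SYS-OLD was deleted,
# and the SYSTEMID "SYS-AD" was reused for a system created in 2024.
OBJECTS = [
    ManagedObject("OU-1001", date(2023, 1, 1)),
    ManagedObject("OU-2001", date(2024, 3, 1)),
    ManagedObject("SYS-AD", date(2024, 6, 1)),
]
ASSIGNMENTS = [
    Assignment("alice", "Org. Unit Manager", "OU-1001", date(2023, 5, 1)),
    Assignment("bob", "Org. Unit Manager", "OU-1002", date(2023, 6, 1)),
    Assignment("carol", "System Owner", "SYS-AD", date(2023, 2, 1)),
    Assignment("dave", "System Owner", "SYS-OLD", date(2023, 3, 1)),
]
RENAMED_IDS = {"OU-1002": "OU-2001"}

if __name__ == "__main__":
    expire, request = plan_remediation(ASSIGNMENTS, OBJECTS, RENAMED_IDS)
    print("expire:", [(a.identity, a.managed_object_id) for a in expire])
    print("request:", request)
    print("inherited:", [(a.identity, a.managed_object_id) for a in find_inherited_owners(ASSIGNMENTS, OBJECTS)])
```

Run against the sample, the plan lists bob's and dave's assignments for expiry, proposes a replacement assignment for bob on OU-2001 only, and flags carol as an owner inherited by the new SYS-AD system. Those outputs are the input for the manual expire, request and approve steps; the script itself takes no action.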
Configuration and example
This extension supports the following configuration settings:
- CalculateExplicitOwners - specify whether the explicit owners stated on a managed object should be included in the computation of the effective owners of the managed object.
  - The explicit owners are always stored in the ExplicitOwner property.
  - The effective owners are stored in either the Ownerref or the Manager property.
- IndividualAssignments - this option enables fine-grained access reviews of assignments for the "Omada Identity management" resources in the Omada Identity portal.
  - Consider an identity that has made multiple access requests, for example, for the Omada Identity management "Group Member" resource to become a member of different user groups in Omada Identity. With this option, RoPE computes a CRA for the "Group Member" resource for each time it has been requested. Each of the CRAs can be presented in an access review, so the option allows for approving some group memberships while rejecting others.
- Recompute - specify whether owners should be updated for data objects in each calculation.
  - If True, RoPE updates ownerships even if no change in resource assignments has been made. Setting this to True may impact performance.
  - Default value: False
- UpdateDataObjectsInNewThread - specify whether data object updates should be executed in a separate thread.
  - This increases the throughput of RoPE. It also means that the updates may still be in progress after the cycle run has completed.
  - Default value: True
<add type="Omada.RoPE.Controller.OISX.Extensions.SelfManagementExtension, Omada.RoPE.Controller.OISX" >
  <settings>
    <add key="CalculateExplicitOwners" value="true"/>
    <add key="IndividualAssignments" value="true"/>
    <add key="Recompute" value="false"/>
    <add key="UpdateDataObjectsInNewThread" value="true"/>
  </settings>
</add>
If you add a custom self-management configuration, it is important that the attribute containing the reference to the managed object has the field Reference value format set to contain only the idProperty from the Self-management XML configuration: