Version: On prem: 15.0.0

Omada Identity Governance capabilities

The Omada Identity Governance feature comes with the following capabilities.

Create a new personal user

By default, Omada Identity manages users and accounts for all employees and contractors. If there is a need for an identity with a different "identity category", the account can be requested in an access request for the "Omada Identity Account" resource or any of the Omada Identity User Group resources, as the system is configured to "auto create accounts".

Create a new admin user

  1. If it doesn't already exist, create an administrator account type.
  2. If it doesn't already exist, create an account resource for the Omada Identity system for the Administrator account type. Provide a meaningful account name format, for example ADM_[IDENTITYID].
  3. Request access to the new account resource and await the completion of the provisioning.
Note: Users of non-personal account types are not directly linked to the identity through the IDENTITYREF property.

Maintain user properties

You can provision additional property values to the user object. To do so, follow these steps:

  1. Add new attributes to the attribute set Omada Identity Account Attributes.

  2. Recalculate an identity with an account and validate that the attribute values are populated appropriately.

  3. Extend the task mapping to include the additional properties.

    Example: mapping a User property to the new RoPE attribute value.

To create a user group, go to User groups in Setup and click New. Then enter the new user group details. The user group resource is created with a name corresponding to the user group, and with the Logical key configured for the import, so that the import can match the actual user group with the user group resource.

Managing user group lifecycle

To ensure smooth management of user groups and associated resources, it's essential to understand the lifecycle process, which involves creating, renaming, and deleting user groups while maintaining consistency and preventing potential issues:

  • When a new user group is created, a corresponding resource is automatically created for it, and the user group's reference property is assigned to the new user group.

  • If you rename a user group, the management resource isn't renamed automatically. The link between them depends on the reference between the user group and the resource, so it continues to function properly. For naming consistency, you can rename the resource accordingly. Similarly, if you rename a management resource, consider renaming the user group for consistency.

    Note: The renaming of the management resource is updated when you run an import. It is part of the Warehouse to portal mapping feature in the import. For more information, refer to the ODW to ES Portal Synchronization section in the Import and onboarding guide.

  • When you delete a user group, the corresponding resources and resource assignments aren't deleted automatically. Remember to delete the related management resources and resource assignments as well. Ensure you delete the resource and resource assignments before deleting the user group to avoid deprovisioning issues.

Request and approval of user group membership

As with other resources, you can configure the visibility of the user group resources using the Prevent self-service property on Resource, Resource type, or System.

Example: on a resource type, in the Other settings.

To configure the approval of the user group resource assignment, go to the Omada Identity resource folder. For system security reasons, it is crucial to have the approval level configured.

Monitor compliance status of Omada Identity and implement corrective actions

  1. To monitor compliance, go to the Compliance workbench.

  2. Click the Filter button for the Omada Identity system and include account assignments.

  3. For any orphaned or not approved assignments, implement one of the corrective actions:

    • Request access to the account or permission resource.
    • Manually remove the account or the user group membership.
    • Enable the Exclusively managed setting on the resource type for automated deprovisioning.

Initiate an import, then validate the corrective actions and the compliance level in the Compliance workbench.