Version: On prem: 15.0.0

Resources

Here you will find the settings used to define resources, resource types, and resource folders.

Add resource types

  1. To add a new resource type, click New in the Resource types overview.
  2. In the New Resource dialog box that opens, type a unique Name for the resource type.
  3. From the drop-down menu, select a relevant Resource category to associate with the new resource type.
  4. If you want to allow the assignments for the resources of the created type to have additional attributes, check the Allow attributes checkbox.
  5. In the Attribute set field, click the lookup icon to open the Attribute set dialog. From this dialog box, choose an attribute set to associate with the new resource type.
  6. The Business key field allows you to add a business key for the created resource type.
  7. Optionally, in the New Resource dialog box, select the Allow child resources checkbox to let resources that do not belong to the Role resource category specify child resources.
  8. Enable the Allow delegation setting to allow identities with this resource to delegate their access to another identity for a limited period of time, for example when the identity is on vacation or in the case of a leave of absence.

Add resource types: Fulfillment (general)

  1. In the Provisioning attributes set field, click the lookup icon to select an attribute set that has provisioning relevance. The attributes are also presented to the sync engine as a bundle. If you do not select any attribute sets here, all assignment attributes are considered relevant to provisioning.

  2. To enable provisioning updates in case of any discrepancies in the provisioning attributes in the Omada Identity Data Warehouse, select the checkbox Reconcile on attribute level. The checkbox is not selected by default.

  3. In the Reconciliation attributes map field provide a mapping string used by RoPE when account assignment attributes or permission assignment attributes are loaded from the Data Warehouse. This mapping string maps ES/RoPE attribute names to Data Warehouse attribute names. If a resource type specifies an attribute string, RoPE only looks for the mapped attributes in the ODW. If a resource type does not specify an attribute string, RoPE assumes that all provisioning attributes are present in the ODW and have the same names as in Enterprise Server.

    The mapping string has the following format: [Attribute system name in ES/RoPE]=[Attribute name in Data Warehouse];... It is case sensitive and must not contain duplicate attribute names, neither ES/RoPE attribute names nor Data Warehouse attribute names. For example: FirstName=givenName;LastName=sn.

  4. Select the Exclusively managed checkbox so that assignments for resources of this type are deprovisioned if they do not have a Desired state reason. The checkbox is not selected by default.

  5. In the Post validity days field, type a number of days in which calculated assignments for resources of this type are included after the validity period ends.

Add resource types: Fulfillment (MIM)

info

This section is relevant only for systems configured to use MIM as the fulfillment mechanism.

  1. In the MIM MA CS resource object type field, type the name of a resource object to show calculated resources in the MA as objects of this type.
  2. In the MIM MA CS assignment object type field, type the name of an assignment object type to show calculated accounts and calculated resource assignments in the MA as objects of this type.
  3. Select the checkbox Make members/membership information available in the sync engine? so that the sync engine receives information about the accounts that are members of the resource (if the resource is a non-account) or the resources that the account is a member of (if the resource is an account).

Add resource types: other settings

  1. The Allow delegation checkbox allows identities with assignments for resources of the created type to delegate them to someone else. The checkbox is not selected by default.
  2. Select the Allow child resources checkbox to allow resources of the created type to have child resources. This is mainly intended for resources that represent enterprise roles or application roles. The checkbox is not selected by default.
  3. In the Prevent self-service dropdown, select Yes if you do not want this resource type to be available for self-service access requests.
  4. In the Policy and risk checks field, you can choose checks that should be executed for this resource type.

Editing resource types

You can also edit an existing resource type. In the Resource types dialog, select one of the existing resource types, and click Edit. This opens the Edit Resource type dialog box from which you can specify and edit the same settings that you can set when you add a new resource type.

Renaming resource types

If you wish to rename the resource types that are provided by default in the System onboarding process, it is recommended that you create a new resource type based on the default resource type, and make the desired changes to the copy.

The reason is that the resource type names are used in the system configuration. Thus, you would have to change the name in several places if you wanted to change one of the default resource types.

However, if you'd like to update the resource type name, perform the following steps:

  • Prerequisites:
    • Stop the Role and Policy Engine (RoPE).
    • Stop the Enterprise Server (ES) timer service.
  • Update the ES configuration:
    • Update the resource type name in the list of resource types.
    • Open the list of systems (a warning will be displayed).
    • For each system where the resource type is used:
      • Click the context menu on the right and select Edit (advanced).
      • In the Provisioning service configuration field, rename the resource type accordingly.
      • Click OK to close the system dialog.
    • Open the normal system dialog and validate the task mappings.
      • The name of the resource type in the data model can be updated, but this is not strictly necessary. If required, perform this step before editing the task mappings.

        Business key

        It is not recommended to update the Business key value of the resource type even if it matches the old resource type name.

    • Commit the OPS settings.
  • Update the RoPE EngineConfiguration.config:
    • Update the AttributeValueResolver extension:
      • Update Resource driven attributes (#ASSIGNMENTS_PER_RESOURCETYPE):
        • The name element contains the attribute name, for example, MBOXSIZE. It can be prepended with a resource type name, for example, AD Account:MBOXSIZE.
        • The first element after #ASSIGNMENTS_PER_RESOURCETYPE is a resource type name and must be updated accordingly, for example, /#ASSIGNMENTS_PER_RESOURCETYPE/Mailbox size:[MBOXSIZE].
    • Update the MapAttributesFromActualDataExtension extension:
      • The ExtraInfo configuration element contains the display name of resource types, unless prepended with UID:. It must be updated accordingly.
  • Service restart:
    • Start the timer service(s) and wait 2 minutes for the resource type to be synchronized.
    • Start the RoPE service(s).

warning

The Resource type names support the characters from the [^A-Za-z0-9_-!@#$%^&*()] range including space.

| Setting | Description |
|---|---|
| Name | Type a unique name for the new resource type. |
| Resource category | Select a relevant resource category to associate with the new resource type. |
| Allow attributes | Enable this setting to allow assignments for resources of this type to have attributes. |
| Attribute set | Choose an attribute set of attributes that are allowed on assignments for resources of this type. The attributes are displayed in the access request when a user picks a resource of the resource type. You can modify the specific display behavior on the attribute type object. The assignments calculated by RoPE hold values for the attributes. By default, the attribute values are considered relevant for provisioning. If you need to, you can change this by using the Provisioning attribute set property. |
| Business key | Add a business key for the created resource type. |
| Provisioning attribute set | Choose an attribute set to use for provisioning, that is, attributes that have fulfillment relevance. If you do not specify a provisioning attribute set, all assignment attributes are considered provisioning relevant. The attributes in the provisioning attribute set must be a subset of the attributes in the general attribute set. |
| Reconcile on attribute level | Enable this setting if discrepancies on provisioning attributes in the ODW should result in provisioning updates. |
| Reconciliation attributes map | Type a mapping string to use for reconciliation. The mapping string is used by RoPE when loading account or permission assignment attributes from Omada Identity Data Warehouse. The mapping string maps ES/RoPE attribute names to Data Warehouse attribute names. If a resource type specifies an attribute string, RoPE only looks for the mapped attributes in Omada Identity Data Warehouse. If a resource type does not specify anything, RoPE assumes that all provisioning attributes are present in Omada Identity Data Warehouse (with the same names as in the Enterprise Server). The mapping string has the following format: [Attribute system name in ES/RoPE]=[Attribute name in Data Warehouse];... The mapping string must not contain duplicate attribute names, neither ES/RoPE attribute names nor Data Warehouse attribute names. Note that the mapping string is not case-sensitive. Example of a mapping string: FirstName=fn;LastName=givenname |
| Exclusively managed | Enable this setting if calculated assignments for resources of this type should be deprovisioned when they do not have a 'desired state' reason. Omada recommends that you enable this setting, except during initial implementation or onboarding of a system. |
| Post validity (days) | Calculated assignments for resources of this type are kept for this number of days after the validity period ends. A "post-valid" assignment is always marked as disabled by Omada Identity, which leads to inactivation or deletion in the target system. For account resources in particular, post validity is a good way to delay deletion of an account in the target system when an employee is offboarded. |
| Always provision changes | Should every single change of provisioning attributes cause provisioning updates? If enabled, the settings Reconcile on attribute level and Reconciliation attributes map are ignored. |
| MIM MA CS resource object type | Expose resources in the MIM MA connector space as objects of this type. Only relevant for systems configured to use MIM as the fulfillment mechanism. |
| MIM MA CS assignment object type | Expose calculated account/permission resource assignments in the MIM MA connector space as objects of this type. Only relevant for systems configured to use MIM as the fulfillment mechanism. |
| Make members/membership information available in the sync engine | If the resource category is Permission, enable showing the accounts that are members of the resource in the MIM MA connector space. If the resource category is Account, enable showing the resources that the account is a member of in the MIM MA connector space. |
| Allow child resources | Enable this setting to allow resources that do not belong to the Role resource category to specify child resources. For the Role resource category, this checkbox is selected by default and is mandatory. |
| Allow delegation | Enable this setting to allow identities with this resource type to delegate their access to another identity for a limited period of time, for example in case of vacation or a leave of absence. |
| Prevent self-service | Select Yes if you do not want this resource type to be available for self-service access requests. |
| Policy and risk checks | Select the policy and risk checks that should be executed for the resource type. If a check is not selectable, it is used for all resources. |
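As an added example (not Omada's own code), the following Python parser validates a Reconciliation attributes map string against the format described in the Fulfillment (general) steps and in the table above: it rejects pairs without '=', empty names, and duplicate ES/RoPE or Data Warehouse attribute names. The case_sensitive flag is an assumption, since the step list and the table describe the duplicate comparison differently, and tolerating a single trailing ';' is also an assumption.

```python
from typing import Dict, Optional

class MappingStringError(ValueError):
    """Raised when a mapping string does not follow the documented format."""

def parse_reconciliation_map(mapping: str, case_sensitive: bool = True) -> Dict[str, str]:
    """Parse "[ES name]=[DW name];..." into {es_attribute: dw_attribute}.

    Rejects pairs without '=', empty names, and a duplicate name on either
    side. Assumption: one trailing ';' is tolerated; any other empty pair is not.
    """
    norm = (lambda s: s) if case_sensitive else str.lower
    segments = mapping.split(";")
    if segments[-1] == "":          # allow a single trailing separator
        segments = segments[:-1]
    if not segments:
        raise MappingStringError("mapping string is empty")
    result: Dict[str, str] = {}
    seen_es: set = set()
    seen_dw: set = set()
    for idx, segment in enumerate(segments, start=1):
        if "=" not in segment:
            raise MappingStringError(f"pair {idx} ('{segment}') has no '='")
        es_name, dw_name = segment.split("=", 1)
        if not es_name or not dw_name:
            raise MappingStringError(f"pair {idx} ('{segment}') has an empty name")
        if norm(es_name) in seen_es:
            raise MappingStringError(f"duplicate ES/RoPE attribute '{es_name}'")
        if norm(dw_name) in seen_dw:
            raise MappingStringError(f"duplicate Data Warehouse attribute '{dw_name}'")
        seen_es.add(norm(es_name))
        seen_dw.add(norm(dw_name))
        result[es_name] = dw_name
    return result

def validate_reconciliation_map(mapping: str, case_sensitive: bool = True) -> Optional[str]:
    """Return None when the string is valid, otherwise the reason it is rejected."""
    try:
        parse_reconciliation_map(mapping, case_sensitive)
    except MappingStringError as exc:
        return str(exc)
    return None

# Constructed sample strings (the first one is the page's own example).
SAMPLES = [
    "FirstName=givenName;LastName=sn",
    "FirstName=givenName;LastName=sn;",
    "FirstName=givenName;FirstName=fn",
    "FirstName=givenName;PreferredName=givenName",
    "FirstName=givenName;LastName",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {validate_reconciliation_map(sample) or 'OK'}")
```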

Add new resource folders (optional)

  1. To add a new resource folder, click New in the Resource folders overview.

  2. In the New Resource folder dialog box that opens, type a unique Name for the resource folder.

  3. Type a unique FolderID for the resource folder. You must use capital letters.

  4. The Effective owner field is read-only. This property is populated with the effective owner by Role and Policy Engine based on the users and user groups added to the Manual owner field.

  5. Optionally, in the Manual owners field, click the lookup icon to select an owner of the resource folder and its resources.

  6. Optionally, in the Approval field, click the lookup icon to select the level(s) at which the approval should be set, for example, System owner or Context owner. You can select one or more levels that can approve.

  7. Optionally, in the Provisioner field, click the lookup icon to see a list of identities and, from there, choose an identity to be the provisioner. You can only choose one identity to be the provisioner for each resource folder.

  8. Optionally, in the Account types field, click the lookup icon to select one or more account types for which the resources in the folder are relevant. Note that this setting may be overridden at the individual resource level. Click OK to save the new resource folder and close the dialog box.

  9. Optionally, in the Classifications field, click the lookup icon to see a list of classification tags. Here, you can select a classification for the created resource folder.

| Setting | Description |
|---|---|
| Name | Type a unique name for the resource folder. |
| FolderID | Type a unique FolderID for the resource folder. You can only use capital letters. |
| Effective owner | Filled by RoPE. |
| Manual Owners | Select an owner of the resource folder and its resources. This is an optional setting. |
| Approval | Select the level at which to set the approval, for example at System Owner or Context Owner level. Optionally, you can select one or more levels. |
| Provisioner | Select an identity from the list of identities to become the provisioner. You can only select one identity to be the provisioner for each resource folder. |
| Account types | Select one or more account types for which the resources in the folder are relevant. This setting may be overridden on the individual resource. |
| Classifications | Here, you can select a classification tag for the created resource folder. |
| Policy and risk checks | Select the policy and risk checks that should be executed for the resource type. If a check is not selectable, it is used for all resources. |

Add new resource: general settings

  1. To add a new resource, click New in the Resources overview. In the New Resource dialog that opens, type a unique ResourceID for the resource. You can only use capital letters.
  2. Type a unique Name for the resource.
  3. Optionally, type a Description for the resource.
  4. In the Resource type field, click the lookup icon to select a resource type to associate with the resource. You can only select one resource type.
  5. In the System field, click the lookup icon to open the System dialog. Here, you can select a system to associate with the resource. You can only select one system.
  6. In the Resource folder field, click the lookup icon to select a resource folder to associate with the resource. You can only select one resource folder.
  7. The Effective owner field is read-only. This property is populated with the effective owner by Role and Policy Engine based on the users and user groups added to the Manual owner field.
  8. In the Manual owners field, click the lookup icon to select one or more owners of the resource.
  9. The Business key field allows you to add a business key for the created resource.
  10. Optionally, select one or more of the available checkboxes to specify a Classification for the resource. You can choose between Business Critical, System administration, and Privileged access.

Add new resource: Fulfillment

  1. Optionally, in the Provisioning depends on field, click the lookup icon to select a different resource in order to delay the provisioning process for the new resource until that specific resource has been provisioned.
  2. To enable skipping of provisioning of assignments for this resource, select the Skip Provisioning checkbox. This setting is not enabled by default.

Add new resource: Status and validity

  1. In the Resource status menu, choose a status for the resource if this is relevant for you. You can choose: Inactive, Active, Obsolete, Disabled.
  2. In the fields Valid from and Valid to, select a relevant period of time for the resource to be valid if you want to limit the time when the resource is available.

Add new resource: Advanced

  1. In the Prevent self-service dropdown select Yes if you do not want this resource to be available for self-service access requests.
  2. In the Account types field, choose one or more account types for which the resource should be available. If you do not specify anything, account types are inherited from the resource folder.
  3. In the Business processes field, use the lookup icon to select business processes that the resource is used in. The information is used for defining Segregation of Duties constraints on the business process level.
  4. The Risk score and Risk level fields provide information about the risk a given resource poses. The risk score of a permission resource is calculated as: RiskScore(permission) = RiskScore(permission's system) + sum(max(RiskScore(permission's tags per category))). The risk score of a "role" resource is calculated as: RiskScore(role) = max(RiskScore(role's children)). The risk level is derived from the risk score.
  5. In the Policy and risk checks field, you can choose checks that should be executed for this resource.

| Setting | Description |
|---|---|
| ResourceID | Type a unique resource ID for the resource. Do not use commas in the Resource ID. If the resource ID contains a comma, RoPE will encounter a calculation failure. |
| Name | Type a unique name for the resource. |
| Description | Type an optional description for the resource. |
| Resource category | Choose a relevant category to which the resource should belong. You can choose: Role, Permission, Account, Software. |
| Resource type | Select a resource type to associate with the resource. You can only select one resource type. |
| System | Select a system to associate with the resource. You can only select one system. |
| Child resources | Choose one or more resources to add as child resources of the resource. |
| Resource folder | Select a resource folder to associate with the resource. You can only select one resource folder. |
| Effective owner | Filled by RoPE. |
| Manual Owners | Select one or more resource owner(s). |
| Business key | Add a business key for the created resource. |
| Classifications | Select one or more checkboxes to provide a classification for the resource. The available classifications are: Business critical, System administration, Privileged access. |
| Provisioning depends on | Select another resource that must be provisioned before this one. |
| Skip provisioning | Select the checkbox to skip provisioning of assignments for this resource. The checkbox is not selected by default. |
| Resource status | Optionally, choose a status for the resource. You can choose: Inactive, Active, Obsolete, Disabled. |
| Valid from | Type a date to specify the start of the period in which the resource is valid. |
| Valid to | Type a date to specify the end of the period in which the resource is valid. |
| Prevent self-service | Choose Yes if you do not want the resource to be available for self-service access requests. Choose No if you want the resource to be available for self-service access requests. |
| Account types | Choose one or more account types for which the resource is available. If you do not specify anything, the account type(s) are inherited from the resource folder. |
| Business processes | Select one or more business processes to associate with the resource. |
| Risk score | The risk score of a permission resource is calculated as: RiskScore(permission) = RiskScore(permission's system) + sum(max(RiskScore(permission's tags per category))). The risk score of a "role" resource is calculated as: RiskScore(role) = max(RiskScore(role's children)). |
| Risk level | Derived from the risk score. |
| Policy and risk checks | Select the policy and risk checks that should be executed for the resource. |
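As an added example (not Omada's own code), this Python snippet evaluates the two risk score formulas given in the Advanced steps and in the table above on constructed systems, tags and resources, including a role nested inside another role. The data classes are assumptions standing in for the Omada objects, scoring a role without children as 0 is an assumption, and the risk level mapping is not shown because the page does not define it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Constructed data model for the risk score formulas on this page (not Omada's own classes).

@dataclass
class System:
    name: str
    risk_score: int

@dataclass
class Tag:
    name: str
    category: str        # tags are grouped per category before taking the max
    risk_score: int

@dataclass
class Permission:
    resource_id: str
    system: System
    tags: List[Tag] = field(default_factory=list)

@dataclass
class Role:
    resource_id: str
    children: List[Union[Permission, "Role"]] = field(default_factory=list)

def permission_risk_score(permission: Permission) -> int:
    """RiskScore(permission) = RiskScore(system) + sum(max(RiskScore(tags per category)))."""
    best_per_category: Dict[str, int] = {}
    for tag in permission.tags:
        current = best_per_category.get(tag.category, tag.risk_score)
        best_per_category[tag.category] = max(current, tag.risk_score)
    return permission.system.risk_score + sum(best_per_category.values())

def risk_score(resource: Union[Permission, Role]) -> int:
    """RiskScore(role) = max(RiskScore(role's children)); roles may contain roles."""
    if isinstance(resource, Permission):
        return permission_risk_score(resource)
    # Assumption: a role without children scores 0 (the page does not cover this case).
    return max((risk_score(child) for child in resource.children), default=0)

# Constructed sample: one ERP system, three tags in two categories, two roles.
ERP = System("ERP (constructed)", risk_score=20)
FINANCE = Tag("Finance", "Business area", 30)
PII = Tag("PII", "Data sensitivity", 40)
CONFIDENTIAL = Tag("Confidential", "Data sensitivity", 25)  # same category as PII, so only 40 counts
AP_POST = Permission("AP_POST", ERP, [FINANCE, PII, CONFIDENTIAL])  # 20 + 30 + max(40, 25) = 90
AP_VIEW = Permission("AP_VIEW", ERP, [FINANCE])                     # 20 + 30 = 50
AP_CLERK = Role("AP_CLERK", [AP_POST, AP_VIEW])                     # max(90, 50) = 90
FINANCE_ALL = Role("FINANCE_ALL", [AP_CLERK, Permission("GL_VIEW", ERP)])  # max(90, 20) = 90

if __name__ == "__main__":
    for resource in (AP_POST, AP_VIEW, AP_CLERK, FINANCE_ALL):
        print(f"{resource.resource_id}: {risk_score(resource)}")
```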