Attribute level reconciliation
The Attribute level reconciliation concept allows you to configure RoPE to compare the actual state attribute values of accounts and resource assignments with the desired state attribute values.
When RoPE reads accounts and resource assignments from the Data Warehouse, it includes attribute values for them as well.
RoPE compares the actual state attribute values with the desired state attribute values of a CRA. If these attribute values do not match, RoPE assigns the provisioning status Pending update and takes appropriate actions.
For resources that do not have a desired state yet, the actual state attribute values read from the Data Warehouse are assigned to the CRA.
Reading actual state attribute values
When RoPE reads accounts and resource assignments from the Data Warehouse, it also reads attribute values for them.
The attribute values are read from the following ODW view columns:
- RoPE_Account.ExtensionAttributesWithHistory
- RoPE_Account.ExtensionAttributesWithoutHistory
- RoPE_ResourceAssignment.ExtensionAttributesWithHistory
- RoPE_ResourceAssignment.ExtensionAttributesWithoutHistory
An attribute may be in either of the two columns, but not in both, for example:
<Attr Name="PRIMARY_EMAIL">
<Value>ABAA@odwad.test</Value>
</Attr>
<Attr Name="ADDITIONAL_EMAILS">
<Value>SMTP:ABAA@odwad.test</Value>
<Value>SMTP:xxxx@odwad.test</Value>
</Attr>
<Attr Name="WEBMAIL">
<Value>True</Value>
</Attr>
An attribute value in the Data Warehouse cannot cause a Pending update if it is not provisioning relevant as specified in the resource type or if it is not included in the Reconciliation attributes map.
The data type of an attribute is defined by the property.
The names of extension attributes can be only composed of the following characters: \^A-Za-z0-9\_\\-\\\$\. Spaces are not allowed in the attribute names.
In addition to the extension attributes, RoPE reads a number of fixed attributes for accounts from the ODW. The table below lists these fixed attributes as well as which columns they are read from.
| Fixed account attribute | Read from |
|---|---|
| VALIDFROM | RoPE_Account.ValidFrom |
| VALIDTO | RoPE_Account.ValidTo |
| FIRSTNAME | RoPE_Account.IdentityFirstName |
| LASTNAME | RoPE_Account.IdentityLastName |
| RoPE_Account.IdentityEmail | |
| JOBTITLE | RoPE_Account.IdentityJobTitle |
Configuring attribute level reconciliation
Attribute level reconciliation is enabled per resource type by ticking Reconcile on attribute level and by specifying a mapping string for the Reconciliation attributes map.
The mapping string contains key/value pairs separated by a semicolon and has the following format:
[Attribute system name in ES/RoPE\]=\[Attribute name in Data Warehouse\];
The mapping string must not contain duplicate attribute names for neither the RoPE attribute names nor the Omada Identity Data Warehouse attribute names. The mapping string is not case-sensitive.
RoPE assigns the provisioning status Pending update if the provisioning attribute values of a CRA do not match the values from the Omada Identity Data Warehouse.
In the screenshot above, Reconcile on attribute level is set to True and Reconciliation attributes map is specified on the resource type. The mapping string dictates that the value of the
FIRSTNAME attribute must be compared with the value of the givenName ODW attribute. Also, the value of the LASTNAME attribute must be compared with the value of the sn ODW attribute. If there is a discrepancy, then we want to provision the desired state value to AD.
You can inspect the attribute values that are read from the Data Warehouse in the Messages node in the Assignments Explorer for an identity. The Actual (source) attribute values show the attribute values as read from the Data Warehouse, and the Actual (processed) attribute values show the attribute values after the mapping.
Troubleshooting
If changes to a property (for example, ValidTo) do not trigger a provisioning task, make sure that attribute value reconciliation is configured.
Below you'll find a use case for the value reconciliation of the ValidTo attribute.
The ROPE attributes known as ROPE_VALIDFROM and ROPE_VALIDTO are, by design, not part of the provisioning attributes; however, if you need to use them as attributes with reconciliation, follow these steps:
- Add a custom text property, for example: C_VALIDTO.
- Add an attribute for your custom property, and add the attribute to the applicable attribute set.
- Resolve a value for the attribute in the attribute value resolver, for example: ROPE_ValidTo.ToString("yyyyMMdd"). The format should match the format needed in provisioning task and in the target system.
- Have the ValidTo value imported in the collector into an actual attribute (for example, ValidTo), with the string format as above.
- Configure the reconciliation map accordingly, for example, C_VALIDTO=ValidTo.