Version: On prem: 15.0.0

Conditional inheritance evaluator

You can apply the ConditionalInheritanceEvaluator extension to implement Conditional inheritance in, for example, SAP scenarios. The goal of conditional inheritance is that a child resource is only assigned to an identity if it has the same attribute as the identity (either inherited from the identity object or one of its context assignments).

Configuration

You can configure the attributes to match on and whether just a single match is required, or all attributes must match.

<add type="Omada.RoPE.Controller.OISX.Extensions.ConditionalInheritanceEvaluator, Omada.RoPE.Controller.OISX">
  <settings>
    <add key="ObjectType:Resource" value="OUREF"/>
    <add key="MatchContextMembershipTo" value="OUREF"/>
    <add key="RequireFullMatch" value="false"/>
  </settings>
</add>

This extension supports the following configuration settings:

  • ObjectType:Resource - type a comma-delimited list of system names of properties that are on the data object type, for example the resource data object type.
  • MatchContextMembershipTo - if defined, the child resource value is matched towards all the context assignments of the identity. The child resource value is configured as a custom reference property on the resource data object type.
  • RequireFullMatch - set it to True to require a match on all the stated properties. If you set it to false, only one match is required.
Info: The value configured in MatchContextMembershipTo and ObjectType:Resource is a (single-value) property system name.

If the rules defined with ObjectType:Resource are combined with the MatchContextMembershipTo rule, the RequireFullMatch setting determines the result. If full match is required, all rules must resolve to true. If it is not set, at least one of the rules must resolve to true.

Example

In the RoPE extension configuration, we set the MatchContextMembershipTo to OUREF and we add the OUREF property to the Resources data object type.

When RoPE then traverses the child resources of a role, it will only assign the child resource if the OUREF of the child resource is within the context memberships of the identity. Only direct context memberships are evaluated, i.e., not parent contexts.

Consider an SAP system in which a number of functionally equivalent SAP roles exist which are created for various departments. The SAP roles are grouped in functional enterprise roles that are assigned to the employees.

The goal is that an employee only gets the SAP roles contained in their functional roles that are defined for their department. That's why in the example below, Susan gets the Approve Purchase Order role specifically for Chicago:

[Figure: ConditionalInheritance]

Disable conditional inheritance

When the extension is enabled, it is evaluated for all resource parent-child relations unless disabled with the boolean property Disable conditional inheritance, which is available on the data object type Resources.

As its name implies, when Disable conditional inheritance is set to True on the parent resource, conditional inheritance is disabled and the child resources are assigned unconditionally (even if the rules of the extension are not met).
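The decision logic described on this page, as an added Python model that is not Omada's own code: it parses the settings block in the format shown above and decides whether a child resource is assigned to an identity, including the Disable conditional inheritance override on the parent. The dictionary shape of identities and resources, the direct_contexts field and the behaviour when no rule is configured are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the settings block shown on this page (same keys and values).
SETTINGS_XML = """<add type="Omada.RoPE.Controller.OISX.Extensions.ConditionalInheritanceEvaluator, Omada.RoPE.Controller.OISX">
  <settings>
    <add key="ObjectType:Resource" value="OUREF"/>
    <add key="MatchContextMembershipTo" value="OUREF"/>
    <add key="RequireFullMatch" value="false"/>
  </settings>
</add>"""


def parse_settings(xml_text):
    """Read the <settings> keys; ObjectType:Resource is a comma-delimited list."""
    root = ET.fromstring(xml_text)
    raw = {a.get("key"): a.get("value") for a in root.find("settings").findall("add")}
    props = [p.strip() for p in raw.get("ObjectType:Resource", "").split(",") if p.strip()]
    return {
        "properties": props,
        "context_ref": raw.get("MatchContextMembershipTo"),
        "require_full_match": raw.get("RequireFullMatch", "false").strip().lower() == "true",
    }


def child_is_assigned(settings, parent, child, identity):
    """Return True if the child resource of `parent` is assigned to `identity`."""
    # Parent-level override: the evaluator is skipped and the child is assigned unconditionally.
    if parent.get("disable_conditional_inheritance", False):
        return True
    results = []
    # Rule 1: every configured property must carry the same value on child and identity.
    for prop in settings["properties"]:
        results.append(child.get(prop) is not None and child.get(prop) == identity.get(prop))
    # Rule 2: the child's reference value must be one of the identity's DIRECT context
    # memberships; parent contexts are deliberately not expanded.
    ref = settings["context_ref"]
    if ref:
        results.append(child.get(ref) in identity.get("direct_contexts", set()))
    if not results:
        return True  # assumption: no rules configured means nothing restricts assignment
    return all(results) if settings["require_full_match"] else any(results)


# Constructed data mirroring the page's example: Susan belongs directly to Chicago.
SUSAN = {"OUREF": "Chicago", "direct_contexts": {"Chicago"}}
FUNCTIONAL_ROLE = {"disable_conditional_inheritance": False}
SAP_ROLES = {"Approve PO (Chicago)": {"OUREF": "Chicago"}, "Approve PO (Berlin)": {"OUREF": "Berlin"}}


def assigned_roles(settings=None, parent=FUNCTIONAL_ROLE, identity=SUSAN):
    """Names of the child SAP roles the identity receives from the functional role."""
    cfg = settings or parse_settings(SETTINGS_XML)
    return sorted(n for n, r in SAP_ROLES.items() if child_is_assigned(cfg, parent, r, identity))
```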