Skip to main content
Version: On prem: 15.0.0

Provisioning claims

When a resource assignment is to be provisioned or deprovisioned, RoPE creates a provisioning task for the provisioning mechanism selected for the system which the resource belongs to.

If the provisioning mechanism is a manual task, or the Omada Provisioning Service, RoPE receives a provisioning claim for each of the actions (add/modify/remove) when the provisioning task is complete.

RoPE considers the claims when calculating the identity (for whom the claim is). If an active claim exists, the CRA gets an unconfirmed actual reason which counts as an actual state reason the same way an actual direct reason does. By default, a provisioning claim expires after two days.

You can change this default by setting a higher number of days in the PROVCLAIMEXPIREDAYS property on the system. You can also set the value to -1, which means that the claim never expires.

The -1 value should be used in offline systems where you do not expect further updates on the assignment from the warehouse. In addition, the provisioning status of such an assignment is set to OK instead of OK (Pending Confirmation).

After a provisioning task expires, a new provisioning task is created if the result of performing the provisioning task is not detected by the Omada Identity Data Warehouse before that time. Implicitly assigned compound resources and their child resources are neither considered part of the desired state nor part of the actual state.

A provisioning claim is ignored if a record exists in the Omada Identity Data Warehouse (an actual state reason) that is newer than the provisioning claim.

Each provisioning claim can be in one of the four states:

  • Queued -- The provisioning job has been accepted and queued in the OPS for execution.
  • Relayed -- A provisioning task (typically a manual one) has been created in an external provisioning system (for example an ITSM system).
  • Failed -- The external provisioning system to which the task was relayed (for example ITSM or SAP GRC) refused to perform assigned task or OPS was unable to perform it (after a number of retries) due to, for example, a licensing issue or a long-lasting network outage.
  • Done - Provisioning has been performed successfully in target system.
info

Please bear in mind that the Queued claim does not result in recalculation of an identity by RoPE. This is caused by the fact that the Queued claim does not affect the provisioning status of a CRA.

In the case of the Relayed and Failed claims, the expiration date is by default set to 10 days and -1 (never) respectively.