Version: On prem: 15.0.1

Self-management

You can use the Omada Identity Management concept to manage access to Omada Identity itself, including ownership of objects and memberships to user groups.

Note

The Omada Identity Management concept requires that you enable the Self-management extension in the Role and Policy Engine (RoPE).

There are several roles that you can manage in Omada Identity:

  • Resource ownership
  • Resource folder ownership
  • Org. unit management
  • Identity management
  • System ownership
  • Cost center ownership
  • Company ownership
  • User group membership
  • Service Desk agent role
  • Classification tag ownership
  • Employment ownership

You can extend the Omada Identity Self-management feature to apply to other data object types.

Ownership concept

In Omada Identity, the effective manager of an object is determined by the users listed in its effective manager/owner (MANAGER/OWNERREF) field. This field is calculated by RoPE, and if you use self-management, it should not be edited directly. The managed data objects also have an explicit owner (EXPLICITOWNER) field that contains owners maintained outside Omada, for example, sourced from connected systems and imported via the Data Warehouse.

You can assign the ownership by using the Access Request process to request ownerships to objects via the self-management resources. RoPE will then calculate the identity and add it to the effective manager/owner field on the managed object.

Membership concept

For ownerships maintained in the connected source systems, you can also assign users to the self-management resources via the Warehouse to Portal export. The export adds users to the Explicit Owner field, and RoPE then calculates the identities and adds them to the effective manager/owner field.

Working with the self-management concept

While working with this concept, note the following:

  • The effective manager/owner field should only be edited by the RoPE calculation process. The reason is that RoPE removes from the field any user who neither holds a Resource Assignment as owner/manager of the object nor is listed in the Explicit owner field.

  • You should not edit the Explicit Owner property directly or through any process other than the Warehouse to Portal export. The explicit owner field is intended only to hold owners maintained in the connected source systems and imported via the Data Warehouse. Users listed as explicit owners and effective owners are not imported back to the Data Warehouse as owners.
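The following is an added illustration of the ownership and membership concepts described above, not code from Omada Identity or RoPE. It models, in a deliberately simplified form, the rule the two notes rely on: an identity stays in the effective manager/owner field only if it holds a Resource Assignment for the object (ownership granted through an Access Request) or is listed in the explicit owner field (populated by the Warehouse to Portal export). The class, function and field names, the object name "Finance-App" and the user names are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ManagedObject:
    """A data object under self-management, for example a resource or org. unit.
    The two sets mirror the page's EXPLICITOWNER and MANAGER/OWNERREF fields;
    the class itself is a constructed toy, not Omada's data model."""
    name: str
    explicit_owners: set = field(default_factory=set)   # EXPLICITOWNER
    effective_owners: set = field(default_factory=set)  # MANAGER/OWNERREF


@dataclass(frozen=True)
class ResourceAssignment:
    """An identity's assignment to a self-management resource for one object,
    i.e. the outcome of a granted Access Request (hypothetical structure)."""
    identity: str
    resource: str  # label of the self-management resource
    target: str    # name of the managed object


def warehouse_to_portal_export(obj, source_system_owners):
    """Model of the Warehouse to Portal export: the owners maintained in the
    connected source system replace the explicit-owner field."""
    obj.explicit_owners = set(source_system_owners)
    return obj.explicit_owners


def calculate_effective_owners(obj, assignments):
    """Model of the RoPE calculation: effective owners are the explicit owners
    plus every identity holding an assignment that targets the object.
    Returns the identities dropped, which is what a manual edit of the
    effective field looks like after the next calculation."""
    assigned = {a.identity for a in assignments if a.target == obj.name}
    recalculated = obj.explicit_owners | assigned
    removed = sorted(obj.effective_owners - recalculated)
    obj.effective_owners = recalculated
    return removed


def find_unjustified_owners(obj, assignments):
    """Read-only review check: which current effective owners have neither an
    assignment nor an explicit-owner entry? Running this before enabling the
    extension shows which manually maintained owners RoPE would remove."""
    assigned = {a.identity for a in assignments if a.target == obj.name}
    return sorted(obj.effective_owners - obj.explicit_owners - assigned)


def run_scenario():
    """Walk through one constructed scenario and return the observed states."""
    app = ManagedObject("Finance-App")
    # Someone edited MANAGER/OWNERREF by hand, against the guidance above.
    app.effective_owners = {"manual_admin"}
    # Ownership via an Access Request: asmith holds the self-management resource.
    assignments = [ResourceAssignment("asmith", "Resource ownership", "Finance-App")]
    # Membership via the export: the source system lists jdoe as owner.
    warehouse_to_portal_export(app, ["jdoe"])

    unjustified = find_unjustified_owners(app, assignments)   # ["manual_admin"]
    removed = calculate_effective_owners(app, assignments)    # ["manual_admin"]
    after_first = set(app.effective_owners)                   # {"asmith", "jdoe"}

    # A later export drops jdoe and adds kwang; the next calculation follows it.
    warehouse_to_portal_export(app, ["kwang"])
    removed_again = calculate_effective_owners(app, assignments)  # ["jdoe"]
    return {
        "unjustified_before": unjustified,
        "removed": removed,
        "effective_after_first": after_first,
        "removed_after_second_export": removed_again,
        "effective_final": set(app.effective_owners),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The `find_unjustified_owners` check is the part worth keeping around: run over existing objects before switching the extension on, it lists exactly the owners that exist only as manual edits and would disappear at the next RoPE calculation, so they can be converted into access requests or source-system records first.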

Working without the self-management concept

Note the following:

  • If you maintain owners/managers manually, you must disable the self-management extension in the RoPE configuration.

  • If you do not use the self-management extension, you should update the effective manager/owner fields directly.

  • You cannot synchronize ownerships between the connected systems and Omada Identity if you disable the self-management concept.

  • You cannot use the Delegation process to delegate ownership of the self-management resources.