Skip to main content
Version: On prem: 15.0.1

Avoiding unintentionally deleted contexts

In a standard installation of Omada Identity, contexts are deleted when they are no longer delivered from an HR system. If you or your organization delete contexts unintentionally, the result may be that unintentional deprovisioning takes place. To avoid this from happening, you can enable this feature by configuring Omada Identity Data Warehouse, Omada Identity RoPE, and Omada Identity.

Results of enabling the feature

Any assignment policy on a deleted context, such as OrgUnit, Company or Cost center, stays effective until the Operation administrator has accepted the deletion. Only then the access is deprovisioned.

When a context is deleted from the HR system, it is expired in Omada Identity Data Warehouse. The status changes from Active to Deleted but any assignment policy stays effective.

The Deleted Context Survey is started the next morning, depending on the configuration of the timer configuration, and the Operation Administrators are assigned the task to review the deletion.

  • If the Operation administrators accept the deletion, any assignment policy on the context is no longer effective, and access is deprovisioned. The context is not deleted, but it is removed from the list view.
  • If the Operation administrators reject the deletion, any assignment policy remains effective. Once the context is delivered by the HR system again, the status is changed back to Active in Omada Identity.
Set up Omada Identity Data Warehouse

Follow these steps to set up Omada Identity Data Warehouse:

  1. Go to Systems > Omada Identity and open Warehouse to portal mapping.

  2. Open Update or create Identities and go to mappings. Locate the Organizational unit mapping and click Edit. Change the Lookup view to Context assignments to latest context and click OK twice:

    avoiding-del-context

  3. Open Update or create Organizational units and go to mappings. Locate the Status mapping and set it to Constant and the value Active. Locate the Last deleted context survey started on mapping and set it to Constant and the value Never expires. Then, click OK twice:

    avoiding-del-context

  4. Open Delete if exists Organizational units. Change Operation to Update if exists. Go to mappings. Locate the Status mapping and set it to Constant with the value Deleted. Locate the Last deleted context survey started on mapping and set it to Constant with the value 2000-01-01. Then, click OK twice:

    avoiding-del-context

  5. Repeat steps 3 and 4 for Companies, Cost centers and Employments if they are enabled.

Set up Omada Identity RoPE

Configure RoPE to recalculate identities when the status of a context changes.

<add key="DOT#OrgUnit" value="CONTEXTSTATUS"></add>
<add key="DOT#CostCenter" value="CONTEXTSTATUS"></add>
<add key="DOT#Company" value="CONTEXTSTATUS"></add>
Configure Omada Identity

Follow these steps to configure up Omada Identity:

  1. Upload the survey template Deleted Context Survey from the DeletedContextSurveyTemplate.XML located in the survey templates folder.
  2. Change the Deleted Context Survey process template to Prevent instantiation.
  3. Enable the timer on the Launch deleted context survey event definition.
  4. The survey includes contexts with status Deleted or Deleted (rejected), unless they have been included in another survey the last 30 days. If you want to, you can change the limit of 30 days in the code method parameter on the event definition.