Attributes
A calculated account resource assignment (CARA) and calculated permission resource assignment (CPRA) can have attribute values.
The use of attributes typically falls into one of the following categories:
- Account fields, such as Email address or Mailbox limit required by the connected system.
- Role parameters (for example, Approval amount limit) that provide additional information on an assignment, for example, an ERP role such as Approve purchase order for an identity. Moreover, role parameters are supported and required by the connected system.
- Information attributes that hold information that's only relevant inside and is not provisioned to the connected system, for example, the Compliance status.
Moreover, the set of legal attributes for a calculated resource assignment is dictated by the attribute set that's specified on the resource type.
An attribute definition is merely a wrapper for a property; in RoPE calculation data, an attribute is represented by the system name of the property (and not the name of the attribute definition itself).
A RoPE assignment attribute has one of the following data types:
- Boolean
- DateTime
- Integer
- String
- Reference
The data type of a RoPE assignment attribute is dictated by the type of property.
Not all types of properties are supported. A RoPE assignment attribute is always multivalued regardless of whether said property supports multiple values.
The following table presents properties mapping to RoPE attribute data type:
Property | Maps to RoPE attribute data type |
---|---|
Value property, data type “Text” | String |
Value property, data type “Integer” | Integer |
Value property, data type “DateTime” | DateTime |
Value property, data type “Decimal” | Not supported |
Value property, data type “Boolean” | Boolean |
Value property, data type “Hyperlink” | Not supported |
Value property, data type “TimeSpan” | Not supported |
Value property, data type “MultiLangText” | Not supported |
Value property, data type “Xml” | Not supported |
Reference property | String or Reference |
Set property | String |
An assignment attribute is only saved and stored if it has a value. However, if it does not have a value, but did have one in the past, it's saved in all subsequent calculations (for RoPE to be able to provide a proper delta for the provisioning layer).
Attribute values are automatically assigned from the involved objects of an assignment. For example, if an attribute that's legal for a calculated resource assignment is present on the identity data object, then the value from the identity is assigned to the calculated resource assignment.
A property should only be used as a definition for a single attribute. The system property's name should never be specified on multiple attribute types.
With respect to the master data in ES, ensure that all Attribute data objects state a unique system property name in the Definition section.
If two attributes in the same attribute set have the same definition, RoPE merges them together. As a result, all attributes should state a unique system property name as the definition.
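The two rules above (supported property types and one property per attribute) can be checked before RoPE ever calculates on the data. The following is an added example, not part of the original documentation or the product's own code; the export layout (`name`, `property`, `kind`, `data_type`, `attribute_set`), the sample records and the finding labels are assumptions made for illustration.

```python
from collections import defaultdict

# Supported mappings from the table above. Anything absent from this map
# (Decimal, Hyperlink, TimeSpan, MultiLangText, Xml) is not supported.
ROPE_TYPE = {
    ("Value", "Text"): "String",
    ("Value", "Integer"): "Integer",
    ("Value", "DateTime"): "DateTime",
    ("Value", "Boolean"): "Boolean",
    ("Reference", None): "String or Reference",
    ("Set", None): "String",
}

def audit_attributes(attributes):
    """Return findings for unsupported property types and shared definitions."""
    findings = []
    by_property = defaultdict(list)
    for attr in attributes:
        key = (attr["kind"], attr.get("data_type"))
        # A property type with no mapping cannot back a RoPE attribute.
        if key not in ROPE_TYPE:
            findings.append(("unsupported", attr["name"], attr["property"]))
        by_property[attr["property"]].append(attr)
    for prop, users in sorted(by_property.items()):
        if len(users) > 1:
            names = sorted(a["name"] for a in users)
            # Same attribute set: RoPE merges the attributes together.
            same_set = len({a["attribute_set"] for a in users}) < len(users)
            kind = "merged-in-set" if same_set else "shared-definition"
            findings.append((kind, ", ".join(names), prop))
    return findings

# Constructed sample export; record layout and values are hypothetical.
SAMPLE = [
    {"name": "Email address", "property": "EMAIL", "kind": "Value", "data_type": "Text", "attribute_set": "AD account"},
    {"name": "Mailbox limit", "property": "MAILBOXLIMIT", "kind": "Value", "data_type": "Integer", "attribute_set": "AD account"},
    {"name": "Approval amount limit", "property": "APPROVALLIMIT", "kind": "Value", "data_type": "Decimal", "attribute_set": "ERP role"},
    {"name": "Compliance status", "property": "COMPLIANCESTATUS", "kind": "Set", "attribute_set": "ERP role"},
    {"name": "Contact mail", "property": "EMAIL", "kind": "Value", "data_type": "Text", "attribute_set": "AD account"},
    {"name": "Storage quota", "property": "MAILBOXLIMIT", "kind": "Value", "data_type": "Integer", "attribute_set": "ERP role"},
]

if __name__ == "__main__":
    for finding in audit_attributes(SAMPLE):
        print(finding)
```

A `merged-in-set` finding matters most for access reviews: two attributes that an administrator believes are independent end up as one value set on the assignment that is provisioned to the connected system.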