Version: On prem: 15.0.1

RoPE-related customer settings in Enterprise Server

Some settings for RoPE are set in Enterprise Server; they are described in the list that follows. You can change the settings in the Omada Identity Portal in Setup -> Administration -> More… -> Customer settings.

Actual accounts view name
    Name of the DB view in ODW used for retrieving actual accounts.

Actual permissions view name
    Name of the DB view in ODW used for retrieving actual permissions.

Attributes to resolve display values for
    The human-readable attributes feature enables human-readable values for resource assignment attributes. This is a comma-separated list of attributes for which you want to resolve human-readable display values.

    For example: SM_IDENTITIES,SM_RESOURCES,SM_ORGUNITS,MAILBOXREF.

Await fulfillment confirmation from ODW
    Should the status OK (Pending Confirmation) be assigned when ODW has not yet confirmed fulfillment?

Batch size in bulk operations
    The number of records to insert per database bulk operation. The default value is 5000.

Command timeout (in seconds)
    Timeout applied to SQL commands executed against the RoPE DB, the ES DB and the ODW DB.

    The default value is 300 seconds.

Grace days after org. unit move
    When an identity is transferred to a new org. unit, it remains in the previous org. unit for the specified number of days. The access granted for the previous org. unit thereby remains active for the grace period.

Halt processing if resolution issue?
    Controls whether RoPE should halt the processing of a batch if it cannot resolve all data about systems, resources and identities from the ODW. This can happen when identities are calculated during an ODW export that contains new resources: RoPE cannot resolve assigned resources that have not yet been created as data objects in Enterprise Server.

Ignore indirect ODW assignments
    Controls whether RoPE should ignore indirect resource assignments in ODW.

Log last status message
    If enabled, the last status message from RoPE is written to the Settings table.

Remote API url
    Example: http://MyServer:8010/RoPERemoteApi/

Access groups
    Members of these User Groups have access to the calculation results.

Enable the RoPE?
    Specify if RoPE should be enabled or not. This setting should always be True.

Ignore the ODW?
    Should RoPE ignore the data in the ODW?

Pre-validity days
    The number of days the assignments are pre-valid before their validity period begins.

Reference attributes
    Specifies delimited system names of reference properties that must be treated as reference attributes in RoPE. Normally, reference properties are treated as string attributes in RoPE.

Skip implicit assignments
    Specifies if RoPE should calculate implicit assignments (as described in the 1.1 Implicit assignments of roles section).

    If set to True, RoPE does not calculate any implicit assignments to composite roles.

Skip orphan permission assignments
    If set to True, the UNRESOLVED identity will only get orphan account assignments.

Default account type
    The setting should specify the UID of the account type you want to use as the default account type. By default, this is the Personal account type. You can update this in the tblCustomerSetting table in the Enterprise Server database.

    Normally, a resource and/or the associated resource folder has an account type specified. If no account type is found in either the resource or the resource folder object, the account type specified in the DefaultAccountType customer setting is used.

    You should normally not change this setting, but you can change it if you need to. You can only edit the setting in the database.

Unresolved identity ID
    When Omada Identity Data Warehouse cannot determine an identity as the owner of an account, ownership of the account is assigned to a special identity known as the Unresolved identity.

    This identity is created automatically, and its UID is registered in the UnresolvedIdentityId customer setting in a new installation of Enterprise Server.

    You should normally not change this setting, but you can if you need to. You can only edit it in the database.

Default system owner
    Specify the data object id of the default system owner. Used by the self-management extension in RoPE to set an owner if the last owner is removed. If set to 0, the owner is not set.

Default resource folder owner
    Specify the data object id of the default resource folder owner. Used by the self-management extension in RoPE to set an owner if the last owner is removed. If set to 0, the owner is not set.

Enable Grace Period Without Transfer Process
    If True, a Context Assignment is created when an identity is transferred to a different Org. Unit, even when the transfer process is not used. The validity period of the Context assignment includes the number of Grace days configured on the Grace days property of the Org. Unit's Context type for which the transfer is made.

Desired State Account Rule
    Automatically join and classify an actual account by matching the actual account name with the RoPE desired state account names.

In the following sections, you can find other RoPE-related settings available in Omada Identity Enterprise Server, such as data connections, resource properties, and system properties.

Account type configuration

The default account name for accounts is calculated based on the Account name format specified in the Account type object.

Data connections

The Connection string to the Data Warehouse is taken from the Enterprise Server. To edit the connection string to the Data Warehouse, edit the Connection string field of the ODW Data connection object in Setup -> Administration -> Connectivity -> Data connections.

RoPE calculations are shown in the Omada Identity Portal. To connect to RoPE, Enterprise Server uses the connection string specified in the RoPE data connection object in Setup -> Administration -> Connectivity -> Data connections.

Resource properties

The Resource data objects in Enterprise Server contain some RoPE-relevant properties.

note

With respect to your master data in the ES, ensure that all Resource data objects refer to a System data object.

Provisioning depends on
    Refers to a resource. Calculated resource assignments to the first resource depend on the provisioning of the referred resource.

Skip provisioning
    If you set this to True, provisioning is skipped for CRAs for this resource.

Account types
    Account types that are valid for this resource. If an identity does not have an account of this type, the assignment is skipped.

Child resources
    Relevant for resources of the category Role. Only resources of this category can and should have child resources.
info

The form field of the OWNERREF property on the default form of the Resources data object types has been renamed to Effective owner and the field is read-only. Users added to the Manual owner property will be picked up by RoPE calculations and included in the Effective owner field. The Manual owner field can be used for manually maintaining owners of a resource in Enterprise Server.

Resource folder properties

The Resource folder data objects in Enterprise Server contain some RoPE-relevant properties.

Provisioner
    If your organization uses Manual provisioning, this is where you set the Provisioner(s). The Provisioner is the person who receives a manual provisioning task when RoPE computes new, modified or removed assignments for a resource that is set to be provisioned manually and belongs to this resource folder.

    The property allows picking a single user by default. It is possible to change the configuration of the property to allow picking a user group, as well.

Account types
    All resources in the resource folder have the account types specified in the resource folder.

    If an account type is specified directly in a resource, the information in the resource folder is not used. If no account type is specified in either the resource or the resource folder, the system-wide default account type is used.

Provisioning depends on
    Resource folder data objects have a property named Provisioning depends on that refers to a resource.

    Calculated resource assignments whose provisioning depends on another resource are not provisioned until the referred resource has been provisioned.

    If both the resource data object and the resource folder data object refer to a resource in the Provisioning depends on property, the value in the resource data object overrules the value in the resource folder.
info

The form field of the OWNERREF property on the default form of the Resource folders data object types has been renamed to Effective owner and the field is read-only. Users added to the Manual owner property will be picked up by RoPE calculations and included in the Effective owner field. The Manual owner field can be used for manually maintaining owners of a resource folder in Enterprise Server.
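The Resource and Resource folder properties above interact through a fixed precedence: a value set directly on the resource overrules the resource folder, and for account types the system-wide default account type is the final fallback. The following Python is an added example (not Omada code) that models those rules as small functions so the outcome of a given combination can be checked; the class and function names, the "skipped"/"waiting"/"provision" labels and the sample folder and resources are assumptions made for this example.

```python
"""Added example (not Omada code): how the Resource and Resource folder
properties combine. Resolution order follows the page: a value set directly
on the resource wins over the resource folder, and for account types the
system-wide default is the final fallback. Names here are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Page: the default account type customer setting is the Personal account
# type (stored as a UID in tblCustomerSetting; a readable name is used here).
DEFAULT_ACCOUNT_TYPE = "Personal"


@dataclass
class ResourceFolder:
    name: str
    account_types: list[str] = field(default_factory=list)
    provisioning_depends_on: Optional[str] = None  # name of a resource


@dataclass
class Resource:
    name: str
    folder: ResourceFolder
    account_types: list[str] = field(default_factory=list)
    provisioning_depends_on: Optional[str] = None
    skip_provisioning: bool = False


def effective_account_types(resource: Resource) -> list[str]:
    """Resource value, else folder value, else the system-wide default."""
    if resource.account_types:
        return list(resource.account_types)
    if resource.folder.account_types:
        return list(resource.folder.account_types)
    return [DEFAULT_ACCOUNT_TYPE]


def assignment_is_skipped(resource: Resource, identity_account_types: set[str]) -> bool:
    """Resource 'Account types' rule: no account of a valid type -> assignment skipped."""
    return not any(t in identity_account_types for t in effective_account_types(resource))


def effective_dependency(resource: Resource) -> Optional[str]:
    """'Provisioning depends on': the resource value overrules the folder value."""
    return resource.provisioning_depends_on or resource.folder.provisioning_depends_on


def provisioning_action(resource: Resource, already_provisioned: set[str]) -> str:
    """What happens to a CRA for this resource during provisioning.

    Returns one of three labels (assumed names for this example):
    "skipped"   - Skip provisioning is True on the resource
    "waiting"   - the resource it depends on has not been provisioned yet
    "provision" - nothing blocks provisioning
    """
    if resource.skip_provisioning:
        return "skipped"
    dependency = effective_dependency(resource)
    if dependency is not None and dependency not in already_provisioned:
        return "waiting"
    return "provision"


if __name__ == "__main__":
    # Constructed sample data: a folder that sets both properties, one
    # resource that inherits them and one that overrides both.
    apps = ResourceFolder("Applications", account_types=["Personal"],
                          provisioning_depends_on="AD account")
    crm_user = Resource("CRM user", folder=apps)
    crm_admin = Resource("CRM admin", folder=apps, account_types=["Admin"],
                         provisioning_depends_on="CRM user")
    print(effective_account_types(crm_user), provisioning_action(crm_user, set()))
    print(effective_account_types(crm_admin), provisioning_action(crm_admin, {"AD account"}))
```

Running the block shows that CRM user inherits the folder's Personal account type and waits for AD account, while CRM admin uses its own Admin account type and waits for CRM user even though AD account is already provisioned.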

Resource type properties

The Resource type data objects in the Enterprise Server have a number of RoPE-relevant properties.

note

A resource type can manage the OWNERREF field for a resource folder only exclusively.

Attribute set
    Select an attribute set to be used with the resource type. The attributes that are part of the chosen attribute set are valid for CRAs for resources of the resource type.

    Note that in addition to those attributes, an extension can add additional valid attributes for the resource type.

Provisioning attribute set
    Select an attribute set that is relevant for provisioning to use with the resource type. The attributes that are part of the referred attribute set are the ones that are presented to the provisioning layer. The attributes in the attribute set should be a subset of the valid attributes for the resource type.

Reconcile on attribute level
    Enable this setting in order for RoPE to compare the desired attribute values with the actual attribute values from the Omada Identity Data Warehouse.

    If you enable it, RoPE calculates the provisioning status Pending update if the provisioning attributes of a CRA do not match the values from the Data Warehouse.

Reconciliation attributes map
    Type one or more strings to map attributes between the Omada Identity Data Warehouse and Enterprise Server. The mapping string maps ES/RoPE attribute names to Data Warehouse attribute names.

    RoPE uses the mapping string when it loads account- or permission-assignment attributes from Omada Identity Data Warehouse.

    If a resource type specifies an attribute string, RoPE only looks for the mapped attributes in the Omada Identity Data Warehouse.

    If a resource type does not specify an attribute string, RoPE assumes that all provisioning attributes are present in the Data Warehouse (with the same names as in the ES).

    The mapping string has the following format: [Attribute system name in ES/RoPE]=[Attribute name in DataWarehouse];...

    The mapping string must not contain duplicate attribute names, neither ES/RoPE attribute names nor Data Warehouse attribute names. The mapping string is case-insensitive. Example of a mapping string: FirstName=fn;LastName=givenname

Exclusively managed
    Specifies that CRAs for resources of the resource type are always considered exclusively managed.

    An exclusively managed CRA gets deprovisioned if it does not have a desired state reason.

    Note that RoPE also considers a CRA as exclusively managed (even though the field is not selected) if the CRA has or at some point had a desired state reason.

Post validity (days)
    Specifies the number of days that a CRA remains in existence after the validity period ends. In the post-validity period, the assignment is disabled.

Make “members” / “membership” information available in the sync engine?
    If the resource type has the category Account, then the implication of selecting the property is that the account objects in the MIM MA Connector space have a field named Resources referring to the resources of which the account is a member.

    If the resource type does not have the category Account, then the implication of selecting the property is that the resource objects in the MIM MA Connector space have a field named AssignedTo referring to the accounts that are members of the resource.

MIM MA CS resource object type
    The name that the resource object type will get in MIM Management Agent.

MIM MA CS assignment object type
    The name that the account and resource assignment object type will get in MIM Management Agent.

Allow child resources
    Enable this property to allow child resources for the resource type. You should only enable this property if the resource type specifies the category Role.
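The Reconciliation attributes map format and the Reconcile on attribute level comparison above are precise enough to implement and test. The following Python is an added example (not Omada code) that parses a mapping string, enforces the no-duplicates and case-insensitivity rules the page states, falls back to "every provisioning attribute under its ES name" when no mapping string is set, and then performs the attribute-level comparison that yields the Pending update status. The function names, the "OK" label for a matching CRA and the sample CRA and Data Warehouse values are assumptions made for this example.

```python
"""Added example (not Omada code): parsing and applying the 'Reconciliation
attributes map' string and the 'Reconcile on attribute level' comparison.
The mapping format, the no-duplicates rule and case-insensitivity come from
the page; function names and the "OK" label are assumptions."""


def parse_attribute_map(mapping: str) -> dict[str, str]:
    """Parse "FirstName=fn;LastName=givenname" into {"firstname": "fn", ...}.

    Names are lower-cased because the mapping is case-insensitive, so
    "FirstName=fn;firstname=x" counts as a duplicate. Raises ValueError on a
    malformed entry or on a duplicate ES/RoPE or Data Warehouse name.
    """
    result: dict[str, str] = {}
    seen_dw: set[str] = set()
    for raw in mapping.split(";"):
        entry = raw.strip()
        if not entry:  # tolerate a trailing ';'
            continue
        if entry.count("=") != 1:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        es_name, dw_name = (part.strip().lower() for part in entry.split("="))
        if not es_name or not dw_name:
            raise ValueError(f"empty attribute name in entry: {entry!r}")
        if es_name in result:
            raise ValueError(f"duplicate ES/RoPE attribute name: {es_name}")
        if dw_name in seen_dw:
            raise ValueError(f"duplicate Data Warehouse attribute name: {dw_name}")
        result[es_name] = dw_name
        seen_dw.add(dw_name)
    return result


def attributes_to_load(mapping: str, provisioning_attributes: list[str]) -> dict[str, str]:
    """Which Data Warehouse attributes RoPE looks for, keyed by lower-cased ES name.

    With a mapping string only the mapped attributes are looked for; without
    one every provisioning attribute is assumed to exist in the Data Warehouse
    under its ES name.
    """
    if not mapping.strip():
        return {name.lower(): name for name in provisioning_attributes}
    return parse_attribute_map(mapping)


def reconcile_status(desired: dict[str, str], actual_dw: dict[str, str], mapping: str) -> str:
    """Attribute-level reconciliation of one CRA.

    `desired` holds the CRA's provisioning attributes (ES names), `actual_dw`
    the values loaded from the Data Warehouse (DW names). Any mismatch gives
    the page's "Pending update" status; "OK" otherwise (assumed label).
    Attribute names are compared case-insensitively, values exactly.
    """
    desired_ci = {k.lower(): v for k, v in desired.items()}
    actual_ci = {k.lower(): v for k, v in actual_dw.items()}
    for es_name, dw_name in attributes_to_load(mapping, list(desired)).items():
        if es_name not in desired_ci:  # mapped attribute not part of this CRA
            continue
        if actual_ci.get(dw_name.lower()) != desired_ci[es_name]:
            return "Pending update"
    return "OK"


if __name__ == "__main__":
    # Constructed sample data: the page's example mapping, one CRA and one
    # Data Warehouse row whose last name differs from the desired state.
    cra = {"FirstName": "Ann", "LastName": "Lee"}
    dw_row = {"fn": "Ann", "givenname": "Li"}
    print(parse_attribute_map("FirstName=fn;LastName=givenname"))
    print(reconcile_status(cra, dw_row, "FirstName=fn;LastName=givenname"))
```

The duplicate check is done after lower-casing on purpose: because the page states the mapping is case-insensitive, `FirstName=fn;firstname=x` would otherwise slip through as two distinct entries and silently map the same attribute twice.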

System properties

System data objects in the Enterprise Server have a number of RoPE-relevant properties:

Auto create accounts
    Enable this property to make RoPE automatically create an account assignment for an identity that is assigned to a resource in the system.

    This only happens if the identity does not have an account in the system yet. You should use the setting for systems of a logical nature, specifically for applications and containers of enterprise roles.

Provisioning type (accounts)
    Specifies the provisioning system to use for provisioning accounts.

Provisioning type (assignments)
    Specifies the provisioning system to use for provisioning permissions.

Trusts
    Select a system to create a reference to a trusted system. When a system trusts another system, it allows accounts from the trusted system to be assigned to resources in the trustee system.

Provisioning claim expiration (days)
    The number of days for which a provisioning claim should be valid. The default value is two days: if the value is not configured or is set to 0, it is treated as 2. Setting the value to -1 prevents the claims from expiring.

Failed provisioning claim expiration (days)
    The number of days after which a failed provisioning claim should expire. The default value is never, i.e. “-1”.