Version: On prem: 15.0.2

Business contexts

Omada Identity has a business context concept that allows you to manage one or more types of business contexts, for example, the organizational structure, or a project hierarchy.

Identities belong to one or more contexts that define the identity's relationship with the organization. Usually, an identity's primary context is the department where the person works, but this model can and sometimes must be extended. For example, this may be relevant if an identity has two part-time employment contracts in different departments.

Business benefits of using this feature include:

  • Managing other business contexts in addition to the organizational structure.
  • Assigning access to identities in a context via assignment policies.
  • Allowing users to make self-service requests for access for use in a specific context, which is granted after the context owner has approved the request.
  • Automatically revoking access granted for use in a context when an identity is no longer part of the context. There are several reasons why such a situation may arise:
    • The identity's context assignment has expired or has otherwise been removed.
    • The context itself has a validity period and its end date has been reached, for example, once a project is finished.

The context concept allows you to control access rights based on a user's contexts. As mentioned, an identity is always assigned to one or more contexts, and all resource assignments (access rights) are tied to one of these contexts.

The context is one of the involved objects that control the validity of the resource assignment. The (selected) context is also used to determine who should approve a request for a resource assignment.

Impact on Role and Policy Engine

The business context concept has the following impact on calculations in Omada Identity Role and Policy Engine (RoPE):

  • RoPE disables calculated resource assignments (CRAs) that are caused entirely by directly assigned resources from the access request process if the context specified for them is one the identity is no longer in, for example, when the identity transfers to another department.
  • If the identity has a primary context type specified but no memberships for it, RoPE disables all of the identity's CRAs.
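
The two rules above, modelled as an added Python example; this is not Omada's code or API. The class names, the `kind` values and the sample identity are hypothetical, and the model assumes that a CRA with several causes is disabled only when every cause is a direct request in a context the identity has left, and that an ended membership counts as no membership.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Context:
    name: str
    ctx_type: str                      # hypothetical type names, e.g. "OrgUnit"
    valid_to: Optional[date] = None    # the context's own end date

@dataclass(frozen=True)
class Membership:
    context: Context
    valid_to: Optional[date] = None    # expiry of the identity's context assignment

@dataclass(frozen=True)
class Cause:
    kind: str                          # "request" (direct assignment) or "policy"
    context: Optional[Context] = None  # context selected on the access request

@dataclass(frozen=True)
class CRA:
    resource: str
    causes: tuple

def active_contexts(memberships, today):
    """Names of contexts where neither the membership nor the context has ended."""
    return {m.context.name for m in memberships
            if (m.valid_to is None or today <= m.valid_to)
            and (m.context.valid_to is None or today <= m.context.valid_to)}

def disabled_cras(cras, memberships, primary_type, today):
    """Resources whose CRAs the two rules above would disable (modelled reading)."""
    active = active_contexts(memberships, today)
    # Second rule: a primary context type is set but no active membership has it.
    if primary_type and not any(m.context.ctx_type == primary_type
                                and m.context.name in active for m in memberships):
        return [c.resource for c in cras]
    # First rule: every cause is a direct request tied to a context the identity left.
    return [c.resource for c in cras if c.causes and all(
        k.kind == "request" and k.context is not None
        and k.context.name not in active for k in c.causes)]

TODAY = date(2024, 6, 1)   # constructed sample data: the project ended the day before
APOLLO = Context("Project Apollo", "Project", valid_to=date(2024, 5, 31))
MEMBERSHIPS = [Membership(Context("Finance", "OrgUnit")), Membership(APOLLO)]
CRAS = [CRA("ERP-Reader", (Cause("policy"),)),
        CRA("Apollo-Repo", (Cause("request", APOLLO),)),
        CRA("Shared-Drive", (Cause("request", APOLLO), Cause("policy")))]
```

With the sample data, `disabled_cras(CRAS, MEMBERSHIPS, "OrgUnit", TODAY)` returns only `Apollo-Repo`: `Shared-Drive` keeps a policy cause, so it is not caused entirely by the request made in the ended project context.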