Version: On prem: 15.0.2

RoPE

The main purpose of the Role and Policy Engine (RoPE) is to calculate accounts and resource assignments for identities on the basis of policies and self-service access requests in Omada Identity. The calculated accounts and resource assignments are then used for provisioning to target systems via the Omada Provisioning Service, manual provisioning tasks, the MIM Synchronization Service, or another provisioning engine.

RoPE calculates the compliance status of each resource assignment, that is, whether the assignment has been explicitly or implicitly approved, by comparing:

Actual state - how the resource assignment is set up in the target system, and

Desired state - how Omada Identity expects the resource assignment to be, according to your defined policies, approved requests, access reviews, and so on, in Omada Identity.

info

Note that a running instance of Omada Identity is required to perform RoPE calculation, because the ES web service with the webservice/RoPEWebService.asmx endpoint is called during the calculation.

Omada Academy

ROP300: Omada Identity Access Reconciliation training explains how the Role and Policy Engine works. You can check our Instructor-Led Training offering on the Omada Academy website.

RoPE Windows service on-prem

RoPE runs as a Windows service that performs a processing cycle every 10 seconds. Each processing cycle has two phases:

  • Event-based queuing
  • Identity processing

In the queuing phase, relevant events in Omada Identity and the Omada Identity Data Warehouse are processed and, as a result, the affected identities are queued for processing. In addition to this event-based queuing, the RoPE service performs periodic queuing of identities and runs maintenance jobs every hour.

Business context model

RoPE considers the configuration of the Omada Identity business context model in its calculations. RoPE disables calculated resource assignments (CRAs) that are caused entirely by directly assigned resources, for example from the access request process, if the identity is no longer in the business context in which the resource was assigned.

If the identity has a primary context type specified and has no memberships of that context type, RoPE disables all of its CRAs.

note

The business context model only handles normal identities, that is, neither technical identities nor unresolved identities.