Accounts
RoPE distinguishes between Calculated Account Resource Assignments (CARA) and Calculated Permission Resource Assignments (CPRA).
Calculated resource assignments, both CARAs and CPRAs, can have attribute values. The use of attributes typically falls in one of the following categories:
Assignment reasons and states
The Attribute level reconciliation concept allows you to configure RoPE to compare the actual state attribute values of accounts and resource assignments with the desired state attribute values.
A calculated account resource assignment (CARA) and calculated permission resource assignment (CPRA) can have attribute values.
RoPE calculates a compliance status for all calculated assignments. The compliance status indicates if an assignment is under control, meaning that it has been either explicitly or implicitly approved. The
You can configure Omada Identity RoPE:
RoPE only allows an identity to have a single calculated resource assignment (CRA) per system/resource/account name combination. Therefore, if an identity has two assignments for the same resource, RoPE merges them into one. An identity can, for example, have two assignments for the same resource if two assignment policies both assign that resource to it.
Some basic configurations are set in the EngineConfiguration.Config file located in C
A fundamental idea in Omada Identity is that it manages access rights, including deprovisioning those access rights that it believes should no longer exist. Omada Identity deprovisions a managed access right when that right no longer has a desired state.
RoPE includes an extension model that allows you to modify the behavior of RoPE. Much of the core functionality of RoPE uses the extension model and is implemented as extensions.
The Grace days property specifies the number of grace days used when creating new transfer context assignments for the old context, using the Identity transfer code method. This will create an identity transfer object, which can be used for reporting, auditing, and retrieving old managers of an identity in the transfer identity assignments survey.
Processing an identity
Calculation affecting events resolver
Assigned resource overview
The Management Agent applies a data model in the connector space that has three categories of object types:
Omada Identity includes a simulation feature for making policy checks from an access request.
If RoPE calculates a CRA and the current time is outside the validity period of that CRA, that is, before the validity period starts or after it ends, the CRA is normally disregarded and is not included in the calculation result.
From an Omada Identity perspective, to provision something means to create it in a target system.
When a resource assignment is to be provisioned or deprovisioned, RoPE creates a provisioning task for the provisioning mechanism selected for the system to which the resource belongs.
When RoPE processes an identity, it computes a provisioning status for each of the identity's account and permission assignments.
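The following Python script is an added illustration, not Omada's code, of the rules stated in the passages above: merging duplicate assignments per system/resource/account name combination, disregarding assignments whose validity period does not cover the current time, comparing desired-state attribute values with actual-state values, and deriving a provisioning status (provision, update, in sync, deprovision) per assignment, where an actual assignment with no desired state is scheduled for deprovisioning. The data classes, function names, the sample policy output and the sample actual state are all constructed for this example; the page does not describe how RoPE combines attribute values or reasons from two policies, so this script combines them and treats a conflicting value for the same attribute as a configuration error.

```python
"""Illustrative desired-state vs actual-state reconciliation (not RoPE's implementation)."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (system, resource, account name)


@dataclass
class Assignment:
    """A calculated resource assignment, or an assignment observed in a target system."""
    system: str
    resource: str
    account_name: str
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None
    reasons: Tuple[str, ...] = ()
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def key(self) -> Key:
        return (self.system, self.resource, self.account_name)

    def is_valid_at(self, now: datetime) -> bool:
        """True when 'now' lies inside the validity period (open bounds allowed)."""
        if self.valid_from is not None and now < self.valid_from:
            return False
        if self.valid_to is not None and now > self.valid_to:
            return False
        return True


def calculate_desired_state(policy_output: List[Assignment], now: datetime) -> Dict[Key, Assignment]:
    """Drop assignments outside their validity period, then merge the rest by key."""
    merged: Dict[Key, Assignment] = {}
    for a in policy_output:
        if not a.is_valid_at(now):
            continue  # disregarded: not part of the calculation result
        existing = merged.get(a.key)
        if existing is None:
            merged[a.key] = replace(a, attributes=dict(a.attributes))
            continue
        # Second policy assigning the same resource: merge into the single CRA.
        existing.reasons = tuple(sorted(set(existing.reasons) | set(a.reasons)))
        for name, value in a.attributes.items():
            # Assumption for this example: a conflicting attribute value is an error.
            if name in existing.attributes and existing.attributes[name] != value:
                raise ValueError(f"conflicting value for {name} on {a.key}")
            existing.attributes[name] = value
    return merged


def reconcile(desired: Dict[Key, Assignment], actual: Dict[Key, Assignment]):
    """Compute a status per assignment and the provisioning tasks that follow from it."""
    status: Dict[Key, str] = {}
    tasks = []
    for k, d in desired.items():
        a = actual.get(k)
        if a is None:
            status[k] = "provision"
            tasks.append(("provision", k, dict(d.attributes)))
            continue
        # Attribute-level comparison of desired vs actual values.
        drift = {n: v for n, v in d.attributes.items() if a.attributes.get(n) != v}
        if drift:
            status[k] = "update"
            tasks.append(("update", k, drift))
        else:
            status[k] = "in_sync"
    for k in actual:
        if k not in desired:  # managed right with no desired state
            status[k] = "deprovision"
            tasks.append(("deprovision", k, {}))
    return status, tasks


# Constructed sample data: what two assignment policies produce for one identity.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
POLICY_OUTPUT = [
    Assignment("AD", "Sales-Share", "jdoe", reasons=("Policy: Sales staff",), attributes={"accessLevel": "write"}),
    Assignment("AD", "Sales-Share", "jdoe", reasons=("Policy: EMEA region",), attributes={"region": "EMEA"}),
    Assignment("AD", "Finance-Share", "jdoe", valid_to=datetime(2024, 3, 31, tzinfo=UTC), reasons=("Policy: Budget project",)),
    Assignment("SAP", "FI_DISPLAY", "JDOE", valid_from=datetime(2024, 1, 1, tzinfo=UTC), reasons=("Policy: Finance viewers",)),
]
# Constructed sample data: what the target systems currently contain.
ACTUAL_STATE = [
    Assignment("AD", "Sales-Share", "jdoe", attributes={"accessLevel": "read", "region": "EMEA"}),
    Assignment("AD", "Legacy-App", "jdoe"),
]


def run():
    desired = calculate_desired_state(POLICY_OUTPUT, NOW)
    actual = {a.key: a for a in ACTUAL_STATE}
    return reconcile(desired, actual)


if __name__ == "__main__":
    for task in run()[1]:
        print(task)
```

Running the script drops the expired Finance-Share assignment, merges the two Sales-Share assignments into one CRA with both policy reasons, and emits an update task for Sales-Share (accessLevel read vs write), a provision task for FI_DISPLAY and a deprovision task for Legacy-App, which exists in the target system but has no desired state.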
Queuing types
Attribute values which cannot be mapped directly from a Resource or an Identity can be mapped using the AttributeValueResolver RoPE extension. For more details on this extension, see the Attribute value resolver section in Standard extensions.
The resource-driven attributes concept allows for mapping and assigning attribute values to a CRA by retrieving the values from the resource of another CRA for the same identity.
Read how the Role and Policy Engine (RoPE) works and how you can configure this engine to suit your organization’s needs.
Some settings for RoPE are set in Enterprise Server and they are described in the table that follows. You can change the settings in the Omada Identity Portal in Setup -> Administration -> More… -> Customer settings.
Prerequisites
Generic extension for mapping ODW attributes to OPS provisioning attributes
System data objects
You can specify a time zone for an identity in the Timezone property of the Users view. If you do not specify a time zone, the system uses the default time zone specified in the customer setting Default time zone (in the Customer settings view). The default time zone is 105.
In Omada Identity, all accounts should be associated with an identity.
RoPE calculates a validity period and disabled status for all CRAs.