Skip to main content
Version: Cloud

Survey verdicts

Omada Identity enables organizations to review user access through surveys, where decisions, or verdicts, determine whether users keep or lose access to resources. RoPE then processes these verdicts to update Calculated Resource Assignments (CRAs), helping ensure access meets business and compliance needs.

There are two types of verdicts supported in Omada Identity:

VerdictMeaningEffect
KeepThe access is valid and should be retained.

A CRA with the Keep verdict has an assignment reason of the type Review OK. However, this verdict should not be the sole reason for a CRA, as it is considered a second-class desired state. We recommend to always use a direct assignment or an assignment policy as the primary desired state, and only use the Review OK reason as a temporary measure.		RoPE considers these verdicts and retains calculated assignments for those with a Keep verdict and an additional reason, typically Actual direct.
RemoveThe access is no longer valid and should be removed.RoPE considers these verdicts and marks the CRA as disabled, resulting in deprovisioning.

While reviewing access, you can select a decision (Keep or Remove) from the drop-down menu in the Actions column.

Additional actions: Revoke and Expire

In Omada Identity, Revoke and Expire are actions linked to survey verdicts but are not survey verdicts themselves.

Revoke

Revoke removes calculated resource assignments (CRAs) without a desired state. This creates a new Remove verdict and expires any direct reasons for the assignment.

note

This action is only available to the Operation administrator, System administrator, and Service desk users groups.

To revoke assignments, go to Identities, select an identity, and select Revoke assignments from the context menu in the Resource assignments grid.

You can revoke CRAs of the following types:

  • Direct
  • Actual direct
  • Unconfirmed actual
  • Review OK

When a CRA is revoked, a new Remove verdict is generated. If any direct reasons exist, the responsible resource assignment data objects are also expired.

Expire

To perform the Expire action, navigate to Identities, choose an identity, and select Direct assignments from the Resource assignments grid in the context menu.

Select an assignment, open the ellipsis (three dots) menu, and choose Expire. This sets the assignment status to Obsolete without creating survey campaigns. Expiring direct assignments updates the Valid to date to the end of the day and marks the assignment as Obsolete, similar to the standard Expire process.

Technical Preview Feature: Approve survey questions create direct resource assignments

tip

This technical preview feature can be enabled via a feature toggle in customer settings.

When activated, this feature simplifies survey result management by automatically creating direct resource assignments after a Keep verdict, if certain conditions are met.

The following out-of-the-box survey templates are supported:

  • Access review for managers
  • Access review for resource owners
  • User Mailbox access review
  • Transfer identity survey

To enable the feature, go to Customer settings and set Create direct resource assignments on surveys by default to true.

warning

Only use this feature in production after thoroughly testing it in your non-production environment.

How it works

Once activated, when an Approve decision is made regarding designated survey templates, the following scenarios apply:

Case 1: No existing direct resource assignment

A new direct resource assignment will be created if:

  • The existing calculated assignments do not require mandatory or visible attributes within access requests, as such assignments cannot be generated automatically.

  • The existing calculated assignment includes only Actual and/or Review OK reasons. This approach minimises the creation of excessive definitive desired states, recognising that Review OK is a temporary reason; ES will continue to generate Review OK reasons in these instances.

    This means that if any of the reasons for assignments listed below are present, no new direct resource assignment will be created, and the Review OK reason will still apply:

    • Policy
    • AutoAccount
    • ChildResource
    • Additional
    • ImplicitAssignment
    • ImplicitChild
    note

    For more information about assignment reasons and states, see Assignments.

The created direct assignment is valid from the decision date through the verdict expire after days period.

Case 2: Existing direct resource assignment

No new assignment are created, and the following updates may be applied:

  • Validity: If the origin is Access Request or the resource assignment status is Obsolete, the validity dates remain unchanged. Otherwise, validTo is updated to the survey expiry date.

  • Description: The approver's name and approval comment are added at the beginning of the description.

Context assignment

By default, the context assigned to the created direct resource assignment is empty. In case you need to specify this value, survey templates can be modified to include a new Context field in the questions.

Adding a Context column to a survey template

When Enterprise Server is set up to generate direct resource assignments (DRAs) with each Keep verdict, the DRA context defaults to empty. If there is a need to set a context for the DRA upon creation, one option is to introduce a Context field in the survey template. Adding this field allows for specifying the DRA context during its creation.

  1. Go to Setup and under Administration, select Survey templates. Locate the survey template you want to modify, and click on Edit.

  2. Add a new Context property to the survey template.

    1. Go to the Survey object section.

    2. Click New.

    3. In System name, filter by RA_CONTEXT.

    4. Select the RA_CONTEXT property and click OK.

  3. Add the new property to the survey form and allow it to be edited.

    1. Go to the Forms section.

    2. Click on the ellipsis (three dots) menu to the right of the resourceowner row, and select Fields.

    3. In the Form resourceowner Fields view, click on Select fields.

    4. Filter by Context and click OK.

    5. Select the newly added reference property Context and click OK.

    6. Back in the Form resourceowner fields view, filter by Context, select the new field, and click Edit.

    7. Fill in the fields:

      • Caption: Context
      • State: Can edit
      • Multistate: Can edit

    8. Click OK.

    1. Select Close to close the Form resourceowner fields view.

  4. Add the new property to the survey Grid and allow it to be edited.

    1. Go to the Grids stage.

    2. Click on the ellipsis menu to the right of the resourceowner row and select Fields.

    3. In the Grid resourceowner Fields view, click on Select fields.

    4. Filter by Context and click OK.

    5. Select the newly added reference property Context and click OK.

    6. Back in the Grid resourceowner fields view, filter by Context, select the new field, and click Edit.

    7. Fill the fields:

      • Caption: Context
      • State: Can edit

    8. Click OK.

    1. Click Close to close the Grid resourceowner fields view.

  5. Select Apply to save the changes made to the survey template.

You can also set the context by defining an event definition on resource assignment, filtering based on the origin property of the resource assignment, and then assigning the desired context value.

To distinguish between the different origin types, you need to use a reference path filter on the event definition, which will allow you to filter the events based on resource assignment origin property. This way, you can configure the context that will be assigned depending on how the resource assignment was created (for example, because of a particular kind of a survey or because of the Approve all assignments feature).

Examples below show how to apply this in different scenarios.

Event definition triggers on objects of type: Resource assignments

  1. Reference path to identify every resource assignment created by a survey:
  • Reference path: /ORIGINREF
  • Left side: Survey template [SURV_TEMPLATENAME]
  • Inner operator: <>
  • Right side: empty string
  1. Reference path to distinguish between different kinds of surveys
  • Reference path: /ORIGINREF
  • Left side: Survey template [SURV_TEMPLATENAME]
  • Inner operator: =
  • Right side: Access review for resource owners
tip

You can, for example, set the context by adding a code method Action type using CopyPropertyValuesFromReferencePath or CopySourcePropertiesToTargetPropertiesOnRefPath, and then configuring it to set the context to the expected value (like the primary Context of the identity).

limitation of event definitions

This filter is only available for timer-triggered events due to a current limitation: event definitions can only filter by a reference path when the trigger type is a timer.

For more information, see Event definitions - Set up filter expressions for event definitions, especially step 4.

Provisioning

Provisioning for new or updated direct resource assignments continues to work as before, with no changes to the process.

Survey verdicts behavior

When this feature is enabled, Keep verdicts for which a DRA has been created are auto-created with an expiry period of 0 days. Therefore, they are immediately expired and RoPE excludes them from calculations, so only the direct reason determines the state.

This only applies when a DRA exists; if not, Keep verdicts retain their usual expiry. In the Audit Trail report, Approve decisions appear as before, but Compliance status reasons now lists the Direct reason instead of Review OK.

Effect on ongoing surveys

Enabling the setting does not affect already initiated surveys. Verdicts created before enabling the feature will function as usual, while those created afterwards will follow the updated scenarios.

Approve all assignments feature

Once the feature is enabled, the Approve all assignments feature (which allows to create a verdict for actuals to achieve a desired state without running access review surveys, or establishing roles or policies, available in System and Resource Type views) will generate direct resource assignments instead of Keep verdicts.

If an assignment does not contain mandatory or visible attributes, a new direct resource assignment is created as outlined above in Direct resource assignment scenarios, case 1.

FAQ

  1. What is responsible for creating or updating the direct resource assignment?

    The direct resource assignment is created or updated by the survey post-action handler.

  1. How does the Approve all assignments button influence verdicts?

    Selecting the Approve all assignments button results in the creation of direct resource assignments rather than survey verdicts.

  1. Can the new feature be used in custom surveys?

    Yes, if the custom survey uses the CalculatedAssignmentVerdictSurveyPostActionHandler for post-actions, the feature will be enabled.

  1. Is there a migration path for converting existing verdicts?

    There is no automatic migration. If CRA lacks a DRA, enabling the feature will not create it.

  1. Is it necessary to complete all active surveys before enabling the new feature?

    No. You can enable the new feature with ongoing surveys. Current verdicts remain valid, while new responses will create direct resource assignments. Any pending survey questions will now generate direct resource assignments instead of verdicts once the feature is enabled.

  1. Why do we still need verdicts?

    Verdicts are needed for reporting, audit trails, and regulatory compliance. They provide a historical record of approvals and decisions, and are kept during the transition to direct resource assignments to ensure continuity. Verdicts are also necessary when a DRA cannot be created due to mandatory attributes.

  1. Has RoPE support for verdicts changed?

    No, RoPE's verdict handling remains the same. Only the post-action handlers for default surveys and the Approve all assignments feature have been updated.

  1. What impact does creating direct resource assignments in surveys have on performance?

    Performance tests show only a minor difference, with submission times scaling linearly as decisions increase. Overall speeds are similar to before, though some environments may experience slower processing due to complex resource assignment configurations.