Skip to main content
Version: Cloud

Resources

Here you will find different settings to define resource, resource types, and resource folders.

Add resource types

  1. To add a new resource type, click New in the Resource types overview.
  2. In the New Resource dialog box that opens, type a unique Name for the resource type.
  3. From the drop-down menu, select a relevant Resource category to associate with the new resource type.
  4. If you want to allow the assignments for the resources of the created type to have additional attributes, check the Allow attributes checkbox.
  5. In the Attribute set field, click the lookup icon to open the Attribute set dialog. From this dialog box, choose an attribute set to associate with the new resource type.
  6. The Business key field allows you to add a business key for the created resource type.
  7. Optionally, in the New Resource dialog box, select the Allow child resources checkbox to allow resources that do not belong to the role resource category to be able to specify child resources.
  8. Enable the Allow delegation setting to allow identities with this resource to delegate their access to another identity for a limited period of time, for example when the identity is on vacation or in the case of a leave of absence.

Add resource types: Fulfillment (general)

  1. In the Provisioning attribute set field, click the lookup icon to select an attribute set that has provisioning relevance. The attributes are also presented to the sync engine as a bundle. If you do not select any attribute sets here, all assignment attributes are considered relevant to provisioning.

  2. Select the Reconcile on attribute level checkbox to enable provisioning updates in case of any discrepancies in the provisioning attributes in the Omada Identity Data Warehouse. The checkbox is not selected by default.

  3. Select the Reconcile account name checkbox to enforce the account name reconciliation during provisioning updates.

    limitations
    • This feature is dependent on the target system supporting account renaming and ensuring that the account name is appropriately mapped in OPS for correctly performed import.
      • If, for example, the account name is used as the lookup key in the connector, renaming the account is not possible since the existing account in the target system retains the old account name and cannot be found using the new account name.
    • The account name cannot be directly mapped in the reconciliation map.
    • Additionally, for technical identities, their actual and desired state accounts are not covered by this feature and they are linked based on the account name, rather than the account type, unlike normal identities.

  4. In the Reconciliation attributes map field provide a mapping string used by RoPE when account assignment attributes or permission assignment attributes are loaded from the Data Warehouse. This mapping string maps ES/RoPE attribute names to Data Warehouse attribute names. If a resource type specifies an attribute string, RoPE only looks for the mapped attributes in the ODW. If a resource type does not specify an attribute string, RoPE assumes that all provisioning attributes are present in the ODW and have the same names as in Enterprise Server.

    The mapping string has the following format: [Attribute system name in ES/RoPE]=[Attribute name in Data Warehouse];.... It is case sensitive and cannot contain duplicate attribute names; neither ES/RoPE attribute names nor Data Warehouse attribute names, for example, FirstName=givenName;LastName=sn.

  5. Select the Exclusively managed checkbox to make assignments for the resources to be deprovisioned if they do not have a Desired state reason. The checkbox is not selected by default.

  6. In the Post-validity days field, type a number of days in which the assignments calculated for resources of this type are included after the validity period ends. The extension of the validity is intended only to extend the validity period of an identity (as it was designed for identity onboarding and offboarding). In the case of other objects, the object is kept in the calculation for the duration of the post-validity, and it is maintained in the disabled state.

Add resource types: Fulfillment (MIM)

info

This section is relevant only for systems configured for using MIM as fulfillment mechanism.

  1. In the MIM MA CS resource object type field, type the name of a resource object to show calculated resources in the MA as objects of this type.
  2. In the MIM MA CS assignment object type field, type the name of an assignment object type to show calculated accounts and calculated resource assignments in the MA as objects of this type.
  3. Select the checkbox Make members/membership information available in the sync engine? to enable that the sync engine receives information about the accounts that are members of the resource (if the resource is a non-account) or the resources that the account is a member of (if the resource is an account).

Add resource types: other settings

  1. The Allow delegation checkbox allows identities with assignments for resources of the created type to delegate them to someone else. The checkbox is not selected by default.
  2. Thanks to the Allow child resources checkbox you can allow resources of the created type to have child resources. This is mainly intended for resources which represent enterprise roles or application roles. The checkbox is not selected by default.
  3. In the Prevent self-service dropdown, select Yes if you do not want this resource type to be available for self-service access requests.
  4. In the Policy and risk checks field, you can choose checks that should be executed for this resource type.

Editing resource types

You can also edit an existing resource type. In the Resource types dialog, select one of the existing resource types, and click Edit. This opens the Edit Resource type dialog box from which you can specify and edit the same settings that you can set when you add a new resource type.

Renaming resource types

If you wish to rename the resource types that are provided by default in the System onboarding process, it is recommended that you create a new resource type based on the default resource type, and make the desired changes to the copy.

The reason is that the resource type names are used in the system configuration. Thus, you would have to change the name in several places if you wanted to change one of the default resource types.

However, if you'd like to update the resource type name, perform the following steps:

  • Prerequisites:

    • Stop the Role and Policy Engine (RoPE)
    • Stop the Enterprise Server (ES) timer service

  • Update the ES configuration:

    • Update the resource type name in the list of resource types.

    • Open the list of systems (a warning will be displayed).

    • For each system where the resource type is used:

      • Click on the context menu on the right and select Edit (advanced).
      • In the Provisioning service configuration field, rename the resource type accordingly.
      • Click OK to close the system dialog.

    • Open the normal system dialog and validate the task mappings.

      • The name of the resource type in the data model can be updated but is not strictly necessary. If required, perform this step before editing the task mappings.

        Business key

        It is not recommended to update the Business key value of the resource type even if it matches the old resource type name.

    • Commit the OPS settings.

  • Update the RoPE EngineConfiguration.config

    • Update the AttributeValueResolver extension:

      • Update Resource driven attributes (#ASSIGNMENTS_PER_RESOURCETYPE):
        • The name element contains the attribute name, for example, MBOXSIZE. It can be prepended with a resource type name, for example, AD Account:MBOXSIZE.
        • The first element after #ASSIGNMENTS_PER_RESOURCETYPE is a resource type name, it must be updated accordingly, for example, /#ASSIGNMENTS_PER_RESOURCETYPE/Mailbox size:[MBOXSIZE].
      • Update the MapAttributesFromActualDataExtension extension:
        • The ExtraInfo configuration element contains the display name of resource types, unless prepended with UID:. It must be updated accordingly.

  • Service restart:

    • Start the timer service(s) and wait for 2 minutes for the resource type to be synchronized.
    • Start the RoPE service(s).
warning

The Resource type names support the characters from the [^A-Za-z0-9_-!@#$%^&*()] range including space.

SettingDescription
NameType a unique name for the new resource.
Resource categorySelect a relevant resource category to associate with the new resource type.
Allow attributesEnable this setting to allow assignments for resources of this type to have attributes.
Attribute setChoose an attribute set of attributes that are allowed on assignments for resources of this type. The attributes are displayed in the access request when a user picks a resource of the resource type. You can modify the specific display behavior on the attribute type object.

The assignments calculated by RoPE holds values for the attributes. By default, the attribute values are considered relevant for provisioning. If you need to, you can change this by using the Provisioning attribute set property.
Business keyAdd a business key for the created resource type
Provisioning attribute setChoose an attribute set to use for provisioning. Attributes that have fulfillment relevance. If you do not specify a provisioning attribute set, then all assignment attributes are considered provisioning relevant.

The attributes in the provisioning attribute set must be a subset of the attributes in the general attribute set.
Reconcile on attribute levelEnable this setting if discrepancies on provisioning attributes in the ODW should result in provisioning updates.
Reconciliation attributes mapType a mapping string to use for reconciliation. The mapping string is used by RoPE when loading account- or permission assignment attributes from Omada Identity Data Warehouse.

The mapping string maps ES/RoPE attribute names to Data Warehouse attribute names.

If a resource type specifies an attribute string, then RoPE only looks for the mapped attributes in Omada Identity Data Warehouse.

If a resource type does not specify anything, RoPE assumes that all provisioning attributes are present in Omada Identity Data Warehouse (with the same names as in the Enterprise server).

The mapping string has the following format: [Attribute system name in ES/RoPE]=[Attribute name in Data Warehouse];...

The mapping string must not contain duplicate attribute names. Neither ES/RoPE attribute names nor Data Warehouse attribute names. Note that the mapping string is not case-sensitive.

Example of mapping string: FirstName=fn;LastName=givenname
Exclusively managedEnable this setting if calculated assignments for resources of this type should be deprovisioned if they do not have a 'desired state' reason.

Omada recommends that you enable this setting, except during initial implementation or onboarding of a system.
Post-validity (days)Calculated assignments for resources of this type are kept for this number of days after the validity period ends.

A "post-valid" assignment is always marked as disabled by Omada Identity which leads to inactivation or deletion in the target system. For account resources, it can especially be a good idea to use post-validity to delay that an account is deleted in the target system when an employee is offboarded.
Always provision changesShould every single change of provisioning attributes cause provisioning updates? If enabled, settings Reconcile on attribute level and Reconciliation attributes map are ignored.
MIM MA CS resource object typeExpose resources in the MIM MA connector space as objects of this type. Only relevant for systems configured for using MIM as a fulfillment mechanism.
MIM MA CS assignment object typeExpose calculated account/permission resource assignments in the MIM MA connector space as objects of this type. Only relevant for systems configured for using MIM as a fulfillment mechanism.
Make members/ membership information available in the sync engineIf the resource category is Permission, enable showing the accounts that are members of the resource in the MIM MA connector space.

If the resource category is Account, enable showing the resources that the account is member of in the MIM MA connector space.
Allow child resourcesEnable this setting to allow resources that do not belong to the Role resource to be able to specify child resources. For the Role resource, this checkbox is selected by default and is mandatory.
Allow delegationEnable this setting to allow identities with this resource type to delegate their access to another identity for a limited period of time, for example in case of vacation or a leave of absence.
Prevent self-serviceSelect Yes if you do not want this resource type to be available for self-service access requests
Policy and risk checksSelect the policy and risk checks that should be executed for the resource type. If a check is not selectable, it is used for all resources.

Add new resource folders (optional)

  1. To add a new resource folder, click New in the Resource folders overview.

  2. In the New Resource folder dialog box that opens, type a unique Name for the resource type.

  3. Type a unique FolderID for the resource folder. You must use capital letters.

  4. The Effective owner field is read-only. This property is populated with the effective owner by Role and Policy Engine based on the users and user groups added to the Manual owner field.

  5. Optionally, in the Manual owners field, click the lookup icon to select an owner of the resource folder and its resources.

  6. Optionally, in the Approval field, click the lookup icon to select the level(s) at which the approval should be set, for example, System owner or Context owner. You can select one or more levels that can approve.

  7. Optionally, in the Provisioner field, click the lookup icon to see a list of identities and, from there, choose an identity to be the provisioner. You can only choose one identity to be the provisioner for each resource folder.

  8. Optionally, in the Account types field, click the lookup icon to select one or more account types for which the resources in the folder are relevant. Note that this setting may be overridden at the individual resource level. Click OK to save the new resource folder and close the dialog box.

  9. Optionally, in the Classifications field, click the lookup icon to see a list of classification tags. Here, you can select a classification for the created resource folder.

SettingDescription
NameType a unique name for the resource folder.
FolderIDType a unique FolderID for the resource folder. You can only use capital letters.
Effective ownerFilled by RoPE.
Manual OwnersSelect an owner of the resource folder and its resources. This is an optional setting.
ApprovalSelect the level at which to set the approval, for example at System Owner or context owner level. You can select one or more levels Optionally.
ProvisionerSelect an identity from the list of identities to become the provisioner. You can only select one identity to be the provisioner for each resource folder.
Account typesSelect one or more account types for which the resources in the folder are relevant. This setting may be overridden on the individual resource.
ClassificationsHere, you can select a classification tag for the created resource folder.
Policy and risk checksSelect the policy and risk checks that should be executed for the resource type. If a check is not selectable, then it is used for all resources.

Add new resource: general settings

  1. To add a new resource type, click New in the Resources overview. In the New Resource dialog that opens, type a unique ResourceID for the resource type. You can only use capital letters.
  2. Type a unique Name for the resource.
  3. Optionally, type a Description for the resource.
  4. In the Resource type field, click the lookup icon to select a resource type to associate with the resource. You can only select one resource type.
  5. In the System field, click the lookup icon to open the System dialog. Here, you can select a system to associate with the resource. You can only select one system.
  6. In the Resource folder field, click the lookup icon to select a resource folder to associate with the resource. You can only select one resource folder.
  7. The Effective owner field is read-only. This property is populated with the effective owner by Role and Policy Engine based on the users and user groups added to the Manual owner field.
  8. In the Manual owners field, click the lookup icon to select one or more owners of the resource.
  9. The Business key field allows you to add a business key for the created resource.
  10. Optionally, select one or more of the available checkboxes to specify a Classification for the resource. You can choose between Business Critical, System administration, and Privileged access.

Add new resource: Fulfillment

  1. Optionally, in the Provisioning depends on the field, click the lookup icon to select a different resource in order to delay the provisioning process for the new resource until that specific resource has been provisioned.
  2. To enable skipping of provisioning of assignments for this resource, select the Skip Provisioning checkbox. This setting is not enabled by default.

Add new resource: Status and validity

  1. In the Resource status menu, choose a status for the resource if this is relevant for you. You can choose: Inactive, Active, Obsolete, Disabled.
  2. In the fields Valid from and Valid to, select a relevant period of time for the resource to be valid if you want to limit the time when the resource is available.

Add new resource: Advanced

  1. In the Prevent self-service dropdown select Yes if you do not want this resource to be available for self-service access requests.
  2. In the Account types field choose one or more account types for which the resource should be available. If you do not specify anything, account types are inherited from the resource folder.
  3. In the Business processes use the lookup icon to select business processes that the resource is used in. The information is used for defining Segregation of Duties constraints on the business process level.
  4. The Risk score and Risk level field provide information about the risk a given resource pose. The risk score of a permission resource is calculated as: RiskScore(permission) = RiskScore(permission's system) + sum(max(RiskScore(permission's tags per category))). The risk score of a "role" resource is calculated as: RiskScore(role) = max(RiskScore(role's children))). The risk level is derived from the risk score.
  5. In the Policy and risk checks field, you can choose checks that should be executed for this resource.
SettingDescription
ResourceIDType a unique resource ID for the resource.

Do not use commas in the Resource ID. If the resource ID contains a comma, RoPE will encounter a calculation failure.
NameType a unique name for the resource.
DescriptionType an optional description for the resource.
Resource categoryChoose a relevant category to which the resource should belong. You can choose: Role Permission Account Software
Resource typeSelect a resource type to associate with the resource. You can only select one resource.
SystemSelect a system to associate with the resource. You can only select one system.
Child resourcesChoose one or more resources to add as a child resource to the resource.
Resource folderSelect a resource folder to associate with the resource. You can only select one resource folder.
Effective ownerFilled by RoPE.
Manual OwnersSelect one or more resource owner(s).
Business keyAdd a business key for the created resource type
ClassificationsSelect one or more checkboxes to provide a classification for the resource.The available classifications are: Business critical System administration Privileged access
Provisioning depends onSelect another resource that must be provisioned before this one.
Skip provisioningSelect the checkbox to skip provisioning of assignments for this resource. The checkbox is not selected by default.
Resource statusChoose a status for the resource Optionally. You can choose: Inactive Active Obsolete Disabled
Valid fromType a date to specify a period of time from which the resource is valid.
Valid toType a date to specify a period of time which the resource is valid.
Prevent self-serviceChoose Yes if you do not want the resource to be available for self-service access requests. Choose No if you want the resource to be available for self-service access requests.
Account typesChoose one or more account types for which the resource is available. If you do not specify anything, the account type(s) are inherited from the resource folder.
Business processesSelect one or more business processes to associate with the resource.
Risk scoreThe risk score of a permission resource is calculated as: RiskScore(permission) = RiskScore(permission's system) + sum(max(RiskScore(permission's tags per category))). The risk score of a "role" resource is calculated as: RiskScore(role) = max(RiskScore(role's children))).
Risk levelDerived from the risk score.
Policy and risk checksSelect the policy and risk checks that should be executed for the resource.