Version: Cloud

Resources

This page provides step-by-step instructions for configuring resources, resource types, and resource folders during import and onboarding.

info

For reference information on the resource data model, settings, and the AI Description Optimizer (Technical Preview feature), see Resources (Data model).

Add resource types

  1. To add a new resource type, click New in the Resource types overview.
  2. In the New Resource type dialog box that opens, type a unique Name for the resource type.
  3. From the Resource category drop-down menu, select the category to associate with the new resource type.
  4. Select the Allow attributes checkbox if assignments to resources of this type may carry additional attributes.
  5. In the Attribute set field, click the lookup icon to open the Attribute set dialog box and choose the attribute set to associate with the new resource type.
  6. Optionally, in the Business key field, add a business key for the resource type.
  7. Optionally, select the Allow child resources checkbox to allow resources that do not belong to the role resource category to specify child resources.
  8. Select the Allow delegation checkbox to let identities that hold a resource of this type delegate their access to another identity for a limited period, for example during vacation or a leave of absence.
info

For information on how to migrate resource types and their associated ODW extension attributes between systems, refer to the Migrating resource types and ODW extension attributes section below.

Add resource types: Fulfillment (general)

  1. In the Provisioning attribute set field, click the lookup icon to select the attribute set whose attributes are relevant to provisioning. These attributes are also presented to the sync engine as a bundle. If you select no attribute set here, all assignment attributes are treated as relevant to provisioning.

  2. Select the Reconcile on attribute level checkbox to trigger provisioning updates when RoPE finds discrepancies in the provisioning attributes loaded from the Omada Identity Data Warehouse. The checkbox is not selected by default.

  3. Select the Reconcile account name checkbox to enforce account name reconciliation during provisioning updates.

    limitations
    • This feature depends on the target system supporting account renaming, and on the account name being mapped correctly in OPS so that the import works.
      • If, for example, the account name is the lookup key in the connector, renaming is not possible: the existing account in the target system keeps the old account name and cannot be found under the new one.
    • The account name cannot be mapped directly in the reconciliation map.
    • Technical identities are not covered by this feature: their actual-state and desired-state accounts are linked on the account name rather than on the account type, unlike normal identities.
  4. In the Reconciliation attributes map field, provide the mapping string RoPE uses when account assignment attributes or permission assignment attributes are loaded from the Data Warehouse. The string maps ES/RoPE attribute names to Data Warehouse attribute names. If a resource type specifies a mapping string, RoPE looks only for the mapped attributes in the ODW; if it does not, RoPE assumes that all provisioning attributes are present in the ODW under the same names as in Enterprise Server.

    The mapping string has the format [Attribute system name in ES/RoPE]=[Attribute name in Data Warehouse];..., for example FirstName=givenName;LastName=sn. It is case sensitive and must not contain duplicate attribute names on either side (neither ES/RoPE attribute names nor Data Warehouse attribute names).

  5. Select the Exclusively managed checkbox to have assignments to resources of this type deprovisioned when they have no Desired state reason. The checkbox is not selected by default.

  6. In the Post-validity days field, type the number of days for which assignments calculated for resources of this type stay included after their validity period ends. This extension was designed for identity onboarding and offboarding and is intended only to extend the validity period of an identity. For other objects, the object is kept in the calculation for the post-validity period and maintained in the disabled state.
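The Python helper below is an added example, not part of the Omada product or its documentation. It parses a Reconciliation attributes map string (step 4 above) and enforces the two rules the page states for it: names are compared case-sensitively, and no name may repeat on either the ES/RoPE side or the Data Warehouse side. It also shows which ODW attribute names RoPE would look up for a given set of provisioning attributes, including the default when the field is empty. The function names and the sample strings are the author's assumptions, not an Omada API.

```python
"""Validate a RoPE 'Reconciliation attributes map' string.

Format described on the page: [ES/RoPE attribute]=[Data Warehouse attribute];...
for example FirstName=givenName;LastName=sn. Names are case sensitive and
must not repeat on either side of the mapping.

Added example; function names are assumptions, not an Omada API.
"""
from typing import Dict, Iterable, List


def parse_reconciliation_map(mapping: str) -> Dict[str, str]:
    """Return {es_attribute: odw_attribute}; raise ValueError for a string RoPE would reject."""
    es_to_odw: Dict[str, str] = {}
    odw_seen = set()
    for raw in mapping.split(";"):
        entry = raw.strip()
        if not entry:                      # tolerate the trailing ';' the format allows
            continue
        if entry.count("=") != 1:
            raise ValueError(f"malformed entry {entry!r}: expected exactly one '='")
        es_name, odw_name = (part.strip() for part in entry.split("="))
        if not es_name or not odw_name:
            raise ValueError(f"malformed entry {entry!r}: empty attribute name")
        # Exact (case-sensitive) comparison: FirstName and firstname are different attributes.
        if es_name in es_to_odw:
            raise ValueError(f"duplicate ES/RoPE attribute name {es_name!r}")
        if odw_name in odw_seen:
            raise ValueError(f"duplicate Data Warehouse attribute name {odw_name!r}")
        es_to_odw[es_name] = odw_name
        odw_seen.add(odw_name)
    return es_to_odw


def odw_lookup(mapping: str, provisioning_attributes: Iterable[str]) -> Dict[str, str]:
    """Which ODW attribute RoPE reads for each ES attribute.

    Empty mapping: every provisioning attribute is expected in the ODW under its ES name.
    Non-empty mapping: only the mapped attributes are looked up.
    """
    mapped = parse_reconciliation_map(mapping)
    if not mapped:
        return {name: name for name in provisioning_attributes}
    return mapped


def unmapped_provisioning_attributes(mapping: str, provisioning_attributes: Iterable[str]) -> List[str]:
    """Provisioning attributes a non-empty mapping leaves out, so RoPE will not look for them in the ODW."""
    mapped = parse_reconciliation_map(mapping)
    if not mapped:
        return []
    return sorted(set(provisioning_attributes) - set(mapped))


if __name__ == "__main__":
    sample = "FirstName=givenName;LastName=sn"   # constructed sample in the page's format
    print(parse_reconciliation_map(sample))
    # A mapping that forgets an attribute silently removes it from reconciliation:
    print(unmapped_provisioning_attributes(sample, ["FirstName", "LastName", "Mail"]))  # ['Mail']
```

The last function is the check worth running before saving a resource type: once a mapping string is present, any provisioning attribute it does not mention is no longer compared against the ODW, which is easy to miss when an attribute set is extended later.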

Add resource types: Fulfillment (MIM)

info

This section is relevant only for systems configured to use MIM as the fulfillment mechanism.

  1. In the MIM MA CS resource object type field, type the name of the object type under which calculated resources are shown in the MA.
  2. In the MIM MA CS assignment object type field, type the name of the object type under which calculated accounts and calculated resource assignments are shown in the MA.
  3. Select the Make members/membership information available in the sync engine? checkbox so that the sync engine receives the accounts that are members of the resource (if the resource is not an account) or the resources that the account is a member of (if the resource is an account).

Add resource types: other settings

  1. The Allow delegation checkbox allows identities with assignments to resources of this type to delegate them to someone else. The checkbox is not selected by default.
  2. The Allow child resources checkbox allows resources of this type to have child resources. This is mainly intended for resources that represent enterprise roles or application roles. The checkbox is not selected by default.
  3. In the Prevent self-service drop-down, select Yes if resources of this type should not be available for self-service access requests.
  4. In the Policy and risk checks field, choose the checks that should be executed for this resource type.

Editing resource types

You can also edit an existing resource type. In the Resource types dialog, select one of the existing resource types, and click Edit. This opens the Edit Resource type dialog box from which you can specify and edit the same settings that you can set when you add a new resource type.

For a full list of resource type settings and information on renaming resource types, see Resource types (Data model).

Add new resource folders (optional)

  1. To add a new resource folder, click New in the Resource folders overview.
  2. In the New Resource folder dialog box that opens, type a unique Name for the resource folder.
  3. Type a unique FolderID for the resource folder, using capital letters only.
  4. The Effective owner field is read-only. The Role and Policy Engine populates it with the effective owner derived from the users and user groups in the Manual owners field.
  5. Optionally, in the Manual owners field, click the lookup icon to select the owners of the resource folder and its resources.
  6. Optionally, in the Approval field, click the lookup icon to select the level(s) at which the approval should be set, for example, System owner or Context owner. You can select one or more levels that can approve.
  7. Optionally, in the Provisioner field, click the lookup icon to see a list of identities and, from there, choose an identity to be the provisioner. You can only choose one identity to be the provisioner for each resource folder.
  8. Optionally, in the Account types field, click the lookup icon to select one or more account types for which the resources in the folder are relevant. This setting can be overridden on individual resources.
  9. Optionally, in the Classifications field, click the lookup icon to see the list of classification tags and select a classification for the resource folder.
  10. Click OK to save the new resource folder and close the dialog box.

For a full list of resource folder settings, see Resource folders (Data model).

Add new resource: general settings

  1. To add a new resource, click New in the Resources overview. In the New Resource dialog box that opens, type a unique ResourceID for the resource, using capital letters only.
  2. Type a unique Name for the resource.
  3. Optionally, type a Description for the resource. This can also be powered by the AI Description Optimizer (Technical Preview feature) if enabled.
  4. In the Resource type field, click the lookup icon to select a resource type to associate with the resource. You can only select one resource type.
  5. In the System field, click the lookup icon to open the System dialog. Here, you can select a system to associate with the resource. You can only select one system.
  6. In the Resource folder field, click the lookup icon to select a resource folder to associate with the resource. You can only select one resource folder.
  7. The Effective owner field is read-only. The Role and Policy Engine populates it with the effective owner derived from the users and user groups in the Manual owners field.
  8. In the Manual owners field, click the lookup icon to select one or more owners of the resource.
  9. The Business key field allows you to add a business key for the created resource.
  10. Optionally, select one or more of the available checkboxes to specify a Classification for the resource. You can choose between Business Critical, System administration, and Privileged access.

Add new resource: Fulfillment

  1. Optionally, in the Provisioning depends on field, click the lookup icon to select another resource. Provisioning of the new resource is then delayed until that resource has been provisioned.
  2. To skip provisioning of assignments to this resource, select the Skip Provisioning checkbox. The setting is not enabled by default.

Add new resource: Status and validity

  1. In the Resource status menu, choose a status for the resource if this is relevant for you. You can choose: Inactive, Active, Obsolete, Disabled.
  2. In the fields Valid from and Valid to, select a relevant period of time for the resource to be valid if you want to limit the time when the resource is available.

Add new resource: Advanced

  1. In the Prevent self-service dropdown select Yes if you do not want this resource to be available for self-service access requests.
  2. In the Account types field, choose one or more account types for which the resource should be available. If you specify none, the account types are inherited from the resource folder.
  3. In the Business processes field, use the lookup icon to select the business processes the resource is used in. This information is used to define Segregation of Duties constraints at the business process level.
  4. The Risk score and Risk level fields show the risk that a given resource poses. The risk score of a permission resource is calculated as RiskScore(permission) = RiskScore(permission's system) + sum over tag categories of max(RiskScore(permission's tags in that category)). The risk score of a role resource is calculated as RiskScore(role) = max(RiskScore(role's children)). The risk level is derived from the risk score.
  5. In the Policy and risk checks field, you can choose checks that should be executed for this resource.
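The following Python block is an added example that implements the two risk score formulas from step 4 above; it is not Omada code. It goes slightly beyond the text by handling roles nested inside roles through recursion. The sample resources, their system and tag scores, the score for a role without children (0), and the risk-level thresholds are all constructed assumptions: the page states only that the level is derived from the score, not where the boundaries lie.

```python
"""Risk score of permission and role resources, following the two formulas on the page.

Added example, not Omada code. Tag scores, system scores and the risk-level
thresholds are constructed values; Omada's actual thresholds are not given on the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass
class Permission:
    name: str
    system_score: int                                    # RiskScore(permission's system)
    tag_scores: Dict[str, List[int]] = field(default_factory=dict)  # tag category -> scores of its tags


@dataclass
class Role:
    name: str
    children: List[Union["Role", Permission]] = field(default_factory=list)


Resource = Union[Role, Permission]


def risk_score(resource: Resource) -> int:
    if isinstance(resource, Permission):
        # RiskScore(permission) = RiskScore(system) + sum over categories of max(tag scores in category)
        per_category_max = (max(scores) for scores in resource.tag_scores.values() if scores)
        return resource.system_score + sum(per_category_max)
    # RiskScore(role) = max(RiskScore(children)); recursion covers roles nested in roles.
    # A role without children has nothing to take the max over; scoring it 0 is an assumption.
    return max((risk_score(child) for child in resource.children), default=0)


# Hypothetical thresholds (score floor, level), highest first; the page does not give real ones.
RISK_LEVELS: Tuple[Tuple[int, str], ...] = ((10, "High"), (5, "Medium"), (0, "Low"))


def risk_level(score: int) -> str:
    for floor, label in RISK_LEVELS:
        if score >= floor:
            return label
    return RISK_LEVELS[-1][1]


# Constructed sample resources
ADMIN_PERMISSION = Permission(
    "DB_ADMIN", system_score=3,
    tag_scores={"Classification": [2, 5], "Compliance": [4]},   # 3 + max(2, 5) + max(4) = 12
)
READ_PERMISSION = Permission("DB_READ", system_score=1, tag_scores={"Classification": [2]})  # 1 + 2 = 3
APP_ROLE = Role("DBA", [ADMIN_PERMISSION, READ_PERMISSION])        # max(12, 3) = 12
ENTERPRISE_ROLE = Role("IT_OPS", [APP_ROLE, READ_PERMISSION])      # max(12, 3) = 12

if __name__ == "__main__":
    for r in (ADMIN_PERMISSION, READ_PERMISSION, APP_ROLE, ENTERPRISE_ROLE):
        print(f"{r.name}: score={risk_score(r)} level={risk_level(risk_score(r))}")
```

Two properties of the formulas are worth noticing when reviewing a role design: within one tag category only the highest-scoring tag counts, so attaching several tags of the same category to a permission does not raise its score, and a role inherits the score of its single riskiest child, so adding low-risk permissions to a role never lowers its risk.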

For a full list of resource settings, see Resource properties (Data model).

For information on the AI Description Optimizer (Technical Preview feature), see AI Description Optimizer for resources (Data model).


Migrating resource types and ODW extension attributes

This section outlines the requirements for migrating resource types and their associated ODW extension attributes between systems.

To ensure a successful migration, the following requirements must be met:

  • Include extension attributes in the changeset:
    • The history tracking process does not create extension attributes automatically.
    • An extension attribute that is not included is not created in the target system and cannot be applied during import.
  • Ensure referenced attributes exist with matching UIDs:
    • Any attribute referenced by an extension attribute must already exist in the target system.
    • The referenced attribute must have the same UID as in the source system.
    • If the attribute is missing or the UID does not match, the extension attribute cannot be resolved, which can cause import failures or invalid references.

Adhering to these requirements ensures that resource types and their extension attributes are imported correctly and behave consistently in the target system.
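The preflight check below is an added example, not an Omada tool, that tests a planned changeset against the two requirements above before anything is imported. The dictionary shapes (resource types, their extension attributes, the base attribute each one references by name and UID, and the target system's attribute list) are constructed for illustration and do not represent Omada's changeset or export format; the UIDs and names are sample values.

```python
"""Preflight check for a changeset that migrates resource types and their ODW extension
attributes, covering the two requirements above.

Added example. The dictionary shapes below are constructed for illustration; they are not
Omada's changeset or export format.
"""
from typing import Dict, List

# Constructed: for each resource type, the extension attributes it uses in the SOURCE system.
# Each extension attribute references a base attribute by name and UID.
SOURCE_EXTENSION_ATTRIBUTES: Dict[str, List[Dict[str, str]]] = {
    "AD_GROUP": [
        {"name": "EXT_MAILBOXTYPE", "attr_name": "MailboxType", "attr_uid": "uid-0001"},
        {"name": "EXT_OWNERDEPT", "attr_name": "OwnerDepartment", "attr_uid": "uid-0002"},
    ],
    "SAP_ROLE": [
        {"name": "EXT_PROFILE", "attr_name": "SapProfile", "attr_uid": "uid-0003"},
        {"name": "EXT_CLIENT", "attr_name": "SapClient", "attr_uid": "uid-0004"},
    ],
}

# Constructed: what the changeset actually carries.
CHANGESET = {
    "resource_types": ["AD_GROUP", "SAP_ROLE"],
    # EXT_CLIENT was left out, so history tracking will not create it in the target.
    "extension_attributes": ["EXT_MAILBOXTYPE", "EXT_OWNERDEPT", "EXT_PROFILE"],
}

# Constructed: attributes already present in the TARGET system.
TARGET_ATTRIBUTES = [
    {"name": "MailboxType", "uid": "uid-0001"},      # matches the source UID
    {"name": "OwnerDepartment", "uid": "uid-9999"},  # same name, different UID
    # SapProfile is missing entirely
]


def preflight(changeset: dict, source_ext: Dict[str, List[Dict[str, str]]],
              target_attributes: List[Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means both requirements are met."""
    target_by_uid = {a["uid"]: a["name"] for a in target_attributes}
    target_by_name = {a["name"]: a["uid"] for a in target_attributes}
    shipped = set(changeset["extension_attributes"])
    problems: List[str] = []
    for rtype in changeset["resource_types"]:
        for ext in source_ext.get(rtype, []):
            # Requirement 1: the extension attribute itself must travel in the changeset.
            if ext["name"] not in shipped:
                problems.append(f"{rtype}/{ext['name']}: not in changeset, will not be created in target")
                continue
            # Requirement 2: the referenced attribute must exist in the target with the same UID.
            uid, name = ext["attr_uid"], ext["attr_name"]
            if uid in target_by_uid:
                continue
            if name in target_by_name:
                problems.append(f"{rtype}/{ext['name']}: referenced attribute {name} exists in target "
                                f"with UID {target_by_name[name]}, expected {uid}")
            else:
                problems.append(f"{rtype}/{ext['name']}: referenced attribute {name} ({uid}) missing in target")
    return problems


if __name__ == "__main__":
    for line in preflight(CHANGESET, SOURCE_EXTENSION_ATTRIBUTES, TARGET_ATTRIBUTES):
        print(line)
```

The check deliberately distinguishes a referenced attribute that is absent from one that exists under the same name with a different UID: the second case is the one that produces an import that appears to succeed but leaves the extension attribute pointing at an unresolvable reference.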