Assignment attributes
Calculated resource assignments, both CARAs and CPRAs, can have attribute values. The use of attributes typically falls in one of the following categories:
| Attribute category | Description |
|---|---|
| Account fields | For example, Email address or Mailbox limit, required by the target system. |
| Role parameters | For example, Approval amount limit. This category is used to add additional information for an assignment of, for example, an ERP role such as Approve purchase order to an identity. Role parameters can only be used when supported by the target system. |
| Information attributes | These attributes hold information that is only relevant inside and are not provisioned to the target system. An example could be Compliance status. |
The set of allowed attributes for a CRA is dictated by the attribute set that is specified on the resource type in the . An attribute definition is merely a wrapper for a property. In the RoPE's calculation data, an attribute is represented by the system name of the property, as opposed to the name of the attribute definition itself.
A RoPE assignment attribute has one of the following data types:
- Boolean
- DateTime
- Integer
- String
- Reference
The data type of a RoPE assignment attribute is imposed by the type of property, as described in the table below.
Note that not all types of properties are supported. A RoPE assignment attribute is always a multi-value attribute, regardless of whether the property supports multiple values or not.
| Property | RoPE attribute data type |
|---|---|
| Value property, data type Text | String |
| Value property, data type Integer | Integer |
| Value property, data type DateTime | DateTime |
| Value property, data type Decimal | Not supported |
| Value property, data type Boolean | Boolean |
| Value property, data type Hyperlink | Not supported |
| Value property, data type TimeSpan | Not supported |
| Value property, data type MultiLangText | Not supported |
| Value property, data type XML | Not supported |
| Reference property | String or Reference |
| Set property | String |
A reference property maps to either a string or a reference attribute. By default, it maps to a string attribute. You can change this by configuring the RoPE: Reference attributes customer setting.
An assignment attribute is only saved and stored if it has a value. If it does not have a value but had one at some point in the past, it is saved in all future calculations in order for RoPE to provide a proper delta for the provisioning layer.
Attribute values are automatically assigned from the involved objects of an assignment. If, for example, an attribute that is legal for a CRA is present in the Identity data object, then the value of the identity is assigned to the CRA. Assignments that only have an actual state are only assigned attribute values from the Data Warehouse.
The screen for configuring an attribute is shown below. You should only use a property as Definition for a single attribute. You should never specify a property system name on multiple attributes.
Use the Reference value format in the Access Request process to format a string value based on the data objects(s) that the user selects. The reference value format is only in use when the definition property is a reference property that maps to an attribute of the data type string. It is not in use if the definition property is a reference property that maps to an attribute of the data type reference.
