Duplicate assignments
RoPE only allows an identity to have a single CRA per system/resource/account name combination. Therefore, if an identity has two assignments for the same resource, RoPE merges them into one. An identity can, for example, have two assignments if there are two assignment policies that assign the same resource to it.
When RoPE merges two CRAs, the following happens:
- The earliest Valid From is used
- The latest Valid To is used
- If one of the CRAs is enabled, so is the result
- The attribute values are merged together
You can specify a differentiator for a CPRA in a custom RoPE extension. Doing so allows an identity to have more than one CPRA per system/resource/account name combination.
Differentiator concept
A calculated assignment can have a differentiator value. If present, it prevents the assignment from being merged with other calculated assignments that the identity has for the same system/resource/account name combination.
The reason for using the differentiator concept is that certain target systems allow the users/accounts to be assigned to the same resource multiple times. This is typically seen in systems that make use of attributes.
For example, in a quality management system, there is a role named View product information. When the role is assigned to a user, additional information is specified that defines which specific product the user can view information about.
The quality management system allows a user to have multiple assignments for the View product information role, each specifying different products.
For RoPE to represent this, you can apply the differentiator concept to prevent RoPE from merging multiple assignments for the View product information role.
To configure the standard Differentiator extension, refer to the Differentiator extension section in the RoPE Configuration Guide.
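The merge rules and the differentiator concept described above can be modelled as follows. This is an added example, not RoPE's own code or API: the CRA class, its field names, and the sample data are hypothetical, and "attribute values are merged together" is assumed to mean a per-attribute union of values.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class CRA:  # hypothetical model of a calculated resource assignment
    identity: str
    system: str
    resource: str
    account_name: str
    valid_from: date
    valid_to: date
    enabled: bool
    attributes: dict = field(default_factory=dict)  # attribute name -> set of values
    differentiator: Optional[str] = None


def merge_key(cra):
    # One CRA per identity and system/resource/account name combination;
    # a differentiator value, if present, keeps the CRA in its own group.
    return (cra.identity, cra.system, cra.resource, cra.account_name, cra.differentiator)


def merge_pair(a, b):
    attrs = {name: set(values) for name, values in a.attributes.items()}
    for name, values in b.attributes.items():
        attrs.setdefault(name, set()).update(values)  # assumption: per-attribute union
    return CRA(a.identity, a.system, a.resource, a.account_name,
               min(a.valid_from, b.valid_from),  # earliest Valid From
               max(a.valid_to, b.valid_to),      # latest Valid To
               a.enabled or b.enabled,           # enabled if either CRA is enabled
               attrs, a.differentiator)


def merge_assignments(cras):
    merged = {}
    for cra in cras:
        key = merge_key(cra)
        merged[key] = merge_pair(merged[key], cra) if key in merged else cra
    return list(merged.values())


def sample(differentiators=(None, None)):
    # Constructed data: two policies assign the same role to the same identity.
    role = ("jdoe", "QMS", "View product information", "jdoe")
    return [
        CRA(*role, date(2024, 1, 1), date(2024, 6, 30), True,
            {"Product": {"A"}}, differentiators[0]),
        CRA(*role, date(2024, 3, 1), date(2024, 12, 31), False,
            {"Product": {"B"}}, differentiators[1]),
    ]
```

Calling merge_assignments(sample()) yields a single enabled CRA covering the widest validity window with both product values, while merge_assignments(sample(("A", "B"))) keeps the two assignments separate, each with its own validity period and enabled state.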