Validity period and disabled status
RoPE calculates a validity period and disabled status for all CRAs.
Outside the validity period (measured from the time of calculation of the identity), the CRA is always disabled. However, when it's within the validity period, it can be enabled or disabled.
Deriving a validity period and disabled status
RoPE calculates the validity period for a CRA based on the objects that are involved in its creation. The involved objects always include the identity to which the CRA belongs and the resource being assigned. More objects may be involved, depending on the reason for the assignment. Some involved objects have a validity period and some have an explicit setting indicating that they should be regarded as disabled.
RoPE narrows down the validity period by using the largest valid from and the smallest valid to of the involved objects. Similarly, it narrows down the disabled status. If at least one of the involved objects is disabled, then the CRA is disabled as well.
If an identity is not active and the resource whose validity is being calculated is an account resource, the validity periods of any other objects involved in the calculation are disregarded if they do not intersect the identity's validity period.
If RoPE calculates a CRA and the current time is outside the validity period of the CRA, that is, before the validity period starts or after it ends, then the CRA is disabled or disregarded entirely, meaning it is omitted from the calculation result. Inside the validity period, the CRA can be either enabled or disabled.
Objects involved in all CRAs:
- Identity - derived from the Identity.IDENTITYSTATUS property. Disabled if the identity status is Terminated, Disabled, or Locked.
- Resource - derived from the Resource.RESOURCESTATUS property. Disabled if the resource status is Disabled or Deleted.
Based on the reason for an assignment, additional objects can be involved:
Reason | Additional involved object | Contributes a validity period | Contributes a disabled state |
---|---|---|---|
Direct | ResourceAssignment | Yes | Yes - derived from the ResourceAssignment.ROLEASSNSTATUS property. Disabled if the resource assignment status is Disabled, Locked, or Obsolete. |
Policy | AssignmentPolicy | Yes | No |
Direct, Policy | Context - for a CRA that is created due to an access request, the selected business context (if available) is considered. For a CRA that is created due to an assignment policy, the scoped business context(s) are considered (if available). | Yes | No |
ChildResource, ImplicitChild | ParentAssignment | No | No |
ActualDirect, ActualIndirect | ActualAssignment | Yes | Yes |
UnconfirmedActual | ProvisioningClaim | Yes | Yes |
ReviewOK | ApprovedAssignment | Yes | No |
If the reason for an assignment is either Direct or Policy, the identity's membership period in the business context (the context selected in the access request, or the context used to scope the policy) is considered as well.
Validity inheriting scenario
RoPE calculates the Validity period of a CRA based on the Validity periods of all the objects involved in the creation of this CRA.
For a single CRA, the validity period is the common part of the validity periods of the objects involved in it. For example, for a CRA that is the outcome of an access request, these objects are the Identity, the requested Resource, and the ResourceAssignment.
Suppose the Resource is valid from April 1, 2017 and the ResourceAssignment is valid to May 31, 2017, while the Identity's validity period and the remaining bounds are wider than that. The validity period of the CRA is then April 1, 2017 to May 31, 2017: the latest Valid from date, April 1, is inherited from the Resource, and the earliest Valid to date, May 31, is derived from the Resource Assignment.
If an identity has two or more CRAs for the same resource, RoPE merges them into one CRA during the calculation of the identity. The merged CRA is valid whenever at least one of the merged CRAs is valid, so RoPE uses the earliest of the ValidFrom dates and the latest of the ValidTo dates on the merged CRA.
For example, consider a CRA with reason Policy whose validity period starts on March 1, 2017 and a CRA with reason Direct whose validity period ends on June 30, 2017, both for the same resource.
The merged CRA is valid from March 1, 2017 to June 30, 2017, because both the Assignment Policy and the Resource Assignment are valid reasons for the CRA.
Both the Assignment Policy and the Resource Assignment validity periods fall inside the validity period of the Identity, so the validity of the merged CRA is not limited by the Identity's validity.
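The following Python model, added here as an illustration and not code from RoPE or the Omada product, implements the two rules described on this page: narrowing a single CRA to the common part of its involved objects' validity periods and disabled states (with the per-object contribution flags from the table above), and merging several CRAs for the same resource into one. It reproduces both dated examples from this section on constructed data. The object names, the `contributes_*` flags, and the way the disabled flags of merged CRAs are combined are assumptions of this example; the page does not specify the last of these, and the special handling of account resources for inactive identities is not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Status values that mark an involved object as disabled (taken from the page).
IDENTITY_DISABLED = {"Terminated", "Disabled", "Locked"}
RESOURCE_DISABLED = {"Disabled", "Deleted"}
ASSIGNMENT_DISABLED = {"Disabled", "Locked", "Obsolete"}


@dataclass(frozen=True)
class Involved:
    """An object taking part in a CRA. A None bound means 'unbounded'. The two
    flags mirror the 'Validity period' / 'Disabled state' table columns."""
    kind: str
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None
    disabled: bool = False
    contributes_validity: bool = True
    contributes_disabled: bool = True


def identity(status, valid_from=None, valid_to=None):
    return Involved("Identity", valid_from, valid_to, status in IDENTITY_DISABLED)


def resource(status, valid_from=None, valid_to=None):
    return Involved("Resource", valid_from, valid_to, status in RESOURCE_DISABLED)


def resource_assignment(status, valid_from=None, valid_to=None):
    return Involved("ResourceAssignment", valid_from, valid_to, status in ASSIGNMENT_DISABLED)


def assignment_policy(valid_from=None, valid_to=None):
    # A policy narrows the validity period but never contributes a disabled state.
    return Involved("AssignmentPolicy", valid_from, valid_to, contributes_disabled=False)


def parent_assignment():
    # ChildResource / ImplicitChild: the parent assignment contributes neither.
    return Involved("ParentAssignment", contributes_validity=False, contributes_disabled=False)


@dataclass
class CRA:
    resource: str
    reasons: List[str]
    valid_from: Optional[date]
    valid_to: Optional[date]
    disabled: bool


def derive_cra(resource_name, reason, involved, today):
    """Single CRA: latest Valid from and earliest Valid to of the contributing
    objects; disabled if any contributing object is. Returns None when 'today'
    is outside the period, i.e. the CRA is disregarded (omitted from the result)."""
    froms = [o.valid_from for o in involved if o.contributes_validity and o.valid_from]
    tos = [o.valid_to for o in involved if o.contributes_validity and o.valid_to]
    valid_from = max(froms) if froms else None
    valid_to = min(tos) if tos else None
    if (valid_from is not None and today < valid_from) or (valid_to is not None and today > valid_to):
        return None
    disabled = any(o.disabled for o in involved if o.contributes_disabled)
    return CRA(resource_name, [reason], valid_from, valid_to, disabled)


def merge_cras(cras):
    """Two or more CRAs for the same resource: earliest Valid from, latest Valid
    to, so the merged CRA is valid whenever at least one reason is. An unbounded
    side on any input keeps the merged side unbounded."""
    if len({c.resource for c in cras}) != 1:
        raise ValueError("only CRAs for the same resource are merged")
    froms = [c.valid_from for c in cras]
    tos = [c.valid_to for c in cras]
    return CRA(
        cras[0].resource,
        [r for c in cras for r in c.reasons],
        None if None in froms else min(froms),
        None if None in tos else max(tos),
        # Assumption: the page does not say how disabled flags are merged; here
        # the merged CRA is disabled only if every merged CRA is disabled.
        all(c.disabled for c in cras),
    )


def page_examples(today=date(2017, 4, 15)):
    """Constructed data reproducing the page's two worked examples."""
    ident = identity("Active", date(2017, 1, 1), date(2017, 12, 31))
    # Example 1: Resource valid from April 1, ResourceAssignment valid to May 31.
    single = derive_cra("App", "Direct", [ident, resource("Active", valid_from=date(2017, 4, 1)),
                        resource_assignment("Active", valid_to=date(2017, 5, 31))], today)
    # Example 2: Policy CRA from March 1, Direct CRA to June 30, unbounded Resource.
    res = resource("Active")
    policy_cra = derive_cra("App", "Policy", [ident, res,
                            assignment_policy(date(2017, 3, 1), date(2017, 5, 31))], today)
    direct_cra = derive_cra("App", "Direct", [ident, res,
                            resource_assignment("Active", date(2017, 4, 1), date(2017, 6, 30))], today)
    return {"single": single, "merged": merge_cras([policy_cra, direct_cra])}


if __name__ == "__main__":
    for name, cra in page_examples().items():
        print(name, cra.valid_from, cra.valid_to, cra.reasons, "disabled" if cra.disabled else "enabled")
```

Running the module prints April 1 to May 31 for the single CRA and March 1 to June 30 for the merged one. Calling `page_examples` with a `today` after May 31, 2017 makes `derive_cra` return None for the first example, which is the "disregarded" outcome described above, and passing a Locked or Terminated status to `identity` flips the resulting CRA to disabled without changing its validity period.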