Unresolved identity
In Omada Identity, all accounts should be associated with an identity.
This rule does not apply to technical identities. They will be described in the Technical users in Omada Identity (Governance enabled) section below.
If an account is not related to an identity, it is typically considered an orphan account. Orphan accounts are accounts without any owner or manager. This can occur, for example, when an employee leaves the company but their account is not deleted.
To handle orphan accounts, the system offers the Unresolved identity feature.
The Unresolved identity is a special built-in identity assigned by Omada as the owner of all accounts that cannot be paired with an identity through account join rules, and have not been paired with an identity through an account ownership survey.
The Unresolved identity is not a regular identity, and because of that, it has special features:
- The account type model does not apply to it. This means that such an identity is not limited to having only one account assignment per system per account type.
- RoPE treats the Unresolved identity differently from regular identities. You can find full information in the Irregular identities section of RoPE – Accounts.
The Unresolved identity is assigned to all orphan accounts as well as all permissions for orphan accounts in the Governance for Omada Identity feature.
Once you have calculated the Unresolved identity, you can initiate the Account Ownership review survey to validate the system's compliance. The survey helps to assign orphan accounts to an identity and to validate that there are no orphan accounts and no unapproved assignments. If the system remains non-compliant, appropriate assignment policies and access requests can be created to achieve the desired state.
Technical users in Omada Identity (Governance enabled)
In Omada Identity, there are some special accounts that are not considered orphan accounts if Governance for Omada Identity is enabled and they are not related to an identity. For example, the Omada service user or the Administrator are technical user accounts that are created automatically during the installation of the Omada Identity solution. They are used by the system to perform various tasks such as managing system settings, running scheduled tasks, and communicating with external systems.
As those accounts are not considered orphan accounts (despite not being associated with an identity), the system is designed to handle those accounts separately from regular user accounts, so they are not included in the Unresolved identity calculations or the Account Ownership review survey.
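The ownership logic described above (join rules first, then survey answers, then the Unresolved identity, with technical users left out when Governance is enabled, and the per-system, per-account-type limit that applies only to regular identities) as a small runnable model. This is an added illustration, not Omada code: the join rule (equality on an employee id attribute), the account and identity records, the survey answers and the `UNRESOLVED` identifier are all constructed assumptions.

```python
"""Toy model of orphan-account resolution onto the Unresolved identity.

Added example, not Omada Identity code. All records, the join rule and the
"UNRESOLVED" identifier are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNRESOLVED = "UNRESOLVED"  # assumed placeholder id for the built-in identity

# Technical user accounts named on the page; not orphans when Governance is enabled
TECHNICAL_ACCOUNTS = {
    ("Omada Identity", "Omada service user"),
    ("Omada Identity", "Administrator"),
}


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    account_type: str
    employee_id: Optional[str]  # attribute the assumed join rule matches on


@dataclass(frozen=True)
class Identity:
    identity_id: str
    employee_id: str
    active: bool = True


def join_by_employee_id(account: Account, identities: List[Identity]) -> Optional[str]:
    """Assumed account join rule: match on employee id, active identities only."""
    if account.employee_id is None:
        return None
    for ident in identities:
        if ident.active and ident.employee_id == account.employee_id:
            return ident.identity_id
    return None


def resolve_owners(accounts, identities, survey_answers, governance_enabled=True) -> Dict[Account, str]:
    """Map each account to its owner: join rule, then survey answer, else UNRESOLVED.
    Technical accounts are skipped entirely when governance is enabled."""
    owners: Dict[Account, str] = {}
    for acc in accounts:
        if governance_enabled and (acc.system, acc.name) in TECHNICAL_ACCOUNTS:
            continue
        owner = join_by_employee_id(acc, identities)
        if owner is None:
            owner = survey_answers.get((acc.system, acc.name))
        owners[acc] = owner if owner else UNRESOLVED
    return owners


def account_type_violations(owners: Dict[Account, str]) -> List[Tuple[str, str, str]]:
    """A regular identity may hold one account per system per account type;
    the Unresolved identity is exempt from that model."""
    seen = set()
    violations = []
    for acc, owner in owners.items():
        if owner == UNRESOLVED:
            continue
        key = (owner, acc.system, acc.account_type)
        if key in seen:
            violations.append(key)
        seen.add(key)
    return violations


# Constructed sample data
IDENTITIES = [
    Identity("ID-ALICE", "E100"),
    Identity("ID-BOB", "E200", active=False),  # Bob has left the company
]
ACCOUNTS = [
    Account("AD", "alice", "User", "E100"),
    Account("AD", "alice_admin", "User", "E100"),  # second User account on AD
    Account("AD", "bob", "User", "E200"),          # identity inactive -> orphan
    Account("AD", "carol", "User", "E300"),        # no identity at all -> orphan
    Account("AD", "svc_backup", "Service", None),  # resolved by the survey
    Account("Omada Identity", "Omada service user", "Technical", None),
    Account("Omada Identity", "Administrator", "Technical", None),
]
SURVEY_ANSWERS = {("AD", "svc_backup"): "ID-ALICE"}


def demo():
    owners = resolve_owners(ACCOUNTS, IDENTITIES, SURVEY_ANSWERS)
    orphans = sorted(a.name for a, o in owners.items() if o == UNRESOLVED)
    return owners, orphans, account_type_violations(owners)


if __name__ == "__main__":
    owners, orphans, violations = demo()
    for acc, owner in owners.items():
        print(f"{acc.system}/{acc.name}: {owner}")
    print("orphans:", orphans)
    print("account type violations:", violations)
```

Running it shows the two Unresolved accounts (bob and carol) both being AD User accounts without triggering a violation, while Alice's second AD User account is reported, and the two technical accounts never enter the calculation.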
Configuration
The behavior for the Unresolved identity can be configured in the RoPE configuration file:
- Skip queuing unresolved: The `skipQueuingUnresolved` setting is a configuration option that controls whether the Unresolved identity should be queued for calculation or not. If this setting is set to True, the RoPE instance will skip queuing the Unresolved identity due to master data changes or due to periodic queuing. Check the Performance risks section for more information about why this setting can be useful.
- RoPE extension: RoPE has a specific extension to configure the attributes that can be updated for the Unresolved identity. It is the `Unresolved identity account attribute remover` extension, and it is useful when you want to prevent certain attributes from being updated for this special identity. You can find full information about this extension in the Unresolved identity account attribute remover section of RoPE – Standard extensions.
Performance risks
There are potential performance risks associated with calculating the Unresolved identity, especially if there are many orphan accounts and assignments. If this is the case, the operation may result in a prolonged time of calculations or, in the worst case scenario, it may prevent other calculations from being completed.
To avoid this, there are some configurations that can be made to improve the performance and/or avoid this issue in RoPE:
- Skip queuing unresolved: In the RoPE configuration file, there is a setting called `skipQueuingUnresolved` that controls whether the Unresolved identity should be queued for calculation or not. By setting `skipQueuingUnresolved` to True, you can avoid this potentially time-consuming calculation and improve the performance of RoPE.
- Distribute the workload across RoPE instances: If there are three or more RoPE instances, it is possible to nominate one of the instances to be responsible for calculating the Unresolved identity. The low priority instance should have `calculateUnresolved` set to True and the others set to False. See a full configuration example in the Distribute the workload across RoPE instances section of RoPE – Queuing.
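A consistency check for the two settings discussed in the Configuration and Performance risks sections, added here as an example and not part of Omada's tooling. It takes the `skipQueuingUnresolved` and `calculateUnresolved` values collected from each instance's RoPE configuration file and flags the layouts the text warns against: more than one (or no) instance nominated to calculate the Unresolved identity, and every instance skipping queuing so that master data changes and periodic queuing never queue it. The list-of-dicts layout and instance names are assumptions.

```python
"""Check calculateUnresolved / skipQueuingUnresolved across RoPE instances.

Added example, not Omada tooling. The instance records are constructed; how
you read the values from each RoPE configuration file is up to you.
"""
from typing import Dict, List


def check_rope_instances(instances: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means the layout is consistent.

    Each instance is {"name": str, "calculateUnresolved": bool, "skipQueuingUnresolved": bool}.
    """
    findings = []
    calculators = [i["name"] for i in instances if i["calculateUnresolved"]]

    # The page nominates exactly one instance to calculate the Unresolved identity.
    if len(calculators) == 0:
        findings.append(
            "no instance has calculateUnresolved=True; "
            "the Unresolved identity will not be calculated"
        )
    elif len(calculators) > 1:
        findings.append(
            "more than one instance has calculateUnresolved=True: "
            + ", ".join(calculators)
        )

    # skipQueuingUnresolved=True suppresses queuing from master data changes and
    # periodic queuing; if every instance skips, nothing ever queues it that way.
    if instances and all(i["skipQueuingUnresolved"] for i in instances):
        findings.append(
            "every instance has skipQueuingUnresolved=True; master data changes "
            "and periodic queuing will never queue the Unresolved identity"
        )
    return findings


# Constructed sample layouts (three instances, as the page's distribution case assumes)
GOOD = [
    {"name": "rope-low", "calculateUnresolved": True, "skipQueuingUnresolved": False},
    {"name": "rope-2", "calculateUnresolved": False, "skipQueuingUnresolved": True},
    {"name": "rope-3", "calculateUnresolved": False, "skipQueuingUnresolved": True},
]
TWO_NOMINATED = [dict(i, calculateUnresolved=(i["name"] != "rope-3")) for i in GOOD]
NONE_NOMINATED = [dict(i, calculateUnresolved=False) for i in GOOD]
ALL_SKIP = [dict(i, skipQueuingUnresolved=True) for i in GOOD]


if __name__ == "__main__":
    for label, layout in [("good", GOOD), ("two nominated", TWO_NOMINATED),
                          ("none nominated", NONE_NOMINATED), ("all skip", ALL_SKIP)]:
        print(label, "->", check_rope_instances(layout) or "ok")
```

The check is deliberately read-only: it reports the layout so an operator can decide which instance should carry the Unresolved identity calculation, rather than rewriting any configuration file.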