Version: Cloud

Provisioning status

When RoPE processes an identity, it computes a provisioning status for each of the identity’s account and permission assignments.

RoPE uses the provisioning status of an assignment to determine whether it should issue a new provisioning job (either as a manual provisioning task or as an OPS task) to align the assignment's desired state and actual state.

RoPE assigns a provisioning status to each calculated assignment; the status is stored in the ProvisioningStatus attribute.

The provisioning status is derived from the assignment reasons of the calculated resource assignment, each of which is associated with either the desired state or the actual state. Also, an assignment's attribute values and whether or not the assignment is disabled can affect the status.

Provisioning status values

The provisioning status can have one of the values listed below:

OK (OK)

No provisioning/deprovisioning/update needs to take place, and we have received a confirmation from the Warehouse (if applicable) that it is in fact so.

For an assignment to be OK, one or more of the following must be true:

  • The assignment in the target system corresponds to how it appears in Omada Identity (it has a desired state as well as an actual state reason). If attribute reconciliation is enabled on the resource type, this state includes attribute values relevant for provisioning.
  • The assignment is for an application role or enterprise role, and all its child resources are OK.
  • Provisioning is not enabled because the system (which the resource belongs to) is configured with Provisioning Type None or the assigned resource is configured to skip provisioning.
  • The assignment is an account that would otherwise be Pending Deprovisioning (because it is "managed" and doesn't have a desired state reason), but because the system doesn't support account deletion, and the account is disabled in the target system, the status instead becomes OK.
  • In cases where there was no direct reason, and a provisioning claim has a status other than Done.
  • In cases where there was no direct reason, solely based on the presence of a Deprovisioning Failed claim.

Pending Provisioning (PendingProv)

The assignment is pending being provisioned (created) in the target system.

For an assignment to be Pending Provisioning, one or more of the following must be true:

  • The assignment is not represented in the Warehouse, and there is no provisioning claim for it.
  • The assignment must not depend on (and wait for) another assignment to be provisioned first.

Also, the following may be true:

  • The assignment is for an application role or enterprise role, and one or more of its child resources is Pending Provisioning.

Pending Update (PendingUpdate)

The assignment is pending being updated in the target system. An update could, for example, have the purpose of changing the disabled state of an account in the target system.

For an assignment to be Pending Update, one or more of the following must be true:

  • The value of a mapped attribute relevant for provisioning differs between Omada Identity and the target system representation (in the Warehouse or a recent provisioning claim). Attribute reconciliation must be enabled on the resource type.
  • The value of an unmapped attribute relevant for provisioning has changed in Omada Identity compared to the previous computation, and attribute reconciliation is enabled on the resource type.
  • The disabled flag of the assignment differs between Omada Identity and the target system.
  • The assignment is an account that would otherwise be Pending Deprovisioning (because it is "managed" and doesn't have a desired state reason), but because the system doesn't support account deletion, and the account is enabled in the target system, the status instead becomes Pending Update.

Pending Deprovisioning (PendingDeprov)

The assignment is pending being deprovisioned (deleted) in the target system.

For an assignment to be Pending Deprovisioning, all the following must be true:

  • The assignment must be represented in the Warehouse, or a provisioning claim for it must exist.
  • The assignment must not depend on (and wait for) another assignment to be deprovisioned first.
  • If the assignment is an account, then the system must support the deletion of accounts.

Also, the following may be true:

  • The assignment is for a permission, and it is disabled in Omada Identity.
  • The assignment is an account, and it has been removed in a survey.
  • The assignment is "managed," and it doesn't have a desired state reason.
  • The assignment is for an application role or enterprise role, and one or more of its child resources is Pending Deprovisioning.

OK (Pending Confirmation) (OKPendingConfirmation)

No provisioning/deprovisioning/update needs to take place. However, we have not received a confirmation yet (from the Warehouse) that it has taken place.

For an assignment to be OK (Pending Confirmation):

  • Omada Identity has concluded that no provisioning/deprovisioning/update needs to take place in the target system. However, RoPE hasn't yet received a confirmation (from the Warehouse) that it has taken place.
  • Also, Omada Identity is configured to await fulfillment confirmation from the Warehouse.
  • If the assignment is for an application role or enterprise role, then the status means that one or more of its child resources are OK (Pending Confirmation).

Note: This state can be skipped in the flow under certain circumstances. For example, if you disable provisioning for a resource data object, the provisioning status is set directly to OK. Likewise, if a provisioning task fails because the object already exists in the target system, the status is set to Failed and then changes to OK after the next import.

Relayed (Relayed)

Provisioning has been relayed to an external ITSM (or similar) system. We are awaiting a confirmation that it has been completed.

For an assignment to be Relayed:

  • The assignment is not represented in the Warehouse.
  • The assignment must not depend on (and wait for) another assignment to be provisioned first.
  • The assignment is picked by the relay connector and sent to an external system for provisioning.

Failed (Failed)

Provisioning could not be completed due to, for example, a licensing issue or long-lasting network outage.

For the assignment to be Failed:

  • The assignment is picked by the relay connector and sent to an external system for provisioning.

Also, one or more of the following must be true:

  • The external provisioning system refused to perform the assignment.
  • Omada Identity has not received confirmation from the external provisioning system that the assignment was completed.
  • After several retries, the OPS was unable to perform an assignment.

Delayed Provisioning (DelayedProv)

The assignment should be provisioned, but it is delayed because another assignment needs to be provisioned first.

For an assignment to be Delayed Provisioning, the following must be true:

  • The assignment meets the requirements for the Pending Provisioning status.

Also, one or more of the following must be true:

  • The assignment is for a permission resource, and it belongs to an account that has not yet been provisioned.
  • The assignment is for a resource that depends on the provisioning of another resource.

Delayed Deprovisioning (DelayedDeprov)

The assignment should be deprovisioned, but it is delayed because another assignment needs to be deprovisioned first.

For an assignment to be Delayed Deprovisioning, all of the following must be true:

  • The assignment meets the requirements for the Pending Deprovisioning status.
  • The assignment is for a resource that depends on the deprovisioning of another resource.

Pending Deprovisioning Confirmation (PendingDeprovConfirmation)

The assignment is claimed to have been deprovisioned (deleted), but we have not received a confirmation of it from the Warehouse yet.

For an assignment to be Pending Deprovisioning Confirmation, all of the following must be true:

  • A deprovisioning claim has been issued.
  • It has not yet been confirmed by a Warehouse import that the assignment has been deprovisioned in the target system.

Deprovisioning Failed (DeprovFailed)

Deprovisioning could not be completed due to, for example, a long-lasting network outage.

For an assignment to be Deprovisioning Failed, all of the following must be true:

  • The assignment must be represented in the Warehouse, or a provisioning claim for it must exist.
  • The assignment must not depend on (and wait for) another assignment to be deprovisioned first.
  • If the assignment is an account, then the system must support the deletion of accounts.

Also, one of the following must be true:

  • Omada Identity has not received confirmation from the external provisioning system that the deprovisioning was completed.
  • After several retries, the OPS was unable to perform deprovisioning.

Moreover, the following may be true:

  • The assignment is for a permission, and it is disabled in Omada Identity.
  • The assignment is an account, and it has been removed in a survey.
  • The assignment is "managed," and it doesn't have a desired state reason.

? (NotSet)

This provisioning status value is only used temporarily during computation and should never be assigned to an assignment.

Factors affecting the provisioning status

Several configuration settings affect the computation of the provisioning status of an assignment. Each factor is described below.

Enable provisioning on the system level

On a System data object, the type of provisioning can be selected for account assignments and permission assignments. If the provisioning type is None, then the provisioning status for assignments to resources belonging to the system will always be OK.

System support for deletion of accounts

On a System data object, it can be indicated that the target system does not support deletion of accounts. If the Account deletion unsupported option is turned on, the provisioning status for assignments to resources belonging to the system will never be Pending Deprovisioning.

Attribute level reconciliation

On a Resource Type data object, it can be configured to Reconcile on attribute level. The setting is used together with the Reconciliation attributes map setting.

When the Reconciliation option is applied, RoPE will compare the attribute values in the target system (as they are represented in the Omada Identity Warehouse or a provisioning claim) with the desired attribute values in Omada Identity (by using the Reconciliation attributes map). If there is a discrepancy, the assignment will get the status Pending Update.

Managed vs. unmanaged assignments

RoPE considers an assignment as being managed if either:

  • It is indicated on the resource type that all assignments are managed, OR
  • The assignment has (or used to have, in any previous calculation) at least one desired state assignment reason.

Being managed means that an assignment will be deprovisioned if, at some point, it has no desired state reason.

Omit provisioning and dependent provisioning on individual resources

On a Resource data object, it can be configured that assignments to the resource should never be provisioned by ticking the Skip provisioning checkbox. When ticked, the provisioning status for assignments to the resource will always be OK.

This configuration may be useful, for example, for Domain Users in an Active Directory system, which is managed by Active Directory itself.

Resource data objects and Resource folder data objects include a setting called Provisioning depends on that refers to a resource. Calculated resource assignments (CRAs) to the first resource depend on the provisioning of the referred resource.

CRAs whose provisioning depends on another resource are not provisioned until the referred resource has been provisioned.

If both the resource data object and the resource folder data object refer to a resource in the Provisioning depends on property, the value of the resource data object overrules the value of the Resource folder.

Await fulfillment confirmation from the Warehouse?

A customer setting controls whether RoPE should await a fulfillment confirmation from the Warehouse before setting the provisioning status to OK. If so, the provisioning status for an assignment will be OK (Pending Confirmation) until a Warehouse import confirms the fulfillment.
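
The settings described so far can be read together as one decision flow. The Python sketch below is an added example, not Omada's code: the class names, field names and evaluation order are assumptions, and it models only OK, OKPendingConfirmation, PendingProv, DelayedProv, PendingUpdate, PendingDeprov and DelayedDeprov, leaving out the claim-driven statuses (Relayed, Failed, PendingDeprovConfirmation, DeprovFailed) and role assignments.

```python
from dataclasses import dataclass

@dataclass
class Config:  # hypothetical container for the settings named on this page
    provisioning_type_none: bool = False        # System: Provisioning Type None
    skip_provisioning: bool = False             # Resource: Skip provisioning
    account_deletion_unsupported: bool = False  # System: Account deletion unsupported
    reconcile_attributes: bool = False          # Resource type: Reconcile on attribute level
    await_confirmation: bool = True             # customer setting

@dataclass
class Assignment:  # hypothetical view of one calculated assignment
    is_account: bool
    has_desired_reason: bool          # a desired state reason exists
    in_warehouse: bool                # actual state seen in a Warehouse import
    has_claim: bool = False           # a provisioning claim exists
    managed: bool = True
    disabled_in_target: bool = False
    disabled_flag_differs: bool = False
    attrs_differ: bool = False        # mapped attribute values differ
    waits_on_dependency: bool = False

def provisioning_status(a: Assignment, cfg: Config) -> str:
    # Provisioning Type None or Skip provisioning: the status is always OK.
    if cfg.provisioning_type_none or cfg.skip_provisioning:
        return "OK"
    present = a.in_warehouse or a.has_claim
    if a.has_desired_reason:
        if not present:
            return "DelayedProv" if a.waits_on_dependency else "PendingProv"
        if (cfg.reconcile_attributes and a.attrs_differ) or a.disabled_flag_differs:
            return "PendingUpdate"
        # Only a claim so far: wait for the Warehouse import if configured to.
        if not a.in_warehouse and cfg.await_confirmation:
            return "OKPendingConfirmation"
        return "OK"
    if present and a.managed:
        # Managed with no desired state reason: deprovision, unless the system
        # cannot delete accounts, in which case the account is disabled instead.
        if a.is_account and cfg.account_deletion_unsupported:
            return "OK" if a.disabled_in_target else "PendingUpdate"
        return "DelayedDeprov" if a.waits_on_dependency else "PendingDeprov"
    # Assumption: the page does not state a status for unmanaged or absent
    # assignments without a desired state reason; this sketch reports OK.
    return "OK"
```

With Provisioning Type None or Skip provisioning, an assignment that has no desired state reason still reports OK, so on such systems an OK status says nothing about whether the access is still wanted.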

Claim expiration times

On a System data object, the expiration time of provisioning claims can be set for account assignments and permission assignments. This time defines how long RoPE waits before issuing a new provisioning task to mitigate the differences between the actual and desired states, that is, before RoPE performs the reconciliation.

If a system is using Relayed provisioning, the provisioning claim expiration time should be set to a number of days higher than the default 2 days, for example, 10 days, to allow the external provisioning system to complete the task and send a response to Omada Identity.

If the provisioning claim has the status Failed, a separate expiration time should be set. By default, failed provisioning claims should never expire, which means the time should be set to -1.

You can also set the value -1 for non-failed provisioning claims so that the claim never expires. The value of -1 should be used in offline systems where you do not expect further updates on the assignment from the Warehouse. In addition, the provisioning status of such an assignment is set to OK instead of OK (Pending Confirmation).

Info: The provisioning status for an application role or enterprise role assignment is affected by the provisioning status of its child resource assignments:

  • If the role has a child resource assignment with the status Pending Provisioning (and the role assignment is not disabled), then the status of the role becomes Pending Provisioning.
  • Else, if the role has a child resource assignment with the status Pending Deprovisioning (and the role assignment is disabled), then the status of the role becomes Pending Deprovisioning.
  • Else, if the role has a child resource assignment with status OK (Pending Confirmation), then the status of the role becomes OK (Pending Confirmation).

Inspection of provisioning status of an assignment

The provisioning status of an assignment can, for example, be inspected in the Calculated assignments explorer in the Omada Identity portal.

The status is stored in the attribute named PROVISSTATUS. PROVISSTATUS only has a value if the ProvisioningStatusCalculator RoPE extension is applied (which it is by default). Note that even if the extension is not applied, RoPE still internally computes status values when it needs to determine whether provisioning tasks need to be created.