Version: Cloud

Compliance status

RoPE calculates a compliance status for all calculated assignments. The compliance status indicates if an assignment is under control, meaning that it has been either explicitly or implicitly approved. The compliance status is visible in all places where RoPE calculated assignments are shown, including the Omada Identity Data Warehouse reports.

The table below gives an overview of the compliance status values:

| Status | Description |
| --- | --- |
| Explicitly Approved | CRA is the outcome of a direct assignment, it has been approved in a verdict survey, or it inherits the status from the assignment for the role in which it is contained. |
| Implicitly Approved | CRA is the outcome of an assignment policy or it is a child of an assigned enterprise role. |
| Not Approved | CRA only exists in the target system. There is no desired state for it. |
| Orphan Assignment | CRA belongs to the unresolved identity or the Data Warehouse is uncertain of its ownership. |
| Pending Deprovisioning | CRA is waiting to be deprovisioned. |
| In Violation | CRA violates a constraint which, however, has not caused it to be disabled because a pending evaluation procedure exists for the violation. Note: For limitations on how auto accounts are handled during constraint evaluation, see the Constraint evaluation note under the table. |
| Implicitly Assigned | An implicitly assigned enterprise or application role, which is not in violation of the defined policies. Implicit assignments are created for enterprise and application roles if RoPE detects that an identity is assigned to all the contents of the role, but not the role itself. This is to allow SoD constraints to be defined on the enterprise or application role level, as well as to enable easier reviews. |
| None | Cannot express a meaningful compliance status for the assignment. For example, a CRA that is disabled, and has no actual state reasons, has the status None because it is irrelevant from the compliance perspective. |

Constraint evaluation

Constraint evaluation is the final step in the RoPE calculation process before the results are saved. It is performed only after all assignments (including auto account assignments) have been added to the calculated assignments.

During this step, the system checks for child assignments of the assignments that are in violation. However, it does not evaluate auto account assignments that were added as a result of resource assignments.

Workaround

A potential workaround is to make the account assignment a child resource of the resource that has constraints, though this can cause issues if other resources depend on the same account.

As a general rule, however, the current RoPE design does not support disabling auto account resources when their associated resources violate constraints.
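
Because auto account assignments are skipped during constraint evaluation, a periodic review can list accounts that stay active while a resource that depends on them is In Violation. The following is an added example, not Omada code: the record layout and field names (`kind`, `account`) and the sample data are constructed assumptions, not the Data Warehouse schema.

```python
from collections import defaultdict

# Constructed sample export; field names are hypothetical, not Omada's schema.
ASSIGNMENTS = [
    {"identity": "alice", "resource": "SAP-Finance-Post", "kind": "resource",
     "status": "In Violation", "account": "SAP-Account"},
    {"identity": "alice", "resource": "SAP-Account", "kind": "auto_account",
     "status": "Implicitly Approved", "account": None},
    {"identity": "bob", "resource": "SAP-Finance-Post", "kind": "resource",
     "status": "In Violation", "account": "SAP-Account"},
    {"identity": "bob", "resource": "SAP-Report-View", "kind": "resource",
     "status": "Explicitly Approved", "account": "SAP-Account"},
    {"identity": "bob", "resource": "SAP-Account", "kind": "auto_account",
     "status": "Implicitly Approved", "account": None},
    {"identity": "carol", "resource": "AD-Share-Read", "kind": "resource",
     "status": "Explicitly Approved", "account": "AD-Account"},
    {"identity": "carol", "resource": "AD-Account", "kind": "auto_account",
     "status": "Implicitly Approved", "account": None},
]

def unevaluated_auto_accounts(assignments):
    """List auto accounts left active although a dependent resource is In Violation."""
    # (identity, account) -> [(resource, status)] for resources that need the account
    dependents = defaultdict(list)
    for a in assignments:
        if a["kind"] == "resource" and a["account"]:
            dependents[(a["identity"], a["account"])].append((a["resource"], a["status"]))

    findings = []
    for a in assignments:
        if a["kind"] != "auto_account" or a["status"] == "In Violation":
            continue
        deps = dependents.get((a["identity"], a["resource"]), [])
        violating = sorted(r for r, s in deps if s == "In Violation")
        if not violating:
            continue
        # Resources that still legitimately need the account: the reason the
        # child-resource workaround can cause issues for shared accounts.
        shared = sorted(r for r, s in deps if s != "In Violation")
        findings.append({"identity": a["identity"], "account": a["resource"],
                         "violating": violating, "still_needed_by": shared})
    return findings

if __name__ == "__main__":
    for f in unevaluated_auto_accounts(ASSIGNMENTS):
        print(f)
```

An empty `still_needed_by` list marks an account that only serves violating resources; a non-empty list marks a shared account, where the child-resource workaround would also affect compliant access.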