AssignmentType (Complex Type)

Items

• description

  Flags: RAM,runtime

  Multiplicity: [0,1]

• extension

  Flags: dyn,RAM,runtime

  Multiplicity: [0,1]

  The assignment extension used to add parameters to the assignment.

• lifecycleState

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Lifecycle state of the assignment. This property defines whether the assignment represents a draft, proposed definition, whether it is active, deprecated, and so on.

  There are few pre-defined lifecycle states. But custom lifecycle states may also be defined. Pre-defined lifecycle states are:

  • draft: Definition of the assignment in progress. The assignment is NOT active. The definition may change at any moment. It is not ready yet.
  • proposed: Definition of a new assignment is ready for use, but there is still a review process to be applied (e.g. approval). The assignment is NOT active. However the definition should not change in this state. This is the state applied to requested and not yet approved assignments.
  • active: Active and working definition.
  • deprecated: Active definition which is being phased out. The definition is still fully operational. But it should be replaced by a new assignment.
  • archived: Inactive historical definition. It is no longer used. It is maintained only for historical, auditing and sentimental reasons.
  • failed: Unexpected error has occured during assignment lifecycle. Result of that event is that the assignment is rendered inactive. The situation cannot be automatically remedied. Manual action is needed.

• metadata

  Flags: RAM,runtime,oper

  Multiplicity: [0,1]

  Meta-data about data creation, modification, etc. It may apply to objects but also parts of the object (e.g. assignments).

  Meta-data only apply to successful operations. That is obvious for create, but it also applies to modify. For obvious reasons there are no metadata about delete. We keep no metadata about reading. That would be a huge performance hit.

  Meta-data only describe the last operation of its kind. E.g. there is a record of last modification, last approval, etc. There is no history. The last operation overwrites data about the previous operation.

  These data are informational only. They should not be used for security purposes (use auditing subsystem for that). But presence of metadata simplifies system administration and may provide some basic information "at the glance" which may be later confirmed by the audit logs.

  Meta-data are also supposed to be searchable. Therefore they may be used to quickly find "candidate" objects for a closer examination.

• targetRef

  Flags: RAM

  Multiplicity: [0,1]

  Target of assignment or inducement. This is the role, org or service that is assigned.

• construction

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Projection construction. This structure defines how a projection (e.g. account) should be constructed.

• personaConstruction

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Persona construction. This structure defines how a persona (e.g. virtual identity) should be constructed.

• focusMappings

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Set of mappings that are applied to a focus in addition to object template.

• policyRule

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Policy rule that should be applied to the target object.

• activation

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Type that defines activation properties. Determines whether something is active (and working) or inactive (e.g. disabled).

  It applies to several object types. It may apply to user, account, assignement, etc. The data in this type define if the described concept is active, from when it is active and until when. The "active" means that it works. If something is not active, it should not work or not cause any effect. E.g. inactive user should not be able to log in or run any tasks, the non-active role should not be assigned and if assigned it should not be taken into account when computing the accounts.

• order

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Order of the inducement. Simply speaking order specifies the number of assignments that the evaluation must traverse to apply the inducement. The high-order inducements are used in meta-roles. These high-order inducements apply to the object that is assigned to the role instead of meta-role. This property specifies the summary order. This is a sum of all the (non-delegation) assignments along the assignment path. More precise control over the order can be achieved by using the orderConstraints. If not specified and no orderConstraints are specified then the values of 1 is assumed.

• orderConstraint

  Flags: RAM,runtime

  Multiplicity: [0,-1]

  Constraint that defines the range of "orders" and relations when this assignment/inducement should be applied.

• limitTargetContent

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Limitations that selects only some assignments/inducements from the target. It may be used to incorporate only a part of the subrole in the role hierarchy. But it is most frequently used to limit the scope of a delegation to the deputy. It not specified, no limitations of this kind take place.

• limitOtherPrivileges

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Limitations related to other privileges, like the ability to complete work items. If not specified, no limitations of this kind take place.

• focusType

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Type of focal object that this assingnment/inducement applies to. E.g UserType, RoleType, OrgType, ...

• tenantRef

  Flags: RAM

  Multiplicity: [0,1]

  Reference to the tenant which this assignment is associated with. This is an argument to the target of this assignment. E.g. is if frequently used to parametrize the role which is assigned by this assignment. However the exact interpretation of this value depends on the logic of the target role. It may be significant or it may be entirely ignored.

• orgRef

  Flags: RAM

  Multiplicity: [0,1]

  Reference to the organization (org. unit, project, ...) which this assignment is associated with. This is an argument to the target of this assignment. E.g. is if frequently used to parametrize the role which is assigned by this assignment. However the exact interpretation of this value depends on the logic of the target role. It may be significant or it may be entirely ignored.

• condition

  Flags: RAM,runtime

  Multiplicity: [0,1]

  The assignment is applied only if the condition is evaluated to true. If condition is not present, it is assumed to be true.

• policySituation

  Flags: RAM,runtime,oper

  Multiplicity: [0,-1]

  The policy situation(s) of this assignment. The situations are result of evaluation of the policy rules. This property is recorded for each assignment and can be used for reporting, diagnostics, target selection in certification campaigns, etc.

• trigger

  Flags: RAM,runtime,oper

  Multiplicity: [0,-1]

  DEPRECATED. DO NOT USE.

• triggeredPolicyRule

  Flags: RAM,runtime,oper

  Multiplicity: [0,-1]

  Triggered policy rules for this assignment. (Not necessarily complete; subject to specified storage strategy.) This is EXPERIMENTAL functionality. It is possibly to change in the near future.

• policyException

  Flags: RAM,runtime

  Multiplicity: [0,-1]

  Recorded exception from a policy rule. The exceptions that are approved are recoded here to avoid re-evaluating and re-approving them all the time. This is EXPERIMENTAL functionality. It is likely to change in the near future.