12.1 How Entitlements Work

The following diagram shows the basic entitlement process.

Figure 12-1 Basic Overview of Entitlements

  1. An entitlement agent grants an entitlement to a user. There are three ways that entitlements are granted to a user:

    • Role-Based Entitlements: The Entitlements Service driver grants the entitlement based on criteria that place the user in a particular role (or group). These criteria can be based on any event that occurs in the Identity Vault. For example, adding a new employee in an HR system causes a User object to be created in the Identity Vault. Creation of the new User object is the criterion that causes the Entitlements Service driver to grant the Active Directory User Account entitlement to the user.

      To create role-based entitlements in Designer, see Section 12.3, Creating Entitlements through the Entitlement Wizard.

    • User Application Role-Based Provisioning: The user receives a role assignment through the User Application. The User Application’s Role Service driver grants the user any entitlements associated with the new role. For example, a user is assigned an Accountant role that requires access to the Accounting group in Active Directory. The Role Service driver grants the Active Directory Group Membership entitlement to the user.

      To create entitlements for role-based provisioning, use the Role editor. See “Specifying Entitlements” under Using the Role Editor.

    • User Application Workflow-Based Provisioning: A provisioning workflow grants the entitlement to the user. For example, a new employee is added to the HR system, which causes a User object to be created in the Identity Vault. Creation of the new User object initiates a workflow that grants the Active Directory User Account entitlement to the user.

      Creating entitlements to use with workflow-based provisioning is an involved process. To get you started, see Configuring Provisioning Request Definitions.

  2. When an entitlement is added to or removed from a user’s DirXML-EntitlementRef attribute, any entitlement-enabled drivers begin to process the event. Only drivers that have the DirXML-EntitlementRef attribute added to their Subscriber channel filter monitor users for entitlement changes.

  3. The driver processes the entitlement event against the Subscriber channel policies. If the entitlement event is for an entitlement that applies to the driver, the policies are processed. Otherwise, no processing occurs. In the above diagram, the Grant User Account policy is processed because 1) the Active Directory User Account entitlement was added to the user’s DirXML-EntitlementRef attribute and 2) the User Account entitlement is defined on the Active Directory driver. Likewise, if the Active Directory User Account entitlement is later removed from the user’s DirXML-EntitlementRef attribute, the Revoke User Account policy is processed.

  4. The policies trigger the granting or revoking of access to the entitled resource. In the above diagram, the Grant User Account policy triggers the creation of a user account in Active Directory.
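The following is an added, constructed simulation of steps 2 through 4 above; it is not Identity Manager code and does not use the DirXML Script policy language. It models the two gates the text describes: a driver is notified of a change to a user’s DirXML-EntitlementRef attribute only if that attribute is in its Subscriber channel filter, and a notified driver runs its Grant or Revoke policy only for an entitlement defined on that driver. The driver names, entitlement names, user DN and in-memory “vault” are hypothetical.

```python
"""Toy model of the entitlement event flow (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Attribute whose add/remove events carry entitlement grants and revocations.
ENTITLEMENT_ATTR = "DirXML-EntitlementRef"


@dataclass
class Driver:
    """A hypothetical entitlement-enabled driver with its filter and policies."""
    name: str
    subscriber_filter: set[str]          # attributes the Subscriber channel is notified about
    entitlements: set[str]               # entitlements defined on this driver
    granted: dict[str, set[str]] = field(default_factory=dict)  # user DN -> resources granted
    log: list[str] = field(default_factory=list)

    def monitors_entitlements(self) -> bool:
        # Step 2: only drivers with DirXML-EntitlementRef in the filter see the event.
        return ENTITLEMENT_ATTR in self.subscriber_filter

    def process(self, user: str, op: str, entitlement: str) -> str:
        """Step 3/4: run the Grant or Revoke policy if the entitlement applies here."""
        if entitlement not in self.entitlements:
            return "ignored"             # entitlement belongs to another driver: no processing
        if op == "add":
            self.granted.setdefault(user, set()).add(entitlement)
            self.log.append(f"{self.name}: Grant policy -> {entitlement} for {user}")
            return "granted"
        if op == "remove":
            self.granted.setdefault(user, set()).discard(entitlement)
            self.log.append(f"{self.name}: Revoke policy -> {entitlement} for {user}")
            return "revoked"
        raise ValueError(f"unknown operation {op!r}")


def dispatch(drivers: list[Driver], user: str, op: str, entitlement: str) -> dict[str, str]:
    """Fan one DirXML-EntitlementRef change out to every entitlement-enabled driver."""
    results: dict[str, str] = {}
    for driver in drivers:
        if not driver.monitors_entitlements():
            continue                     # attribute not in the Subscriber filter: never notified
        results[driver.name] = driver.process(user, op, entitlement)
    return results


def set_entitlement(vault: dict[str, set[str]], drivers: list[Driver],
                    user: str, entitlement: str, present: bool) -> dict[str, str]:
    """Step 1 (any agent): change the user's DirXML-EntitlementRef value, then dispatch."""
    refs = vault.setdefault(user, set())
    if present and entitlement not in refs:
        refs.add(entitlement)
        return dispatch(drivers, user, "add", entitlement)
    if not present and entitlement in refs:
        refs.discard(entitlement)
        return dispatch(drivers, user, "remove", entitlement)
    return {}                            # no attribute change, so no event is generated


def build_demo_drivers() -> list[Driver]:
    """Constructed driver set: two entitlement-enabled drivers and one that is not."""
    return [
        Driver("Active Directory", {ENTITLEMENT_ATTR, "CN", "Surname"},
               {"Active Directory User Account", "Active Directory Group Membership"}),
        Driver("LDAP", {ENTITLEMENT_ATTR, "CN"}, {"LDAP User Account"}),
        Driver("Delimited Text", {"CN", "Surname"}, set()),   # no entitlement filter entry
    ]


if __name__ == "__main__":
    vault: dict[str, set[str]] = {}
    drivers = build_demo_drivers()
    user = "cn=jdoe,ou=users,o=data"       # constructed user DN
    print(set_entitlement(vault, drivers, user, "Active Directory User Account", True))
    print(set_entitlement(vault, drivers, user, "Active Directory User Account", False))
    for d in drivers:
        for line in d.log:
            print(line)
```

Running the block grants and then revokes the Active Directory User Account entitlement for the constructed user: the Active Directory driver runs its Grant and then Revoke policy, the LDAP driver is notified but ignores an entitlement it does not define, and the Delimited Text driver never appears in the results because DirXML-EntitlementRef is not in its filter.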