13.5 Managing Entitlements

After you create entitlements (or use entitlements that come preconfigured with certain Identity Manager drivers), you need to manage them. Entitlements are tied into the eDirectory event system, and granting and revoking them is initiated through two agents:

Role-Based Entitlements allow you to automatically grant or revoke business resources if the criteria are met. In order for workflow entitlements to work with the User Application, manual approval is first required.

For instance, you can specify that if a user has A, B, and C, then the user is made a member of Group H; but if the user has E and F qualifications, he or she is made a member of Group I. Through Role-Based Entitlements, this action is done automatically, as long as the conditions are met. In order for this entitlement to work with workflow entitlements, the User object must first acquire approval, which you need to set up through the User Application. However, if you do not add policies and rules to the driver to interpret the event in the designated system, granting and revoking entitlements has no effect.
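The grant and revoke behavior described above, as an added example that is not taken from Identity Manager or its documentation: a simplified Python model in which the `Policy` and `Driver` classes, the user name `jdoe`, and the sample qualifications are all hypothetical. It shows that a change in qualifications produces grant and revoke events, but the connected system changes only where the driver has a policy that interprets them.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    """Hypothetical Role-Based Entitlement rule: all criteria must be met."""
    criteria: frozenset
    group: str  # resource granted while the criteria hold

# The two rules from the text: A, B and C -> Group H; E and F -> Group I.
POLICIES = [
    Policy(frozenset("ABC"), "Group H"),
    Policy(frozenset("EF"), "Group I"),
]

def entitled_groups(qualifications):
    quals = set(qualifications)  # each letter is one qualification
    return {p.group for p in POLICIES if p.criteria <= quals}

def entitlement_events(before, after):
    """Return the (action, group) events caused by a qualification change."""
    old, new = entitled_groups(before), entitled_groups(after)
    events = [("grant", g) for g in sorted(new - old)]
    events += [("revoke", g) for g in sorted(old - new)]
    return events

@dataclass
class Driver:
    """Hypothetical driver; `handled` = groups its policies can interpret."""
    handled: set
    members: dict = field(default_factory=dict)  # group -> set of users

    def process(self, user, events):
        applied = []
        for action, group in events:
            if group not in self.handled:
                continue  # no policy interprets the event: no effect
            users = self.members.setdefault(group, set())
            if action == "grant":
                users.add(user)
            else:
                users.discard(user)
            applied.append((action, group))
        return applied

def demo():
    driver = Driver(handled={"Group H"})  # constructed: no policy for Group I
    first = driver.process("jdoe", entitlement_events("", "ABCEF"))
    second = driver.process("jdoe", entitlement_events("ABCEF", "ABEF"))
    return first, second, driver.members
```

In `demo()`, the grant for Group I is generated but never reaches the connected system, because the modeled driver has no policy for it.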

Use either Role-Based Entitlements or workflow entitlements; it is not a good idea to mix them to manage the same resource. We recommend that you have only one agent control an entitlement. If multiple agents are in control, you have the following consequences: