Controlling the Meaning of Adding or Removing Entitlements

You can control the consequences of granting or revoking an entitlement. Each driver provides a list of supported choices that control the meaning of "add" or "remove."

For example, when adding a GroupWise account, you could specify that add actually means to grant the user an account in a disabled state, so that the administrator must intervene before the user can access the account. Or, you could choose to enable the account, which is the default.

By default, the driver configurations use the option that is most likely to preserve data. For example, the default meaning of "remove" for a GroupWise account is set to "disable," to avoid unintentionally losing accounts if the administrator makes a mistake when changing policies. As another example, the DirXML driver configurations don't remove entitlements that have values from a user account in another system. If a user is granted membership in an e-mail distribution list, and if later the user no longer meets the criteria for the Entitlement Policy, he or she is simply dropped from the policy membership. Accounts are disabled, but group membership and attribute values are not removed. An Identity Manager expert could customize the driver configurations if you want a different result.

The interpretation of removing an entitlement is especially important because Role-Based Entitlements functionality gives you the ability to make sweeping changes in an organization's entitlements in a production environment, without testing the results in a lab.

You can change the settings for interpreting add or remove by clicking the account entitlement on the Entitlements page in Entitlement Policy. The page that appears lets you edit the global configuration values, which are part of the driver parameters. Keep in mind that although you edit the interpretation settings from the Entitlements page of an individual Entitlement Policy, the change affects all Entitlement Policies that grant that particular entitlement from that particular DirXML driver and connected system, not just the Entitlement Policy you were editing when you made the change. The settings are per entitlement and driver, not per Entitlement Policy.
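The following sketch is an added example, not code from Identity Manager or from this documentation. It models two points made above: an interpretation setting is shared by every Entitlement Policy that grants the same entitlement from the same driver, and a "disable" interpretation of remove leaves group memberships in place. The record layout, policy names, user names, and function names are all assumptions constructed for illustration.

```python
# Constructed sample data (assumed layout, not an Identity Manager export format).
POLICIES = {
    "Sales Staff": {"grants": [("GroupWise", "account")], "members": {"akim", "bross"}},
    "Contractors": {"grants": [("GroupWise", "account")], "members": {"cdiaz"}},
    "Engineering": {"grants": [("Active Directory", "account")], "members": {"bross"}},
}
# Connected-system view after revocations were processed with remove = "disable".
ACCOUNTS = [
    {"user": "akim", "driver": "GroupWise", "state": "enabled", "groups": {"sales-all"}},
    {"user": "dlee", "driver": "GroupWise", "state": "disabled",
     "groups": {"sales-all", "finance-reports"}},
    {"user": "efox", "driver": "GroupWise", "state": "disabled", "groups": set()},
]


def policies_sharing_setting(policies, driver, entitlement):
    """Policies affected when the add/remove meaning for (driver, entitlement) is edited."""
    return sorted(name for name, policy in policies.items()
                  if (driver, entitlement) in policy["grants"])


def users_in_scope(policies, driver, entitlement):
    """Every member of every policy that shares the setting."""
    names = policies_sharing_setting(policies, driver, entitlement)
    return set().union(*(policies[name]["members"] for name in names))


def residual_access(accounts, policies, driver, entitlement="account"):
    """Disabled accounts, no longer covered by any policy, that still hold group memberships."""
    covered = users_in_scope(policies, driver, entitlement)
    return [(acct["user"], sorted(acct["groups"]))
            for acct in accounts
            if acct["driver"] == driver
            and acct["state"] == "disabled"
            and acct["user"] not in covered
            and acct["groups"]]


if __name__ == "__main__":
    print("Policies sharing the GroupWise account setting:",
          policies_sharing_setting(POLICIES, "GroupWise", "account"))
    print("Users touched by a change to that setting:",
          sorted(users_in_scope(POLICIES, "GroupWise", "account")))
    print("Disabled accounts with leftover memberships:",
          residual_access(ACCOUNTS, POLICIES, "GroupWise"))
```

Running the first two functions before editing a setting shows how many policies and users the change reaches; the third lists accounts whose memberships would come back into effect if the account were re-enabled.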

See also Conflict Resolution between Entitlement Policies.

In the Identity Manager 2 driver configurations, interpretive variables are used only on account entitlements. However, you could configure the driver to have interpretive variables for other types of entitlements.

NOTE: The actions that a driver supports are declared in the driver manifest. The manifest is created by the driver developer to represent the capability of the driver configuration. These options should not be edited by a network administrator. Changing the driver manifest alone does not cause the driver to support a new interpretation; the driver or connected system needs to be enhanced as well.