To create an Entitlement Policy, you can use the wizard provided. Make sure you have set up the Entitlements Service Driver and created the driver configurations that are necessary.

1. In iManager, click Role-Based Entitlements > Role-Based Entitlements.
2. Select a driver set.
   Entitlement Policies are per driver set. The list of existing Entitlement Policies opens, like the page in the following figure. If you are using Role-Based Entitlements for the first time, no policies are listed.
3. Click New.
   The Create New Entitlement Policy Wizard opens.
4. Follow the steps in the wizard to create a new policy.
   Refer to the online help for information about each step in the wizard.
Like a DirXML driver, each Entitlement Policy can manage only objects that are in a master or read/write replica on the server to which it is assigned. Each Entitlement Policy is associated with a single Driver Set object, which is assigned to a particular server.
Only User objects (and other object types derived from the class of User) can be members of an Entitlement Policy.
An Entitlement Policy is a dynamic group object. You can define membership for an Entitlement Policy by using two methods, dynamic and static. You can use both methods in the same Entitlement Policy.
Dynamic: You can define criteria for membership based on values of attributes of the object, such as whether the job title includes the word "Manager." The criteria you specify are converted into an LDAP filter.
Users who meet the criteria are automatically part of the Entitlement Policy, without requiring you to specifically add each user to the policy. The dynamic membership is the same as a Dynamic Group object.
If an object changes so that it no longer meets the criteria for dynamic membership, the entitlements are automatically revoked.
Static: In addition to creating criteria for dynamic membership (an LDAP filter), you can include or exclude specific users.
You can statically add members who don't meet the criteria of the filter. You can exclude members who meet the filter's criteria but should not be included in the Entitlement Policy.
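The membership rules above (a dynamic LDAP filter, plus static includes, minus static excludes, restricted to User objects, with entitlements revoked when an object stops matching) can be modelled in a few lines. The following is an added example written for this page; it is not Identity Manager or Entitlements Service Driver code. The filter parser handles only the `&`, `|`, `!` and equality-with-wildcard forms of LDAP filter syntax, the "derived from User" check is simplified to looking for `User` in the entry's `objectClass` values, and the rule that a static exclude wins over a static include is an assumption. All DNs, attributes and filters are constructed sample data.

```python
"""
Added example: a model of Entitlement Policy membership evaluation.
Illustrative code written for this page, not Identity Manager or
Entitlements Service Driver code. All entries, DNs and filters are
constructed sample data.
"""
import copy
import re


def parse_filter(text):
    """Parse a small subset of LDAP filter syntax: (&...), (|...), (!...) and
    equality items 'attr=value' where the value may contain '*' wildcards."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("truncated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"bad filter item at offset {pos}")
        pos = end + 1
        return ("=", attr.lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def value_matches(pattern, value):
    """Case-insensitive match; '*' in the LDAP pattern means 'any characters'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(value_matches(pattern, v) for v in entry.get(attr, []))


def is_user_object(entry):
    """Simplification of 'User or a class derived from User': eDirectory lists the
    inheritance chain in objectClass, so we look for 'User' among those values."""
    return any(c.lower() == "user" for c in entry.get("objectclass", []))


class EntitlementPolicy:
    """Dynamic filter + static include list - static exclude list."""

    def __init__(self, ldap_filter, include=(), exclude=()):
        self.filter = parse_filter(ldap_filter)
        self.include = set(include)   # members added even though they miss the filter
        self.exclude = set(exclude)   # assumption: an exclude wins over filter and include

    def members(self, directory):
        eligible = {dn for dn, e in directory.items() if is_user_object(e)}
        dynamic = {dn for dn in eligible if matches(self.filter, directory[dn])}
        return (dynamic | (self.include & eligible)) - self.exclude


def membership_delta(policy, before, after):
    """Which DNs gain or lose membership (i.e. get entitlements granted or revoked)
    when the directory changes from 'before' to 'after'."""
    old, new = policy.members(before), policy.members(after)
    return {"grant": sorted(new - old), "revoke": sorted(old - new)}


def with_attribute(directory, dn, attr, values):
    """Return a deep copy of the directory with one entry's attribute replaced."""
    changed = copy.deepcopy(directory)
    changed[dn][attr] = list(values)
    return changed


# Constructed sample directory (attribute names lower-cased, values as lists).
DIRECTORY = {
    "cn=alice,ou=users,o=example": {"objectclass": ["User", "Top"], "title": ["Sales Manager"]},
    "cn=bob,ou=users,o=example": {"objectclass": ["User", "Top"], "title": ["Engineer"]},
    "cn=carol,ou=users,o=example": {"objectclass": ["User", "Top"], "title": ["Regional Manager"]},
    "cn=printer1,ou=devices,o=example": {"objectclass": ["Printer", "Top"], "title": ["Manager"]},
}

# Constructed policy: "job title includes Manager", bob added statically, carol excluded.
POLICY = EntitlementPolicy(
    "(title=*Manager*)",
    include=["cn=bob,ou=users,o=example"],
    exclude=["cn=carol,ou=users,o=example"],
)

if __name__ == "__main__":
    print(sorted(POLICY.members(DIRECTORY)))
    after = with_attribute(DIRECTORY, "cn=alice,ou=users,o=example", "title", ["Sales Associate"])
    print(membership_delta(POLICY, DIRECTORY, after))
```

Running the module prints alice and bob as members (alice via the filter, bob via the static include; carol is excluded and the printer is not a User object), then shows alice being revoked once her title no longer matches the filter, which is the behaviour described for dynamic membership above.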
Role-Based Entitlements enables you to grant entitlements on connected systems and rights in eDirectory.
Drivers that support Role-Based Entitlements offer a list of entitlements that can be assigned using an Entitlement Policy. The entitlements that the driver can provide are listed in the driver manifest, which is created by the driver developer to represent the capability of the driver and connected system. (The driver manifest should not be edited by an Identity Manager administrator.)
Trustee rights to objects in eDirectory are immediately granted to members of the Entitlement Policy. By default, entitlements in connected systems are granted to each member of the Entitlement Policy the next time an attribute used for Entitlement Policy membership is modified for that user, or when a user is moved to a different container or renamed.
Entitlements on connected systems can be any of the following:
To add entitlements to an Entitlement Policy, go to the Entitlements page and select a driver. A pop-up window displays the entitlements that driver offers.
For example, in the following figure, you can see two kinds of entitlements being offered by a GroupWise driver, and the first one in the list is a GroupWise User Account.
To assign membership in groups on connected systems, you choose the membership entitlement from the list of entitlements offered by a driver.
The following figure shows an example, with GroupWise Distribution Lists shown second in the list.
If you choose GroupWise Distribution Lists in this example, a query pop-up is displayed, like the example in the following figure.
The Entitlement Policy interface lets you query for the list of e-mail distribution lists or NOS lists. After a query has been performed, you can choose to view the cached list.
The drivers are configured to return the complete list, so you can choose from the lists that exist on the connected system.
NOTE: A driver could be customized to limit the list to group names you type in, rather than a query that returns the complete list.