How Role-Based Entitlements Work

Role-Based Entitlements relies on the Entitlements Service driver. This driver is an engine service that monitors whether users are members of an Entitlement Policy. If a user meets the dynamic membership criteria of an Entitlement Policy dynamic group, or is statically included in the policy, the Entitlements Service driver writes the entitlement that the user should receive to the DirXML-SPEntitlements attribute on the User object.

For the systems listed in Configuring Drivers to Use Entitlement Policies, you can choose the Role-Based Entitlements option when importing the Identity Manager sample driver configuration. You can then review the policies provided. These policies support Role-Based Entitlements by monitoring the DirXML-SPEntitlements attribute and granting or revoking entitlements.
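The following is an added model of the evaluation described above (it is not Novell's driver code): each user is checked against the dynamic criteria and static members of every Entitlement Policy, the resulting set is compared with what is currently in DirXML-SPEntitlements, and the difference is what the driver policies would have to grant or revoke. The policy objects, user records and the entitlement value strings are constructed placeholders; the page does not describe the real value format of the attribute.

```python
from dataclasses import dataclass, field

@dataclass
class EntitlementPolicy:
    name: str
    entitlement: str                                  # value written to DirXML-SPEntitlements (placeholder)
    criteria: dict = field(default_factory=dict)      # dynamic membership: attribute -> required value
    static_members: set = field(default_factory=set)  # statically included user DNs

def is_member(policy, dn, user):
    """A user is a member if statically included or if every dynamic criterion matches."""
    if dn in policy.static_members:
        return True
    if not policy.criteria:            # no dynamic criteria: only static inclusion counts
        return False
    return all(user.get(attr) == val for attr, val in policy.criteria.items())

def expected_entitlements(policies, dn, user):
    """Entitlements the Entitlements Service driver should have written for this user."""
    return {p.entitlement for p in policies if is_member(p, dn, user)}

def reconcile(policies, users):
    """Compare expected entitlements with the current DirXML-SPEntitlements values.
    Returns, per user DN, what the driver policies would grant and revoke."""
    events = {}
    for dn, user in users.items():
        current = set(user.get("DirXML-SPEntitlements", ()))
        expected = expected_entitlements(policies, dn, user)
        grants, revokes = expected - current, current - expected
        if grants or revokes:
            events[dn] = {"grant": sorted(grants), "revoke": sorted(revokes)}
    return events

# Constructed sample data: two policies and three users in a fictional "acme" tree.
POLICIES = [
    EntitlementPolicy("Engineering AD account", "ad-account", criteria={"ou": "Engineering"}),
    EntitlementPolicy("Finance application", "finance-app",
                      static_members={"cn=bob,ou=Finance,o=acme"}),
]
USERS = {
    "cn=alice,ou=Engineering,o=acme": {"ou": "Engineering", "DirXML-SPEntitlements": []},
    "cn=bob,ou=Finance,o=acme": {"ou": "Finance", "DirXML-SPEntitlements": ["finance-app"]},
    # carol moved out of Engineering but still carries the old entitlement value
    "cn=carol,ou=Sales,o=acme": {"ou": "Sales", "DirXML-SPEntitlements": ["ad-account"]},
}

if __name__ == "__main__":
    print(reconcile(POLICIES, USERS))
```

Running the model against a directory export in this way is a useful audit: any user that shows up with grants or revokes is one whose DirXML-SPEntitlements value no longer matches policy membership.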

The Entitlements Service driver updates the DirXML-SPEntitlements attribute only when one of the following happens:

Entitlement Policies enable you to grant entitlements on connected systems and rights in eDirectory. Entitlements on connected systems can be any of the following:

Some of the options are demonstrated in the sample driver configurations.

Because one Entitlements Service driver is used per driver set, an Entitlement Policy can manage only users that are in a read/write or master replica on the server that is associated with that driver set.

Role-Based Entitlements functionality is based on Identity Manager. Therefore, to administer connected systems, you must have DirXML drivers installed and configured properly.

In addition, to avoid conflicts between Entitlement Policy assignments and DirXML driver configurations, you should know your business policies and how they are administered through Identity Manager. A DirXML Entitlement Policy and a policy in a driver configuration should not both manage the same attribute, because their assignments can overlap or conflict.