6.0 Creating and Using Entitlements

Identity Manager allows you to synchronize data between connected systems. Entitlements allow you to set up criteria for a person or group that, once met, initiate an event to grant or revoke access to business resources within the connected system. This gives you one more level of control and automation for granting and revoking resources.

There are two aspects to making entitlements work: creating the entitlement and managing the entitlement. You create entitlements through iManager or through Designer. To create an entitlement through iManager, select the Create Entitlement option under the Identity Manager Utilities heading in iManager. For more information, see Section 6.4, Writing Entitlements in XML through iManager.

You can also use Designer to create entitlements and deploy them into existing Identity Manager drivers. Designer allows you to create entitlements through the Entitlement Wizard, which gives you a graphical interface for creating the entitlement and steps you through the process. In iManager, you create entitlements through a simple interface, but you add additional properties through an XML editor. Because Designer has a graphical interface, we recommend using it for creating and editing entitlements.

After you create entitlements (or use entitlements that come already configured with certain Identity Manager drivers), you need to manage them. Entitlements are managed by one of two packages or agents: iManager, as Role-Based Entitlement policies, or the User Application, in workflow-based provisioning. For entitlements used in workflow-based provisioning, see Introduction to Workflow-Based Provisioning. For information on Role-Based Entitlements, see Section 6.5, Managing Role-Based Entitlements Overview.

Role-Based Entitlement policies allow you to grant business resources if the criteria are met. For example, if a user meets criteria 1, 2, and 3, then through a Role-Based Entitlement policy, the user becomes a member of Group H; but if the user meets 4 and 5, he or she becomes a member of Group I. In order for this entitlement to work through workflow-based provisioning, approval is first required.