6.5 Managing Role-Based Entitlements Overview

Traditionally, entitlements on connected systems are administered on a per-driver basis, solely by creating and editing driver configuration policies such as the ones you create with Policy Builder. In this traditional distributed model, each Identity Manager driver and connected system is often controlled by a different administrator, and the business policies that determine whether a user gets resources on that system are “hard-coded” separately in the driver configuration policies of each connected-system driver.

The Role-Based Entitlement model fits an environment where one or a few administrators have authority to control the entitlement policies. Such an administrator needs a general understanding of Identity Manager, but does not need much XSLT or DirXML Script expertise to use the Role-Based Entitlements interface.

Role-Based Entitlement policies automatically grant or revoke business resources when their criteria are met. An entitlement is like a permission slip for a resource: with the permission slip you have access to the designated resource, and without it you have none. As a working example, you can specify that if a user meets criteria 1, 2, and 3, then through a Role-Based Entitlement policy the user becomes a member of Group H; but if the user meets criteria 4 and 5, the user becomes a member of Group I.

Setting up to manage Role-Based Entitlements is a three-step process:

  1. If you haven’t already done so, enable the DirXML-EntitlementRef attribute on the Identity Manager driver object as described in Section 6.2.2, Enabling Entitlements on Other Identity Manager Drivers.

  2. Install the Entitlements Service driver (Entitlement.xml) as described in Section 6.6, Creating an Entitlements Service Driver Object.

  3. Create Role-Based Entitlement Policies in iManager, as described in Section 6.7, Creating Entitlement Policies.

6.5.1 How the Entitlement Service Driver Works

Role-Based Entitlements rely on the Entitlements Service driver (Entitlement.xml). This driver is an engine service that monitors whether users are members of an Entitlement Policy. If a user meets the dynamic membership criteria of an Entitlement Policy dynamic group, or is statically included in it, the Entitlements Service driver updates the DirXML-EntitlementRef attribute on the User object.

For the systems listed in Section 6.2.1, Identity Manager Drivers with Preconfigurations that Support Entitlements, you can enable entitlements when importing the Identity Manager driver configuration. Identity Manager ships a number of driver configurations that already contain entitlements, the policies that implement them, and the setting that enables the driver to listen for entitlement activity. You can then review the policies provided. These policies support entitlements by monitoring the DirXML-EntitlementRef attribute and granting or revoking entitlements on the connected system accordingly.

The Entitlements Service driver updates the DirXML-EntitlementRef attribute only when one of the following happens:

  • You use the Reevaluate Membership task

  • You specify in which part of the tree users should be reevaluated

  • A user is moved

  • A user is renamed

  • Any attribute used for membership in an Entitlement Policy is modified

Entitlement policies enable you to grant entitlements on connected systems and rights in the Identity Vault. Entitlements on connected systems can be any of the following:

  • Accounts

  • Membership in e-mail distribution lists

  • Group membership

  • Attributes for the corresponding objects in connected systems, populated with values you specify

  • Placement

  • Other entitlements that you customize

The driver configurations that have entitlements enabled demonstrate some of the options you can create with entitlements.

Because one Entitlements Service driver is used per driver set, an Entitlement policy can manage only users that are in a read/write or master replica on the server that is associated with that driver set.

Role-Based Entitlement policy functionality is built on Identity Manager. Therefore, to administer connected systems, you must have Identity Manager drivers installed and configured properly and the Identity Manager plug-ins installed.

In addition, to avoid conflicts between Entitlement Policy assignments and Identity Manager driver configurations, you should know your business policies and how they are administered through Identity Manager. An Entitlement policy and a policy in a driver configuration should never both manage the same attribute; if they overlap, the two sources can assign contradictory values to it.
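The following Python model illustrates the behaviour described in this section: dynamic and static policy membership, the DirXML-EntitlementRef update that happens only when a membership attribute changes, the grant/revoke difference a connected-system driver would act on, and a check for the attribute overlap warned about above. It is an added example and not Identity Manager code; the policy criteria format, the entitlement triples, the driver name "AD" and the user attributes are assumptions chosen for illustration, and the real DirXML-EntitlementRef value format is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One entitlement on a connected system (assumed representation)."""
    driver: str        # driver that implements it, e.g. "AD" (assumed name)
    kind: str          # account, group, distribution_list, attribute, placement
    target: str        # group name, attribute name, container, ...
    value: str = ""    # for kind == "attribute": the value to populate


@dataclass
class EntitlementPolicy:
    """An Entitlement Policy: dynamic criteria plus optional static members."""
    name: str
    criteria: dict                     # attribute -> required value (all must match)
    grants: tuple                      # entitlements granted to members
    static_members: frozenset = frozenset()

    def is_member(self, user):
        if user["cn"] in self.static_members:
            return True
        return all(user.get(attr) == val for attr, val in self.criteria.items())


class EntitlementService:
    """Models what the Entitlements Service driver does for one driver set."""

    def __init__(self, policies):
        self.policies = list(policies)
        # cn -> set of Entitlement; stands in for the DirXML-EntitlementRef attribute
        self.refs = {}
        # Only changes to these attributes can alter membership
        self.membership_attrs = {a for p in self.policies for a in p.criteria}

    def reevaluate(self, user):
        """Recompute a user's entitlements; return (granted, revoked)."""
        wanted = {e for p in self.policies if p.is_member(user) for e in p.grants}
        current = self.refs.get(user["cn"], set())
        self.refs[user["cn"]] = wanted
        return wanted - current, current - wanted

    def modify(self, user, attr, value):
        """Apply an attribute change; reevaluate only if it can affect membership."""
        user[attr] = value
        if attr not in self.membership_attrs:
            return set(), set()   # e.g. a phone number change triggers nothing
        return self.reevaluate(user)


def overlaps_with_driver_policies(policies, driver_managed):
    """Return (policy name, entitlement) pairs where an Entitlement policy populates
    an attribute that the driver's own configuration policies already manage."""
    return [
        (p.name, e)
        for p in policies
        for e in p.grants
        if e.kind == "attribute" and e.target in driver_managed.get(e.driver, set())
    ]


# Constructed sample policies: criteria 1-3 -> Group H, criteria 4-5 -> Group I
AD_ACCOUNT = Entitlement("AD", "account", "account")
GROUP_H = Entitlement("AD", "group", "Group H")
GROUP_I = Entitlement("AD", "group", "Group I")
CONTRACTOR_DESC = Entitlement("AD", "attribute", "description", "Contractor")
POLICIES = [
    EntitlementPolicy("Engineering staff",
                      {"department": "Engineering", "employeeType": "FTE", "l": "Provo"},
                      (AD_ACCOUNT, GROUP_H)),
    EntitlementPolicy("Contractors",
                      {"employeeType": "Contractor", "l": "Provo"},
                      (AD_ACCOUNT, GROUP_I, CONTRACTOR_DESC)),
]


def run_scenario():
    """Constructed user lifecycle; returns the service and the grant/revoke events."""
    svc = EntitlementService(POLICIES)
    alice = {"cn": "alice", "department": "Engineering", "employeeType": "FTE", "l": "Provo"}
    events = {
        "initial": svc.reevaluate(alice),                            # account + Group H
        "phone": svc.modify(alice, "telephoneNumber", "555-0100"),  # not a membership attribute
        "convert": svc.modify(alice, "employeeType", "Contractor"),  # H revoked, I + description granted
    }
    return svc, events


if __name__ == "__main__":
    svc, events = run_scenario()
    for step, (granted, revoked) in events.items():
        print(step, "granted:", sorted(e.target for e in granted),
              "revoked:", sorted(e.target for e in revoked))
    # Overlap check: assume the AD driver config already sets "description"
    print("overlaps:", overlaps_with_driver_policies(POLICIES, {"AD": {"description"}}))
```

Note that the account entitlement survives the conversion because both policies grant it, so the connected-system driver sees only the group and attribute changes; and the overlap check reports the Contractors policy because it populates an attribute the driver configuration is assumed to manage, which is exactly the situation the paragraph above tells you to avoid.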