6.2 Creating Entitlements: Overview

You must know beforehand what you want to accomplish with entitlements. Entitlements rely on the functionality you build into Identity Manager drivers through policies. These driver policies implement rules and process the events between the Identity Vault and the connected system. If the policies in the Identity Manager driver do not specify what you want to do, entitlements cannot work. For example, if you don’t specify the action section of the Check User Modify for Group Membership rule in the Command policy, attempts to grant or revoke a group membership entitlement are ignored.

Once you know precisely what you want to accomplish with Identity Manager, you can correctly design granting and revoking capabilities for any connected system resources. The following four-step procedure can help you plan how to create and use entitlements:

  1. Know what you want to accomplish in your business situation. You can design and implement almost anything through Identity Manager, but you need to define what you want to do before you implement it. Make a numbered list of what you want to do.

  2. Define an entitlement that represents one point from your numbered list. You can create valueless and valued entitlements. Valued entitlements can take their values from an external query, from an administrator-defined list, or as free-form input. There are examples in Section 6.4.6, Example Entitlements To Help You Create Your Own Entitlements.

  3. Add policies to the Identity Manager driver to implement the designed entitlement. To create a policy for an Identity Manager driver, you need to be conversant with XSLT or DirXML Script, with the way the connected system handles and receives information, and with the way Novell® eDirectory™ stores information. Unless you are a good DirXML* programmer, this is a job for consultants.

  4. Set up a managing agent to grant or revoke the entitlement. If you want an automated process, use Role-Based Entitlements; if you want a manual process, use workflow-based provisioning.

6.2.1 Identity Manager Drivers with Preconfigurations that Support Entitlements

Identity Manager comes with a number of drivers with preconfigurations that already contain entitlements, policies to implement the entitlements, and a driver configured to listen for entitlement activity. You must enable entitlements when you initially install the driver in order to make the preconfiguration elements part of the driver. The following drivers have preconfigurations that support entitlements:

  • Active Directory*

  • Exchange

  • GroupWise®

  • LDAP

  • NIS

  • Lotus* Notes*

  • NT Domain

  • RACF

These preconfigured drivers fulfill the first three of the four steps outlined above. The types of example entitlements the drivers contain can be used for the most common scenarios: granting and revoking user accounts, groups, and email distribution lists. These include:

  • Active Directory: Grant and revoke accounts, group membership, Exchange Mailbox

  • Exchange 5.5: Grant and revoke mailbox and group membership

  • GroupWise: Grant and revoke accounts, grant and revoke members of distribution lists

  • LDAP: Grant and revoke user accounts

  • Linux* and UNIX*: Grant and revoke accounts

  • Lotus Notes: Grant and revoke user accounts and group memberships

  • NT Domain: Grant and revoke user accounts and group membership

  • RACF: Grant and revoke group accounts and group memberships

These are example entitlements and policies that you can use as is (if they meet your needs); you can also tweak them to meet your needs, or you can use them as examples and make your own through iManager or Designer. Again, if you want to use the preconfigured driver’s entitlements, you must enable entitlements when you initially create the preconfigured driver in Designer or iManager; preconfigured entitlements cannot be added later without re-creating the driver.

If you have been using entitlements with Identity Manager 2.x and you want to use those entitlements with Identity Manager 3.0.1, run the Upgrade Entitlements option under Identity Manager Utilities.

6.2.2 Enabling Entitlements on Other Identity Manager Drivers

You can still use entitlements on Identity Manager drivers that do not contain entitlement preconfigurations. To enable your driver to support entitlements, add the DirXML-EntitlementRef attribute to your driver filter. To do this:

  1. Select Identity Manager > Identity Manager Overview.

  2. Browse to the driver set where the driver resides and click Search.

  3. From the Identity Manager Overview screen, select the Driver object from the presented Driver Set.

    Selecting a driver from the driver set
  4. Double-click the driver from the Driver Set to bring up the driver screen. Click the Driver Filter icon to the right of the Identity Vault (circled in red).

    Select the Subscriber channel driver filter
  5. On the Filter page, select Add Attribute, then scroll to the bottom and select Show all attributes. Select the DirXML-EntitlementRef attribute, and click OK.

    Select DirXML-EntitlementRef attribute
  6. Select DirXML-EntitlementRef in the Filter page. Under the Subscribe heading, select Notify. Click OK.

    Select Notify under the Subscribe heading
  7. This process is performed automatically when you create entitlements through Designer on a driver.
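The filter change in steps 5 and 6 is the point where entitlement events start reaching the driver. The following script is an added example, not Novell’s own tooling, that audits an exported driver filter for the setting this section describes: DirXML-EntitlementRef present in the filter with Subscribe = Notify. It assumes the filter export layout of filter / filter-class / filter-attr elements with class-name, attr-name, publisher and subscriber attributes; the sample filter and the class names it contains are constructed.

```python
"""Audit an Identity Manager driver filter export for entitlement support.

Added example (not part of the product). It checks that the
DirXML-EntitlementRef attribute is in the filter with Subscribe = Notify,
the setting the iManager procedure above configures by hand.
"""
import xml.etree.ElementTree as ET

ENTITLEMENT_ATTR = "DirXML-EntitlementRef"

# Constructed sample filter export: User is set up correctly, Group has the
# attribute but the wrong Subscribe setting, Organizational Unit lacks it.
SAMPLE_FILTER = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="DirXML-EntitlementRef" publisher="ignore" subscriber="notify"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="DirXML-EntitlementRef" publisher="ignore" subscriber="ignore"/>
  </filter-class>
  <filter-class class-name="Organizational Unit" publisher="sync" subscriber="sync">
    <filter-attr attr-name="OU" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""


def audit_entitlement_filter(filter_xml, classes=None):
    """Return {class-name: status}. Status is 'ok', 'missing' (attribute not in
    the class), 'subscriber=<value>' (present but not notify) or
    'class not in filter'. With classes=None every class in the filter is
    reported; otherwise only the classes you expect to carry entitlements."""
    root = ET.fromstring(filter_xml)
    found = {fc.get("class-name"): fc for fc in root.iter("filter-class")}
    wanted = list(classes) if classes is not None else list(found)
    report = {}
    for name in wanted:
        fclass = found.get(name)
        if fclass is None:
            report[name] = "class not in filter"
            continue
        attrs = {a.get("attr-name"): a for a in fclass.iter("filter-attr")}
        if ENTITLEMENT_ATTR not in attrs:
            report[name] = "missing"
            continue
        mode = (attrs[ENTITLEMENT_ATTR].get("subscriber") or "unset").lower()
        report[name] = "ok" if mode == "notify" else f"subscriber={mode}"
    return report


def classes_needing_fix(filter_xml, classes=None):
    """Classes whose entitlement grants and revokes would never reach the driver."""
    report = audit_entitlement_filter(filter_xml, classes)
    return sorted(name for name, status in report.items() if status != "ok")


if __name__ == "__main__":
    for cls, status in audit_entitlement_filter(SAMPLE_FILTER).items():
        print(f"{cls:22s} {status}")
```

Run it against a real filter export instead of SAMPLE_FILTER and pass the object classes your entitlements apply to (usually User) in the classes argument.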