You must know beforehand what you want to accomplish with entitlements. Entitlements work from the functionality you build into Identity Manager drivers through policies. These driver policies implement rules and process the events between the Identity Vault and the connected system. If the policies in the Identity Manager driver do not specify what you want to do, entitlements cannot work. For example, if you don’t specify the action section of the Check User Modify for Group Membership rule in the Command policy, attempts to grant or revoke a group membership entitlement are ignored.
You need to know precisely what you want to accomplish with Identity Manager, then you can correctly design granting and revoking capabilities for any connected system resources. The following four-step procedure can help you plan to create and use entitlements:
Know what you want to accomplish in your business situation. You can design and implement almost anything through Identity Manager, but you need to know what you want to do before implementing something that isn’t defined. Make a numbered list of what you want to do.
Define an entitlement that represents one point from your numbered list. You can create valueless and valued entitlements. Valued entitlements can get their values from an external query, they can be administrator defined, or they can be free form. There are examples in Section 6.4.6, Example Entitlements To Help You Create Your Own Entitlements.
Add policies to the Identity Manager Driver to implement the designed entitlement. To create a policy for an Identity Manager driver, you need to be conversant in XSLT or DirXML script, in the way the connected system handles and receives information, and with the way Novell® eDirectory™ stores information. Unless you are a good DirXML* programmer, this is a job for consultants.
Set up a managing agent to grant or revoke the entitlement. If you want an automated process, use Role-Based Entitlements; if you want a manual process, use workflow-based provisioning.
Identity Manager comes with a number of drivers with preconfigurations that already contain entitlements, policies to implement the entitlements, and the driver enabled to listen for entitlement activities. You must enable entitlements as you initially install the driver in order to make the preconfiguration elements part of the driver. The following drivers have preconfigurations that support entitlements:
These preconfigured drivers fulfill the first three of the four steps outlined above. The types of example entitlements the drivers contain can be used for the most common scenarios: granting and revoking user accounts, groups, and email distribution lists. These include:
Active Directory: Grant and revoke accounts, group membership, Exchange Mailbox
Exchange 5.5: Grant and revoke mailbox and group membership
GroupWise: Grant and revoke accounts, grant and revoke members of distribution lists
LDAP: Grant and revoke user accounts
Linux* and UNIX*: Grant and revoke accounts
Lotus Notes: Grant and revoke user accounts and group memberships
NT Domain: Grant and revoke user accounts and group membership
RACF: Grant and revoke group accounts and group memberships
These are example entitlements and policies that you can use as is (if they meet your needs); you can also tweak them to meet your needs, or you can use them as examples and make your own through iManager or Designer. Again, if you want to use the preconfigured driver’s entitlements, you must enable entitlements when you initially create the preconfigured driver in Designer or iManager; preconfigured entitlements cannot be added later without re-creating the driver.
If you have been using entitlements with Identity Manager 2.x and you want to use those entitlements with Identity Manager 3.0.1, run theoption under .
You can still use entitlements on Identity Manager drivers that do not contain entitlement preconfigurations. To enable your driver to support entitlements, add the DirXML-EntitlementRef attribute to your driver filter. To do this:
Browse to the driver set where the driver resides and click.
From the Identity Manager Overview screen, select the Driver object from the presented Driver Set.
Double-click the driver from the Driver Set to bring up the driver screen. Click theicon right of the Identity Vault (circled in red).
On the Filter page, select, then scroll to the bottom and select . Select the attribute, and click .
Selectin the Filter page. Under the Subscribe heading, select . Click .
This process is performed automatically when you create entitlements through Designer on a driver.