6.10 Entitlement Elements that Apply to Role-Based Entitlements and Workflow-Based Provisioning Entitlements

The information below applies to all entitlements rather than to a specific implementation.

6.10.1 Controlling the Meaning of Granting or Revoking Entitlements

You can control the consequences of granting or revoking an entitlement. Each driver provides a list of supported choices that control the meaning of “grant” or “revoke.”

For example, when adding a GroupWise account, you could specify that grant actually means to grant the user an account in a disabled state, so that the administrator must intervene before the user can access the account. Or, you could choose to enable the account, which is the default.

By default, the driver configurations use the option that is most likely to preserve data. For example, the default meaning of remove for a GroupWise account is set to “disable,” to avoid unintentionally losing accounts if a mistake is made when the administrator is making changes to policies. As another example, the Identity Manager driver configurations don’t revoke entitlements that have values from a user account in another system. If a user is granted membership in an e-mail distribution list, and if later the user no longer meets the criteria for the Entitlement policy, he or she is simply dropped from the policy membership. Accounts are disabled, but group membership and attribute values are not removed. An Identity Manager expert can customize the driver configurations if you want a different result.

The interpretation of revoking an entitlement is especially important because Role-Based Entitlements functionality gives you the ability to make sweeping changes in an organization’s entitlements in a production environment, without testing the results in a lab.

You can change the settings for interpreting grant or revoke by editing the Global Configuration Variables on a preconfigured driver. If you are creating your own custom configuration, you could add GCVs to interpret granting and revoking entitlements.

6.10.2 Preventing Data Loss

Role-Based Entitlements are designed to allow you to make sweeping changes to entitlements, such as accounts, based on membership in the policy. This means, however, that mistakes made in changing policies are a concern. The driver configurations that ship with Identity Manager use the most benign settings. You should understand how to use GCVs to avoid unintentional data loss.

For example, we recommend that you never use delete as the value for the GCV that interprets revoking an account entitlement.
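To make the GCV mechanism concrete, here is an added illustration of how a driver configuration can expose the revoke interpretation as a GCV and how a policy rule can branch on it. This is not the XML shipped with any Identity Manager driver; the GCV name `account-revoke-action`, the entitlement name `UserAccount`, the `losing` condition and the `Login Disabled` attribute are assumptions standing in for whatever the real driver uses.

```xml
<!-- GCV definition in the driver configuration (assumed names). The default
     is the data-preserving choice, "disable"; "delete" is irreversible. -->
<configuration-values>
  <definitions>
    <definition display-name="Action when the account entitlement is revoked"
                name="account-revoke-action" type="enum">
      <description>What the driver does when a user loses the account
        entitlement. "disable" keeps the account and its data; "delete"
        removes it and cannot be undone by re-granting the entitlement.</description>
      <enum-choice display-name="Disable the account" value="disable"/>
      <enum-choice display-name="Delete the account" value="delete"/>
      <value>disable</value>
    </definition>
  </definitions>
</configuration-values>

<!-- Command Transformation policy that consumes the GCV (assumed entitlement
     name "UserAccount" and attribute "Login Disabled"). -->
<policy>
  <rule>
    <description>Revoke of account entitlement: disable when GCV is "disable"</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-entitlement name="UserAccount" op="losing"/>
        <if-global-variable name="account-revoke-action" op="equal">disable</if-global-variable>
      </and>
    </conditions>
    <actions>
      <!-- Account stays in place; only the login flag changes, so a policy
           mistake is recoverable by re-granting the entitlement. -->
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="string"><token-text>True</token-text></arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
  <rule>
    <description>Revoke of account entitlement: delete when GCV is "delete"</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-entitlement name="UserAccount" op="losing"/>
        <if-global-variable name="account-revoke-action" op="equal">delete</if-global-variable>
      </and>
    </conditions>
    <actions>
      <!-- Destructive branch: one wrong policy edit removes every matching account. -->
      <do-delete-dest-object/>
    </actions>
  </rule>
</policy>
```

Because the GCV value is the only thing that selects between the two rules, reviewing GCVs on a preconfigured driver is the quickest way to confirm that revoke cannot cascade into deletions.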

As another measure to protect your data when you edit or create a new entitlement policy, the driver is turned off so that changes are not made while your editing of policies is incomplete. You can then manually restart the driver when you are finished, using the Restart button in the Entitlement Policies interface. Similarly, if another user appears to be editing Entitlement policies, and you try to restart the Entitlements Service driver using the Restart button, you are prompted not to restart the driver until the other user is finished making changes.

6.10.3 Password Synchronization and Entitlements

Password Synchronization is managed the same way for drivers that are using Role-Based Entitlements as it is for other drivers, as described in Password Synchronization across Connected Systems.