1.1 How the Entitlements Service Driver Works

The Entitlements Service driver grants entitlements to and revokes entitlements from users, as shown in the following diagram.

Figure 1-1 Entitlements Service Driver Process

The driver implements entitlements through the use of entitlement policies. An entitlement policy contains the following:

The Entitlements Service driver uses the following basic process to grant entitlements to and revoke entitlements from users:

  1. The driver evaluates the users within its defined scope to see if they meet the criteria established for membership in a policy. This occurs whenever:

    • Any criteria attribute used for determining membership in an entitlement policy is modified.

    • A user is moved.

    • A user is renamed.

    • You manually initiate a reevaluation of a policy’s membership.

  2. The driver updates the DirXML-EntitlementRef attribute of any user whose entitlements have changed. This includes granting entitlements if the user was added to an entitlement policy or revoking entitlements if the user was removed from a policy.

  3. After the DirXML-EntitlementRef attribute for a user is updated, the Entitlements Service driver’s job is finished. For the entitlement to be implemented, the entitlement must be defined on the appropriate driver and the driver’s policies must include the actions required to enforce the entitlement. For information about creating entitlements and the policies to support them, see the Identity Manager 3.6.1 Entitlements Guide.
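The reevaluation in steps 1 and 2 can be modeled as a set difference between the entitlements a user's current policy memberships confer and those the user already holds. The sketch below is an added example, not Identity Manager code. The `Policy` and `User` shapes, the sample DNs, and the representation of DirXML-EntitlementRef as a plain set of entitlement DNs are assumptions made for illustration, and all sample users are assumed to be within the driver's scope.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed entitlement DNs (placeholders, not from the product documentation).
MAIL = "cn=MailAccount,cn=MailDriver,cn=DriverSet,o=example"
CRM_ADMIN = "cn=CrmAdmin,cn=CrmDriver,cn=DriverSet,o=example"

@dataclass
class User:
    dn: str
    attrs: dict
    # Simplified stand-in for DirXML-EntitlementRef: only the entitlement DNs
    # written by this model, not the real attribute syntax.
    entitlement_refs: set = field(default_factory=set)

@dataclass(frozen=True)
class Policy:  # hypothetical shape: a membership test plus the entitlements it confers
    name: str
    is_member: Callable[[User], bool]
    entitlements: frozenset

POLICIES = [
    Policy("Sales staff", lambda u: u.dn.lower().endswith(",ou=sales,o=example"),
           frozenset({MAIL})),
    Policy("Managers", lambda u: u.attrs.get("title") == "Manager",
           frozenset({MAIL, CRM_ADMIN})),
]

def reevaluate(user, policies=POLICIES):
    """Steps 1-2: test membership in every policy, then grant/revoke the difference."""
    expected = set()
    for policy in policies:
        if policy.is_member(user):
            expected |= policy.entitlements
    granted = expected - user.entitlement_refs
    # An entitlement is revoked only when no remaining policy still confers it.
    revoked = user.entitlement_refs - expected
    user.entitlement_refs = expected
    # Step 3 is out of scope here: enforcing the change is the job of the driver
    # on which the entitlement is defined.
    return granted, revoked

if __name__ == "__main__":
    ana = User("cn=ana,ou=sales,o=example", {"title": "Manager"})
    print("initial   ", reevaluate(ana))
    ana.attrs["title"] = "Analyst"           # criteria attribute modified
    print("retitled  ", reevaluate(ana))
    ana.dn = "cn=ana,ou=hr,o=example"        # user moved
    print("moved     ", reevaluate(ana))
```

When the title changes, only the CRM entitlement is revoked because the sales policy still confers the mail entitlement. Reviewing the returned `revoked` set after each trigger is a simple way to confirm that access is withdrawn when membership ends.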