Role-Based Entitlements is designed to allow you to make sweeping changes to entitlements such as accounts, based on membership in the policy. This means, however, that mistakes made in changing policies could be a concern. The driver configurations that ship with Identity Manager use the most benign settings. You should understand which settings help to avoid loss of data.
The two kinds of settings that make the most difference are interpretive variables and conflict resolution. See Controlling the Meaning of Adding or Removing Entitlements and Conflict Resolution between Entitlement Policies.
For example, we recommend that you never use delete as the value for the interpretive variable for removing an account. Role-Based Entitlements allows you to make major changes in your production environment without going through a test cycle, and it's possible you could make a mistake that would remove an account entitlement from someone without meaning to.
An administrator could safeguard data by making sure the interpretive variable for revoking accounts is set to disable instead of delete.
As another measure to protect your data when you edit or create a new entitlement policy, the driver is turned off so that changes are not made while your editing of policies is incomplete. You can then manually restart the driver when you are finished, using the Restart button in the Entitlement Policies interface. Similarly, if another user appears to be editing Entitlement Policies, and you try to restart the driver using the Restart button, you are prompted not to restart the driver until the other user is finished making changes.