6.2 Creating Entitlements: Overview

You must know beforehand what you want to accomplish with entitlements. An entitlement does nothing by itself; it relies on the functionality you build into Identity Manager drivers through policies. Driver policies implement the rules that process events between the Identity Vault and the connected system, and if no policy implements the action an entitlement stands for, the entitlement cannot work. For example, if the action section of the Check User Modify for Group Membership rule in the Command policy is left unspecified, attempts to grant or revoke a group membership entitlement are ignored.

You need to know precisely what you want to accomplish with Identity Manager before you can correctly design the granting and revoking of resources in any connected system. The following four-step procedure helps you plan how to create and use entitlements:

  1. Know what you want to accomplish in your business situation. You can design and implement almost anything through Identity Manager, but you need to define what you want to do before you implement it. Make a numbered list of what you want to do.

  2. Define an entitlement that represents one item from your numbered list. You can create valueless and valued entitlements. Valued entitlements can get their values from an external query, from a list the administrator defines, or as free-form input. There are examples in Section 6.4.6, Example Entitlements To Help You Create Your Own Entitlements.

  3. Add policies to the Identity Manager driver to implement the designed entitlement. To create a policy for an Identity Manager driver, you need to be conversant in XSLT or DirXML Script, in the way the connected system handles and receives information, and in the way Novell® eDirectory™ stores information. Unless you are an experienced DirXML programmer, this is a job for consultants.

  4. Set up a managing agent to grant or revoke the entitlement. If you want an automated process, use Role-Based Entitlements; if you want a manual process, use workflow-based provisioning.
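The following DirXML Script rule is an added, constructed illustration of step 3 and of the Check User Modify for Group Membership rule mentioned above; it is not the policy shipped with any driver configuration. It assumes an entitlement named Group whose value is the DN of a group in the connected system, a connected-system Group class with a multi-valued Member attribute holding member DNs, a user that is already associated so that its destination DN is known, and placement of the rule in the Subscriber channel Command Transformation policy. The conditions section only detects the entitlement change; the actions section is what performs the grant or revoke.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a DirXML Script policy, constructed for illustration; not
     a policy taken from a shipped driver configuration. The entitlement name
     (Group), the connected-system class (Group) and its membership attribute
     (Member) are assumptions. -->
<policy>
  <rule>
    <description>Check User Modify for Group Membership (example)</description>
    <conditions>
      <and>
        <!-- Match only modify events on User objects that change the
             entitlement reference attribute. -->
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="nocase" op="equal">modify</if-operation>
        <if-op-attr name="DirXML-EntitlementRef" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- Grant: for each Group entitlement value added in this event, add the
           user's destination DN to that group's Member attribute.
           direct="true" sends the modify straight to the connected system;
           arg-dn names the group object to modify. -->
      <do-for-each>
        <arg-set>
          <token-added-entitlement name="Group"/>
        </arg-set>
        <arg-actions>
          <do-add-dest-attr-value class-name="Group" direct="true" name="Member">
            <arg-dn>
              <token-local-variable name="current-node"/>
            </arg-dn>
            <arg-value type="string">
              <token-dest-dn/>
            </arg-value>
          </do-add-dest-attr-value>
        </arg-actions>
      </do-for-each>
      <!-- Revoke: for each Group entitlement value removed in this event,
           remove the user from that group. -->
      <do-for-each>
        <arg-set>
          <token-removed-entitlement name="Group"/>
        </arg-set>
        <arg-actions>
          <do-remove-dest-attr-value class-name="Group" direct="true" name="Member">
            <arg-dn>
              <token-local-variable name="current-node"/>
            </arg-dn>
            <arg-value type="string">
              <token-dest-dn/>
            </arg-value>
          </do-remove-dest-attr-value>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
</policy>
```

Leaving the actions element empty reproduces the failure described above: the conditions still match, but the engine has nothing to execute, so the grant or revoke is dropped. When testing, enable driver trace and confirm that a modify of the group object follows the user's DirXML-EntitlementRef change.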

6.2.1 Identity Manager Drivers with Configurations that Support Entitlements

Identity Manager includes a number of drivers whose configuration files already contain entitlements, the policies that implement them, and the settings that enable the driver to listen for entitlement activity. You must enable entitlements when you initially install the driver for these preconfigured elements to become part of it. The following drivers have configuration files that support entitlements:

  • Active Directory

  • Exchange

  • GroupWise

  • LDAP

  • NIS

  • Lotus Notes

  • NT Domain

  • RACF

These preconfigured drivers fulfill the first three of the four steps outlined above. The example entitlements they contain cover the most common scenarios: granting and revoking user accounts, group memberships, and e-mail distribution lists. They include:

  • Active Directory: Grant and revoke accounts, group membership, Exchange Mailbox

  • Exchange 5.5: Grant and revoke mailbox and group membership

  • GroupWise: Grant and revoke accounts, grant and revoke members of distribution lists

  • LDAP: Grant and revoke user accounts

  • Linux and UNIX: Grant and revoke accounts

  • Lotus Notes: Grant and revoke user accounts and group memberships

  • NT Domain: Grant and revoke user accounts and group membership

  • RACF: Grant and revoke group accounts and group memberships

These example entitlements and policies can be used as is if they meet your needs, tweaked to fit your needs, or used as models for your own entitlements created through iManager or Designer. Again, to use a preconfigured driver’s entitlements you must enable entitlements when you initially create the driver in Designer or iManager; the preconfigured entitlements cannot be added later without re-creating the driver.

If you have been using entitlements with Identity Manager 2.x and you want to use those entitlements with Identity Manager 3.5.1, run the Upgrade Entitlements option under Identity Manager Utilities.

6.2.2 Enabling Entitlements on Other Identity Manager Drivers

You can still use entitlements on Identity Manager drivers whose configurations do not include entitlement preconfigurations. To enable such a driver to support entitlements, add the DirXML-EntitlementRef attribute to the driver filter, with the Subscriber channel set to Notify. To do this:

  1. Select Identity Manager > Identity Manager Overview.

  2. Browse to the driver set where the driver resides, then click Search.

  3. From the Identity Manager Overview page, click the Driver object.

    Selecting a driver from the driver set
  4. On the Driver Overview page, click the Driver Filter icon to the right of the Identity Vault.

    Select the Subscriber channel driver filter
  5. Select Add Attribute, then scroll to the bottom and select Show all attributes.

  6. Select the DirXML-EntitlementRef attribute, then click OK.

    Select DirXML-EntitlementRef attribute
  7. Select DirXML-EntitlementRef in the Filter page, then under the Subscribe heading select Notify.

    Select Notify under the Subscribe heading
  8. Click OK to save the changes.

    Designer performs this filter change automatically when you create an entitlement on a driver.
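The change the steps above make to the driver filter, shown here as an added, constructed example of the filter XML (the form you see when you export the driver configuration or open the filter in Designer's XML view); it is not a filter from any shipped driver configuration, and the User class and its other attributes are placeholders:

```xml
<!-- Added, constructed example of one class in a driver filter; the class and
     the ordinary attributes are placeholders. -->
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <!-- Ordinary synchronized attributes (placeholders). -->
    <filter-attr attr-name="CN" merge-authority="default" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Surname" merge-authority="default" publisher="sync" subscriber="sync"/>
    <!-- Entitlement reference: Notify, not Sync, on the Subscriber channel so
         that changes reach the Subscriber policies without the engine trying
         to write an attribute the connected system does not have. Publisher
         is set to ignore because the connected system never originates it. -->
    <filter-attr attr-name="DirXML-EntitlementRef" merge-authority="default" publisher="ignore" subscriber="notify"/>
  </filter-class>
</filter>
```

After saving the filter, exporting the driver configuration and checking for this filter-attr line is a quick way to confirm the change took effect; if the attribute is set to Sync instead of Notify, the engine attempts to write DirXML-EntitlementRef to the connected system rather than merely reporting the change to your policies.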