24.2 Configuring Custom Entitlements

You use Designer to configure custom entitlements on a driver. The entitlements packages contain the content necessary for collecting and reconciling permissions. If you want a driver to support permission collection and reconciliation, ensure that these packages are installed on the driver. You can turn this functionality on or off using the new set of GCVs included with the driver.

You can either create a new driver with the latest packages or upgrade the packages for an existing driver. In both cases, you install the driver packages and then modify the driver configuration to suit your environment. For creating new drivers, NetIQ recommends that you refer to the individual driver documentation guides.

24.2.1 Deploying Custom Entitlement Package for Identity Applications

Perform the following tasks in Designer to make a custom entitlement available to the Identity Applications:

  1. Install the custom entitlement package. Installing it also installs the CPRS common package automatically.

  2. Create an entitlement (DirXML-Entitlement) object for the driver, for example Cubicle.

    For more information, see Creating Entitlements through the Entitlement Wizard in the NetIQ Designer for Identity Manager Administration Guide.

  3. To make the new entitlement available as an Identity Applications resource, perform the following tasks:

    NOTE: To access the Identity Applications Resource Catalog, navigate to Administration > Resources in the Identity Manager Dashboard. For more information, see Listing Resources in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

    1. Right-click the driver and click Properties.

    2. Navigate to GCVs > Custom Entitlements tab.

    3. In List of Custom Entitlements, add the names of the entitlement objects that need to be listed in the Identity Applications user interface.

      NOTE:

      • Entitlement names are case sensitive.

      • CPRS supports only the Identity Manager 4.0 and later entitlement formats. For more information, see Entitlements Formats in the NetIQ Identity Manager Entitlements Guide.

      • By default, cprs-supported, role-mapping, and resource-mapping flags are set to True and the data-collection flag is set to False.

    4. (Conditional) To change any of these flags for an entitlement, create a GCV of boolean type whose name combines the flag and the entitlement name:

      drv.cprssupported.<entitlement-name>, drv.datacollection.<entitlement-name>, drv.rolemapping.<entitlement-name>, and drv.resourcemapping.<entitlement-name> for the cprs-supported, data-collection, role-mapping, and resource-mapping flags respectively. The entitlement name in the GCV name is case sensitive and must match the entitlement object name exactly.

    5. To include additional XML in an entitlement, create a GCV as follows:

      1. Specify the Name as drv.entitlement.extensions.<entitlement-name>.

      2. Select the Type as String.

      3. Select the Multi-line option.

      Place the additional extension nodes inside an <entitlement-extensions></entitlement-extensions> element in the value of this GCV. For more information, see Modifying Custom Entitlement Extension.

    6. (Conditional) For localizing the entitlement, add the localization values for the entitlement in the L10N_<locale> mapping table.

  4. Deploy and start the driver for the changes to take effect.

24.2.2 Modifying Custom Entitlement Extension

Identity Manager recognizes the following XML nodes inside the <entitlement-extensions> element of the entitlement XML. Include each node that applies to your entitlement; the conditions under which a node is required are given with its description.

parameters: If the entitlement is of the Identity Manager 4.0 or later format, the User Application uses the information in the parameters node to build the code map refresh values. Each key used in the code map value must be defined as a parameter element in this node. For more information, see DTD.

account: For an account entitlement, you must define the following items under the <account> node:

  • <account-id>: Contains details of the account unique ID in the User Application.

  • <account-status>: Contains information about the attribute that stores the login or logout status of the user.

For more information, see DTD.

member-assignment-query: If the query for obtaining permission assignments differs from the query defined in the DirXML-Entitlement object, redefine the query under this node. For more information, see DTD.

member-assignment-extensions: For multi-valued entitlements, if the permission details are obtained from a specific attribute of the connected application, provide the details of that attribute in this node. For more information, see DTD.

The following samples show entitlement extension XML. Example 1 uses the <parameters> and <member-assignment-extensions> nodes; Example 2 uses the <account>, <parameters>, and <member-assignment-query> nodes.

Example 1:

This example manages a custom entitlement in the connected application, such as Cubicle, where the permission value is stored in the AssignedTo attribute.

<entitlement-extensions>
  <parameters>
    <parameter mandatory="true" name="ID" source="association" />
    <parameter mandatory="true" name="ID2" source="association" />
  </parameters>
  <native-value source="src-dn" />
  <member-assignment-extensions>
    <query-xml>
      <read-attr attr-name="AssignedTo" />
    </query-xml>
  </member-assignment-extensions>
</entitlement-extensions>

Example 2:

In this example, <account> and <member-assignment-query> nodes are defined for a multi-valued entitlement.

<entitlement-extensions>
  <account>
    <account-id source="src-dn" />
    <account-status active="FALSE" inactive="TRUE" source="read-attr" source-name="Account_STATUS" />
  </account>
  <parameters>
    <parameter mandatory="true" name="ID" source="read-attr" source-name="RESTACCOUNT" />
  </parameters>
  <member-assignment-query>
    <query-xml>
      <nds dtdversion="2.0">
        <input>
          <query class-name="User" scope="subtree">
            <search-class class-name="User" />
          </query>
        </input>
      </nds>
    </query-xml>
  </member-assignment-query>
</entitlement-extensions>
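As an added example that is not part of the NetIQ documentation or of the driver packages, the following Python script performs the checks a practitioner would want to run before deploying the driver, covering both the GCV procedure in 24.2.1 and the extension nodes described in this section: it derives the flag and extension GCV names for an entitlement with the defaults this page states, enforces the case-sensitive match against the List of Custom Entitlements, and lints an <entitlement-extensions> fragment against the node descriptions above. The function names, the two XML samples (constructed to mirror Example 2 and a broken variant), and the consistency checks that go beyond the text (for instance that a <search-class> class-name should agree with its enclosing <query> class-name, and that a read-attr source needs a source-name) are assumptions; the script does not validate against the entitlement DTD, which is not reproduced here.

```python
"""Pre-deployment checks for one custom entitlement's CPRS configuration.

Added example, not NetIQ or Designer code. Assumes only what this section states:
flag GCVs are booleans named drv.<flag>.<entitlement-name>, the extension XML lives in the
string GCV drv.entitlement.extensions.<entitlement-name>, and its value is an
<entitlement-extensions> element. The XML samples below are constructed (assumption)."""
import xml.etree.ElementTree as ET

# Defaults stated in the section, keyed by the name segment used in the flag GCVs.
FLAG_DEFAULTS = {
    "cprssupported": True,    # cprs-supported
    "datacollection": False,  # data-collection
    "rolemapping": True,      # role-mapping
    "resourcemapping": True,  # resource-mapping
}

def flag_gcv_names(entitlement_name):
    """Map each flag GCV name for this entitlement to its documented default."""
    return {f"drv.{flag}.{entitlement_name}": default for flag, default in FLAG_DEFAULTS.items()}

def extension_gcv_name(entitlement_name):
    """Name of the multi-line string GCV that carries the extension XML."""
    return f"drv.entitlement.extensions.{entitlement_name}"

def check_listed(entitlement_name, listed_names):
    """Names in 'List of Custom Entitlements' are case sensitive: an exact match is ok,
    a case-only difference is a likely typo, anything else means the entry is missing."""
    if entitlement_name in listed_names:
        return "ok"
    if entitlement_name.lower() in {n.lower() for n in listed_names}:
        return "case-mismatch"
    return "missing"

def lint_extensions(xml_text):
    """Check an <entitlement-extensions> fragment against the node descriptions in 24.2.2.
    Returns a list of findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    if root.tag != "entitlement-extensions":
        return [f"root element is <{root.tag}>, expected <entitlement-extensions>"]
    findings = []
    # <parameters>: each code-map key needs a <parameter> with name and source;
    # a read-attr source is unusable without the attribute it reads (source-name).
    for p in root.findall("parameters/parameter"):
        for attr in ("name", "source"):
            if attr not in p.attrib:
                findings.append(f"<parameter> missing '{attr}' attribute")
        if p.get("source") == "read-attr" and not p.get("source-name"):
            findings.append(f"<parameter name={p.get('name')!r}> source=read-attr needs source-name")
    # <account>: an account entitlement must define both <account-id> and <account-status>.
    account = root.find("account")
    if account is not None:
        for child in ("account-id", "account-status"):
            if account.find(child) is None:
                findings.append(f"<account> is missing <{child}>")
        status = account.find("account-status")
        if status is not None:
            for attr in ("active", "inactive", "source"):
                if attr not in status.attrib:
                    findings.append(f"<account-status> missing '{attr}' attribute")
            if status.get("source") == "read-attr" and not status.get("source-name"):
                findings.append("<account-status> source=read-attr needs source-name")
    # Both member-assignment nodes carry their query inside <query-xml>.
    for node in ("member-assignment-query", "member-assignment-extensions"):
        el = root.find(node)
        if el is not None and el.find("query-xml") is None:
            findings.append(f"<{node}> has no <query-xml> child")
    # A redefined assignment query is a DirXML query (<nds><input><query>); its
    # <search-class> class-name should agree with the query's own class-name (assumption).
    maq = root.find("member-assignment-query")
    if maq is not None and maq.find("query-xml") is not None:
        if maq.find("query-xml/nds/input/query") is None:
            findings.append("<member-assignment-query> lacks <nds><input><query> under <query-xml>")
        for q in maq.iter("query"):
            for sc in q.findall("search-class"):
                if sc.get("class-name") != q.get("class-name"):
                    findings.append(f"<search-class class-name={sc.get('class-name')!r}> does not "
                                    f"match <query class-name={q.get('class-name')!r}>")
    return findings

# Constructed samples: GOOD_XML mirrors Example 2; BAD_XML drops a source-name and
# misspells the search class.
GOOD_XML = """<entitlement-extensions>
  <account><account-id source="src-dn"/>
    <account-status active="FALSE" inactive="TRUE" source="read-attr" source-name="Account_STATUS"/></account>
  <parameters><parameter mandatory="true" name="ID" source="read-attr" source-name="RESTACCOUNT"/></parameters>
  <member-assignment-query><query-xml><nds dtdversion="2.0"><input>
    <query class-name="User" scope="subtree"><search-class class-name="User"/></query>
  </input></nds></query-xml></member-assignment-query>
</entitlement-extensions>"""
BAD_XML = """<entitlement-extensions>
  <parameters><parameter mandatory="true" name="ID" source="read-attr"/></parameters>
  <member-assignment-query><query-xml><nds dtdversion="2.0"><input>
    <query class-name="User" scope="subtree"><search-class class-name="USer"/></query>
  </input></nds></query-xml></member-assignment-query>
</entitlement-extensions>"""
```

Run lint_extensions on the value of the drv.entitlement.extensions.<entitlement-name> GCV before deploying the driver: for GOOD_XML it returns an empty list, while for BAD_XML it returns two findings, the parameter without a source-name and the USer/User class-name mismatch. flag_gcv_names("Cubicle") lists the four boolean GCV names with their defaults, so an operator can see which flags need an explicit GCV; check_listed catches the case-sensitivity trap in List of Custom Entitlements, which otherwise shows up only as an entitlement silently absent from the Resource Catalog.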