The SAP User Management Fan-Out packages contain entitlement policies and a set of preconfigured entitlements. The User Account entitlement is used with the fan-out configuration.
Most Identity Manger drivers support the User Account entitlement as an entitlement that can only be granted once and does not take any parameters. It is like an on/off switch for the account in the application. There is a one-to-one relationship between the User Account entitlement and one account in the application. The fan-out configuration requires that a single User object in the Identity Vault be granted multiple User Account entitlements for accounts in different systems. A parameter is added to the User Account entitlement, so each time the entitlement is granted it is a unique event. The parameter indicates the system where the account is granted.
The SAP User Management Fan-Out packages contain a new version of the User Account entitlement and the policies that implement the entitlement. The entitlement can be granted multiple times and uses the parameter that tells the policies where to send the events.
The format of the parameter is:
LSNAME=<LSNAME>
The LSNAME is the same system identifier (SAP logical system name) that is found in the association and in the destination DN.
The following is an example of the User Account entitlement in a trace:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.0.4294">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" event-id="metaserver1#20090513130202#1#2#0" src-dn="\META\data\company\users\aberg">
...
<add-attr attr-name="DirXML-EntitlementRef">
<value timestamp="1242219722#1" type="structured">
<component name="nameSpace">1</component>
<component name="volume">\META\system\services\idm\driverset1\SAP-USER\UserAccount</component>
<component name="path.xml">
<ref>
<src>NRF</src>
<id>1242219722981</id>
<param>LSNAME=S7ICLNT800</param>
</ref>
</component>
</value>
</add-attr>
...
</add>
</input>
</nds>