For Identity Manager 4.0 and later, the entitlement value is multivalued. The format of storing the entitlement parameter has changed. The new entitlement parameters are formatted as a JSON string as follows:
{"ID":"aspencer-cell"}
Using JSON string allows the use of name=value pairs and to introduce the concept of well-known fields where the same type of information can be stored using the same identifier and can be retrieved easily by consuming application (for example, Role-Based Provisioning Module, Role Mapping Administrator, Identity Reporting Module). JSON also addresses the issue of escaping special characters in values. JSON is a well-known format and there are many JSON parsers and generators available for use. Table 1-1 lists mandatory fields for JSON.
Table 1-1 Mandatory Fields for JSON
|
ID |
Display Name |
Sample Value |
Mandatory |
Description |
|---|---|---|---|---|
|
ID |
Primary ID |
f1e84f2a7964614eaa45407c724e3a98 |
Yes |
The Identity Manager drivers use the primary ID to identify the corresponding entity in the connected system. For example, the Active Directory driver uses the objectGUID in Active Directory as the identifier. However, the GUID is not of any value to other applications. |
|
ID2 |
Secondary ID |
CN=Domain Users,CN=Users,DC=yourcompany,DC=msft |
No |
The Identity Manager drivers can use the secondary ID to identify the corresponding entity in the connected system. This ID is not used by Identity Manager but might provide value to other consuming applications of the entitlement. Active Directory can identify an object by its objectGUID but also by its DN. DN is a valuable secondary ID for Active Directory entitlements. |
|
LIID |
Logical Instance ID |
S7ICLNT800 |
No |
The fan-out drivers can use the Logical Instance ID to know if the entitlement is granted to the logical instance of the application they connect to. |
You can add more fields if entitlements require additional fields. For example, adding validity dates (valid from and valid to) or other. The names of the new fields must start with an underscore “_” as shown in Table 1-2.
Table 1-2 Optional Fields for JSON
|
ID |
Display Name |
Sample Value |
Mandatory |
Description |
|---|---|---|---|---|
|
_FROM |
Valid From |
20100318 |
No |
A sample custom field the SAP User Management driver uses for role entitlements. |
|
_TO |
Valid To |
20100319 |
No |
A sample custom field the SAP User Management driver uses for role entitlements. |
The following are examples of entitlement parameters for Identity Manager drivers:
Active Directory driver:
{
"ID": "f1e84f2a7964614eaa45407c724e3a98",
"ID2": "CN=Domain Users,CN=Users,DC=yourcompany,DC=msft"
}
SAP User driver:
{
"ID": "A_BEW_ALL",
"LIID": "S7ICLNT800",
"_FROM": "20100318",
"_TO": "20100319"
}