10.0 EntitlementConfiguration DTD

Entitlements are a way for you to provide users with access to resources in the connected systems. Entitlements allow you to store parametrized flags on objects in the Identity Vault. The Identity Manager drivers implement entitlements and, based on the entitlement flags, add users to or remove users from a role or a group.

An EntitlementConfiguration object contains metadata about the entitlements defined for any Identity Manager driver. The EntitlementConfiguration object has been standardized and extended in Identity Manager 4.0. This standardization introduces a common format and provides additional extensions that the Identity Reporting module can use for its data collection service.

The <entitlement-configuration> node contains the metadata about the various entitlements for a driver.

<!-- Sample EntitlementConfiguration for an Active Directory driver. It describes three entitlements (ExchangeMailbox, Group, UserAccount), each identified by the DN of its entitlement object under driverset1. The modified attribute looks like a yyyyMMddHHmmss timestamp (confirm against the DTD). -->
<entitlement-configuration modified="20121004122936">
<entitlements>
    <!-- Mailbox entitlement in the "legacy" parameter format: only a type and a display name are declared, with no parameters, queries or account mapping. -->
    <!-- resource-mapping and role-mapping are "true" on every entry in this sample; presumably they expose the entitlement for mapping to resources and roles. Each mapping is a path by which access can be granted, so enable only the ones an entitlement needs (confirm semantics against the DTD). -->
    <entitlement resource-mapping-state="add" parameter-format="legacy"  dn="CN=ExchangeMailbox,CN=Active Directory,CN=driverset1,dc=idm,dc=services,dc=system" resource-mapping="true" role-mapping="true">
        <type id="mailbox" name="mailbox" category="other account">
            <display-name>
                <value langCode="EN">Mailbox</value>
            </display-name>
        </type>
    </entitlement>
    <!-- Group entitlement in the "idm4" parameter format, with resource-mapping-state "pending". -->
    <entitlement resource-mapping-state="pending" parameter-format="idm4" dn="CN=Group,CN=Active Directory,CN=driverset1,dc=idm,dc=services,dc=system" resource-mapping="true" role-mapping="true">
        <type id="group" name="group" category="security grouping">
            <display-name>
                <value langCode="EN">Group</value>
            </display-name>
        </type>
        <!-- Two mandatory entitlement parameters: ID is taken from the attribute named ID, ID2 from the source DN. -->
        <parameters> 
            <parameter mandatory="true" name="ID" source="read-attr" source-name="ID"/> 
            <parameter mandatory="true" name="ID2" source="src-dn"/> 
        </parameters>
        <!-- Assignment query extension: reads the group's member attribute to find who holds the entitlement. -->
        <member-assignment-extensions>
            <query-attr name="query-type">entitlement-assignment</query-attr>
            <query-xml>
                <read-attr attr-name="member"/>
            </query-xml> 
        </member-assignment-extensions>
        <!-- Data extension: additional attributes (owner, sAMAccountName) collected for each group. -->
        <query-extensions>
            <query-attr name="extension-type">data</query-attr>
            <query-xml>
                <read-attr attr-name="owner"/>       
                <read-attr attr-name="sAMAccountName"/>
            </query-xml> 
        </query-extensions>
    </entitlement>
    <!-- User account entitlement. Unlike the two entries above it sets neither parameter-format nor resource-mapping-state, so whatever defaults the DTD defines apply. -->
    <entitlement dn="CN=UserAccount,CN=Active Directory,CN=driverset1,dc=idm,dc=services,dc=system" resource-mapping="true" role-mapping="true">
        <type id="user" name="account" category="security account">
            <display-name>
                <value langCode="EN">User</value>
            </display-name>
        </type>
        <!-- Full assignment query rather than an extension: a subtree search for User objects. The empty read-attr presumably asks for no attribute values, only the matching objects (confirm against the nds DTD). -->
        <member-assignment-query>
            <query-attr name="query-type">entitlement-assignment</query-attr>
            <query-xml>
                <nds dtdversion="2.0">
                    <input>
                        <query class-name="User" scope="subtree">
                            <search-class class-name="User"/>
                            <read-attr/>
                        </query>
                    </input>
                </nds>
            </query-xml>
        </member-assignment-query>
        <!-- Accounts extension: the attributes read for each account. -->
        <query-extensions>
            <query-attr name="extension-type">accounts</query-attr>
            <query-xml> 
                <read-attr attr-name="dirxml-uACAccountDisable"/>
                <read-attr attr-name="userPrincipalName"/>
                <read-attr attr-name="sAMAccountName"/>
            </query-xml>
        </query-extensions>
        <!-- Account mapping: four sources that can identify the account (two attributes, the source DN and the association), followed by the account status source. -->
        <account>
            <account-id source="read-attr" source-name="sAMAccountName"/>
            <account-id source="read-attr" source-name="userPrincipalName"/>
            <account-id source="src-dn"/>
            <account-id source="association"/>
            <!-- active="false" and inactive="true" give the source values that stand for an active and an inactive account; the inverted booleans presumably reflect a disable flag. -->
            <!-- NOTE(review): source-name is userAccountControl, but the accounts query-extensions block in this entitlement reads dirxml-uACAccountDisable and never reads userAccountControl. Confirm which attribute is intended: a status source that is not collected, or that does not hold true/false, could leave disabled accounts reported with the wrong status. -->
            <account-status source="read-attr" source-name="userAccountControl" active="false" inactive="true"/>
        </account>
    </entitlement>
</entitlements>
</entitlement-configuration>