5.0 Creating Policies to Support Entitlements

An entitlement gives a user permission to access the resource represented by the entitlement. However, for the entitlement to actually be granted or revoked, you need to create the appropriate policies.

Information about how to create policies is provided in the NetIQ Identity Manager Policies in Designer guide and the NetIQ Identity Manager Policies in iManager guide.

By default, the Active Directory driver includes several entitlements and the policies required to support the entitlements. These policies are listed below. You can use these policies as examples of the types of policies you might need to create to support entitlements on other drivers.

  • Input Transform (driver level): The Check Target Of Add Association For Group Membership Entitlements rule in this policy checks the target of “add-association” for group membership entitlements. Group membership entitlements assigned to users being created in Active Directory cannot be processed until the user is successfully created. Add-association signals that the driver has created the object in Active Directory. If the object is also tagged for group entitlement processing, the rule performs that work at this point.

  • Event Transform (Publisher channel): The Disallow User Account Delete rule in this policy disallows a user account delete in the Identity Vault. When you use the User Account Entitlement, managed user accounts are controlled by the entitlement in the Identity Vault. A delete in Active Directory does not delete the controlling object in the Identity Vault. A future change to the object in the Identity Vault or a merge operation might re-create the account in Active Directory.

  • Command (Subscriber channel): The Command policy contains the following rules pertaining to entitlements:

    • The User Account Entitlement Change (Delete Option) rule. The User Account Entitlement grants the user an enabled account in Active Directory. Revoking the entitlement disables or deletes the Active Directory account, depending on the value you select for the When account entitlement revoked global variable. This rule executes when the entitlement is changing and you have selected the Delete option.

    • The User Account Entitlement Change (Disable Option) rule. The User Account Entitlement grants the user an enabled account in Active Directory. Revoking the entitlement disables or deletes the Active Directory account, depending on the value you select for the When account entitlement revoked global variable. This rule executes when the entitlement is changing and you have selected the Disable option.

    • The Check User Modify for Group Membership Being Granted or Revoked rule.

    • The Check User Modify for Exchange Mailbox Being Granted or Revoked rule.

  • Matching (Subscriber channel): This policy contains the Account Entitlement: Do Not Match Existing Accounts rule. When you use the User Account entitlement with the Identity Manager User Application or Role-Based Entitlements, accounts are created and deleted (or disabled) by granting or revoking the entitlement. The default policy does not match an existing account in Active Directory if the user is not entitled to an account in Active Directory. Modify or remove this rule if you want the entitlement policy to apply to matching accounts in Active Directory. This might result in the Active Directory account being deleted or disabled.

  • Creation (Subscriber channel): The Creation policy contains the following rules pertaining to entitlements:

    • Account Entitlement: Block Account Creation When Entitlement Not Granted. When you use the User Account entitlement with the Identity Manager User Application or Role-Based Entitlements, accounts are created only for users that are specifically granted the account entitlement. This rule vetoes user account creation when the entitlement is not granted.

    • Identity Vault Accounts Are Enabled if Login Disabled Does Not Exist.

    • Prepare To Check Group Entitlements After Add. Group entitlements are processed after the add completes, because the added object needs to exist in order to be added to a group. The add is flagged with an operational property that is checked in the input transform when the add processing completes.

    • Signal the Need To Check Exchange Entitlements After the Add.

    • Map User Name to Windows Logon Name. When userPrincipalName is configured to follow the eDirectory user name, this rule sets userPrincipalName to the eDirectory object name plus the name of the Active Directory domain.
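The following is an added example, not the driver's own DirXML-Script and not taken from this guide: a small Python model of how the default rules above fit together across the Subscriber channel (Matching, Creation, Command), the Input Transform (deferred group work on add-association) and the Publisher Event Transform (delete veto). All function names, the sample users and the two values assumed for the When account entitlement revoked global variable are constructed for the model.

```python
# Added example (not the driver's own DirXML-Script): a Python model of the
# default Active Directory driver entitlement rules described in this section.
# Every name here is constructed for the model; the GCV values are assumed.
from dataclasses import dataclass, field

# Assumed values of the "When account entitlement revoked" global variable.
DISABLE = "disable"
DELETE = "delete"


@dataclass
class UserEvent:
    name: str                           # eDirectory object name
    account_entitled: bool              # User Account Entitlement currently granted
    entitlement_changing: bool = False  # the entitlement value changes in this event
    ad_account_exists: bool = False     # an account with matching attributes exists in AD
    group_entitlements: list = field(default_factory=list)  # groups granted by entitlement


# Operational state carried from the Creation policy to the Input Transform:
# group work deferred until AD confirms the object exists (add-association).
pending_group_checks: dict = {}


def subscriber_add(ev: UserEvent) -> str:
    """Matching and Creation rules for an <add> on the Subscriber channel."""
    # Matching: an existing AD account is matched only for an entitled user.
    if ev.account_entitled and ev.ad_account_exists:
        return "associate-existing"
    # Creation: Block Account Creation When Entitlement Not Granted.
    if not ev.account_entitled:
        return "veto"
    # Creation: Prepare To Check Group Entitlements After Add. Flag the add so
    # the Input Transform can finish the group work once the object exists.
    if ev.group_entitlements:
        pending_group_checks[ev.name] = list(ev.group_entitlements)
    return "create"


def subscriber_modify(ev: UserEvent, revoke_option: str) -> str:
    """Command rules: User Account Entitlement Change (Delete/Disable Option)."""
    if not ev.entitlement_changing:
        return "pass"
    if ev.account_entitled:
        # Assumption of this model: a newly granted entitlement enables the account.
        return "enable"
    return "delete" if revoke_option == DELETE else "disable"


def input_transform_add_association(name: str) -> list:
    """Check Target Of Add Association For Group Membership Entitlements."""
    # The object now exists in AD, so the deferred group additions can proceed.
    return [(name, group) for group in pending_group_checks.pop(name, [])]


def publisher_delete(name: str) -> str:
    """Event Transform: Disallow User Account Delete in the Identity Vault."""
    # A delete in AD never removes the controlling object in the Identity Vault.
    return "veto"


def map_logon_name(edir_name: str, domain: str) -> str:
    """Map User Name to Windows Logon Name: object name plus the AD domain."""
    return f"{edir_name}@{domain}"


if __name__ == "__main__":
    # Constructed sample events.
    alice = UserEvent("alice", account_entitled=False, ad_account_exists=True)
    print("alice add:", subscriber_add(alice))            # veto
    frank = UserEvent("frank", account_entitled=True, group_entitlements=["CN=Sales"])
    print("frank add:", subscriber_add(frank))            # create
    print("frank assoc:", input_transform_add_association("frank"))  # [('frank', 'CN=Sales')]
    dave = UserEvent("dave", account_entitled=False, entitlement_changing=True)
    print("dave revoke:", subscriber_modify(dave, DELETE))  # delete
```

The two-step group handling is the point worth noticing: the Creation policy only records the intent, and the Input Transform acts on it when the add-association proves the object exists, which is why group entitlements are never applied to a user whose creation was vetoed.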