Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information
on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
The guide explains how to create and use entitlements as part of your Identity Manager solution.
Chapter 1, “Entitlements Overview,” on page 9
Chapter 2, “Checklist for Implementing Entitlements,” on page 13
Chapter 3, “Enabling Entitlements on a Driver,” on page 15
Chapter 4, “Creating Entitlements,” on page 17
Chapter 5, “Creating Policies to Support Entitlements,” on page 27
Appendix A, “Writing Entitlements in XML,” on page 35
Audience
This guide is intended for Identity Manager administrators, partners, and consultants.
novdocx (en) 13 May 2009
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to www.novell.com/documentation/feedback.html and enter your
comments there.
Documentation Updates
For the most recent version of the Entitlements Guide, visit the Identity Manager Documentation
Web site (http://www.novell.com/documentation/idm36/).
Additional Documentation
For additional Identity Manager 3.6 documentation, see the Identity Manager Documentation Web
site (http://www.novell.com/documentation/idm36/).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
Identity Manager 3.6.1 Entitlements Guide

1 Entitlements Overview
Novell® Identity Manager uses entitlements as a way for you to provide users with access to
resources in connected systems.
You can think of an entitlement as a permission slip. For example, if you want a new employee to be
given an Active Directory* account when he or she is added to your Human Resource system, the
user must have a permission slip, or entitlement, for the Active Directory account. If the user doesn’t
have the permission slip, he or she doesn’t receive the account.
The following sections explain how entitlements work and how they make administration of your
Identity Manager system more efficient.
Section 1.1, “How Entitlements Work,” on page 9
Section 1.2, “Why Use Entitlements?,” on page 10
Section 1.3, “Drivers with Preconfigured Entitlements,” on page 11
1.1 How Entitlements Work
The following diagram shows the basic entitlement process.
Figure 1-1 Overview of Entitlements
1. An entitlement agent grants an entitlement to a user. There are three ways that entitlements are
granted to a user:

Role-Based Entitlements: The Entitlements Service driver grants the entitlement based on criteria
that place the user in a particular role (or group). The criteria can be based on any event that
occurs in the Identity Vault. For example, adding a new employee in an HR system causes a User
object to be created in the Identity Vault. Creation of the new User object is the criterion that
causes the Entitlements Service driver to grant the Active Directory User Account entitlement to
the user.

User Application Roles Based Provisioning: The user receives a role assignment through the User
Application. The User Application’s Role Service driver grants the user any entitlements
associated with the new role. For example, a user is assigned an Accountant role that requires
access to the Accounting group in Active Directory. The Role Service driver grants the Active
Directory Group Membership entitlement to the user.

User Application Workflow-Based Provisioning: A provisioning workflow grants the entitlement to
the user. For example, a new employee is added to the HR system, which causes a User object to
be created in the Identity Vault. Creation of the new User object initiates a workflow that grants
the Active Directory User Account entitlement to the user.

2. When an entitlement is added to or removed from a user’s DirXML-EntitlementRef attribute,
any entitlement-enabled drivers begin to process the event. Only drivers that have the
DirXML-EntitlementRef attribute added to their Subscriber channel filter can monitor users for
entitlement changes.

3. The driver processes the entitlement event against the Subscriber channel policies. If the
entitlement event is for an entitlement that applies to the driver, the policies are processed.
Otherwise, no processing occurs. In the diagram above, the Grant User Account policy is
processed because 1) the Active Directory User Account entitlement was added to the user’s
DirXML-EntitlementRef attribute and 2) the User Account entitlement is defined on the Active
Directory driver. If the Active Directory User Account entitlement is later removed from the
user’s DirXML-EntitlementRef attribute, the Revoke User Account policy is processed.

4. The policies trigger the granting or revoking of access to the entitled resource. In the diagram
above, the Grant User Account policy triggers the creation of a user account in Active
Directory.
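The four-step flow above can be modelled in a few lines to make the two gating decisions concrete: a driver only sees an entitlement event if DirXML-EntitlementRef is in its Subscriber channel filter, and it only runs its grant or revoke policy if the entitlement is defined on that driver. The following Python is an added illustration, not code from Novell Identity Manager; the classes, the driver names, the plain string entitlement values and the policy names are constructed assumptions, and the real attribute value layout is not reproduced.

```python
"""Model of the entitlement event flow described in Section 1.1 (added example).

Constructed assumptions: drivers are plain objects, DirXML-EntitlementRef is
modelled as a set of entitlement names per user, and the policy that runs is
named "Grant <entitlement>" or "Revoke <entitlement>".
"""
from dataclasses import dataclass, field


@dataclass
class Driver:
    name: str
    entitlements: set                # entitlements defined on this driver
    subscriber_filter: set           # attributes in the Subscriber channel filter
    actions: list = field(default_factory=list)   # policy actions actually run

    def process_event(self, user, entitlement, change):
        """Steps 2 and 3: filter check, then match against defined entitlements."""
        if "DirXML-EntitlementRef" not in self.subscriber_filter:
            return None   # driver is not entitlement-enabled, so it never sees the event
        if entitlement not in self.entitlements:
            return None   # entitlement belongs to another driver: no processing
        # Step 4: the matching policy grants or revokes the resource
        policy = f"{'Grant' if change == 'add' else 'Revoke'} {entitlement}"
        self.actions.append((policy, user))
        return policy


class IdentityVault:
    """Holds each user's DirXML-EntitlementRef values and fans changes out to drivers."""

    def __init__(self, drivers):
        self.drivers = drivers
        self.entitlement_refs = {}   # user -> set of entitlement names

    def _dispatch(self, user, entitlement, change):
        return {d.name: d.process_event(user, entitlement, change) for d in self.drivers}

    def grant(self, user, entitlement):
        """Step 1: an entitlement agent adds a value to DirXML-EntitlementRef."""
        refs = self.entitlement_refs.setdefault(user, set())
        if entitlement in refs:
            return {}   # already present: no attribute change, so no event is raised
        refs.add(entitlement)
        return self._dispatch(user, entitlement, "add")

    def revoke(self, user, entitlement):
        """Step 1 in reverse: the agent removes the value from DirXML-EntitlementRef."""
        refs = self.entitlement_refs.get(user, set())
        if entitlement not in refs:
            return {}
        refs.discard(entitlement)
        return self._dispatch(user, entitlement, "remove")


def build_vault():
    # Constructed drivers: two are entitlement-enabled, the third lacks the
    # DirXML-EntitlementRef attribute in its Subscriber filter.
    ad = Driver("Active Directory",
                {"Active Directory User Account", "Active Directory Group Membership"},
                {"DirXML-EntitlementRef", "cn", "sn"})
    linux = Driver("Linux and UNIX", {"Linux User Account"}, {"DirXML-EntitlementRef"})
    legacy = Driver("Legacy HR", {"HR Record"}, {"cn", "sn"})
    return IdentityVault([ad, linux, legacy])


def run_scenario():
    """Returns the per-driver policy result of four entitlement changes for one user."""
    vault = build_vault()
    results = []
    results.append(vault.grant("jsmith", "Active Directory User Account"))
    results.append(vault.grant("jsmith", "Active Directory User Account"))   # duplicate grant
    results.append(vault.revoke("jsmith", "Active Directory User Account"))
    results.append(vault.grant("jsmith", "HR Record"))   # owning driver is not enabled
    return results


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Running it shows that only the Active Directory driver reacts to the AD User Account entitlement, that a repeated grant produces no event because the attribute does not change, and that an entitlement whose owning driver lacks the filter attribute is silently ignored by every driver, which is the failure mode Chapter 3 exists to prevent.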
1.2 Why Use Entitlements?
Both roles-based provisioning and workflow-based provisioning require the use of entitlements. If
you use either of these User Application provisioning methods, you must use entitlements.
If you are not using the User Application for roles-based or workflow-based provisioning, you might
still want to use Role-Based Entitlements (RBEs) through the Entitlements Service driver. Using
Role-Based Entitlements enables you to remove the business logic, or decision-making, from your
driver policies. In the example used in Section 1.1, “How Entitlements Work,” on page 9, the Active
Directory driver policies include only the information required to grant or revoke an Active
Directory user account. The decision about whether or not a user receives an Active Directory user
account is handled through the entitlement agent, not the driver policies. In this case, the entitlement
agent is the Entitlements Service driver.
Removing the business logic from drivers provides several benefits:

If you have multiple drivers that are the same (for example, multiple Active Directory drivers)
and your business logic changes, you don’t have to change the logic in each driver. The logic
only needs to change in the entitlement agent.

You can use any of the three entitlement agents to grant an entitlement to a user. You can even
use all three entitlement agents together. However, you should have only one entitlement agent
handle an entitlement for a given user. For example, you could have an Active Directory User
Account entitlement granted to a user by the Entitlement driver and a Linux User Account
entitlement granted to the same user through the User Application’s Role Service driver.
However, you should not have the same entitlement (for example, the Active Directory User
Account) managed by both the Entitlement driver and the User Application’s Role Service
driver. Doing so can cause unintended granting and revoking of the entitlement.
1.3 Drivers with Preconfigured Entitlements
The following drivers include configuration files that already contain entitlements and the policies
required to implement them. These entitlements support the most common scenarios, including
granting and revoking user accounts, groups, and e-mail distribution lists.

Active Directory: Grant and revoke accounts, group membership, Exchange Mailbox
GroupWise®: Grant and revoke accounts, grant and revoke members of distribution lists
LDAP: Grant and revoke user accounts and group memberships
Linux and UNIX: Grant and revoke accounts
Lotus* Notes*: Grant and revoke user accounts and group memberships
RACF*: Grant and revoke group accounts and group memberships

These are example entitlements and policies that you can use if they meet your needs. If not, you can
modify them to meet your needs, or you can use them as examples as you implement additional
entitlements.
2 Checklist for Implementing Entitlements
Use the following checklist to ensure that you complete all of the tasks required to implement
entitlements for an Identity Manager driver. The tasks are listed in the recommended order of
completion, but you can change the completion order if necessary.
Table 2-1 Entitlements Checklist

Task: Enable the driver to support entitlements
Details: The driver must be configured to listen for entitlement events. You enable
the driver by modifying the driver filter to add the DirXML-EntitlementRef
attribute to the User class.
The following drivers are already enabled for entitlements. You do not
need to complete this task for these drivers:
Active Directory
GroupWise®
LDAP
Linux and UNIX
Lotus Notes
RACF
For enablement instructions, see Chapter 3, “Enabling Entitlements on a
Driver,” on page 15.

Task: Create entitlements
Details: Entitlements represent resources in connected systems. When creating an
entitlement, you create it on the driver that is associated with the
connected system where the entitlement’s resource is located.
For instructions, see Chapter 4, “Creating Entitlements,” on page 17.

Task: Create policies to support the entitlements
Details: Entitlements are implemented by adding new driver policies or modifying
existing policies.
For instructions, see Chapter 5, “Creating Policies to Support
Entitlements,” on page 27.

Task: Set up an entitlement agent to manage the entitlements
Details: The entitlement agent is responsible for granting or revoking entitlements
for users. You can use any of the following entitlement agents:
Entitlements Service Driver: Manages entitlements based on
events that occur in the Identity Vault. For instructions, see the
Identity Manager 3.6 Driver for Role-Based Entitlements:
Implementation Guide (http://www.novell.com/documentation/
idm36drivers/entitlements/data/bktitle.html).
User Application Roles-Based Provisioning: Manages
entitlements based on roles that are assigned to users. For
instructions, see the Identity Manager Roles Based Provisioning