Creating Entitlement Policies
novdocx (en) 17 September 2009
By default, the criteria include all User class objects (and objects of classes derived from the
User class) within the search scope.
If you create a new object class derived from User, an existing entitlement policy does not
recognize that class until you make a modification to the entitlement policy. This prevents users
of a new class from being granted entitlements unintentionally. When any modification is made
to the entitlement policy, the list of user-derived classes for that policy is updated.
7 After you have added the criteria you want, click Test Filter to view the list of users who meet the criteria.
8 On the Step 3 of 6: Define Static Members page, fill in the fields:
Static membership lets you include users who don’t meet the dynamic membership criteria or exclude users who meet the criteria but should not be members of the policy.
Include Members: Type the DN of a user you want to include, or click to browse for and select the user, then press Enter to add the user to the inclusion list. To remove a user from the inclusion list, select the user and press Delete. To edit a user name, double-click the user.
Exclude Members: Type the DN of a user you want to exclude, or click to browse for and select the user, then press Enter to add the user to the exclusion list. To remove a user from the exclusion list, select the user and press Delete. To edit a user name, double-click the user.
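The membership rules in the steps above (dynamic criteria over User-derived classes within the search scope, plus static includes, minus static excludes, with the User-derived class list refreshed only when the policy is modified) can be modelled to see how they interact. The following is an added example written for this page, not Identity Manager code: the schema, the DNs, the predicate used as the filter, and the assumption that an explicit exclusion wins over both the filter and the include list are all constructed for illustration.

```python
"""Model of entitlement policy membership resolution (added illustration).

Not Identity Manager code. Schema, DNs and the rule "exclude beats include"
are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed schema: class name -> superclass (None for the root).
SCHEMA: Dict[str, str] = {"Top": None, "User": "Top", "Organization": "Top"}


def derived_from(schema: Dict[str, str], cls: str, base: str) -> bool:
    """True if cls is base or inherits from base (walks the superclass chain)."""
    while cls is not None:
        if cls == base:
            return True
        cls = schema.get(cls)
    return False


def user_derived_classes(schema: Dict[str, str]) -> Set[str]:
    """All classes the criteria treat as users: User and everything derived from it."""
    return {c for c in schema if derived_from(schema, c, "User")}


@dataclass
class DirObject:
    dn: str
    object_class: str
    attrs: Dict[str, str]


@dataclass
class EntitlementPolicy:
    search_base: str
    criteria: Callable[[Dict[str, str]], bool]   # stands in for the filter built in Step 2
    include: List[str] = field(default_factory=list)   # static inclusion list (DNs)
    exclude: List[str] = field(default_factory=list)   # static exclusion list (DNs)
    recognized_classes: Set[str] = field(default_factory=set)  # snapshot, see modify()

    def modify(self, schema: Dict[str, str]) -> None:
        """Any modification of the policy refreshes its list of User-derived classes."""
        self.recognized_classes = user_derived_classes(schema)

    def in_scope(self, obj: DirObject) -> bool:
        return obj.dn == self.search_base or obj.dn.endswith("," + self.search_base)

    def dynamic_members(self, directory: List[DirObject]) -> Set[str]:
        return {o.dn for o in directory
                if self.in_scope(o)
                and o.object_class in self.recognized_classes
                and self.criteria(o.attrs)}

    def members(self, directory: List[DirObject]) -> Set[str]:
        # Assumption: exclusions are applied last, so they beat both filter and includes.
        return (self.dynamic_members(directory) | set(self.include)) - set(self.exclude)


def build_directory() -> List[DirObject]:
    """Constructed sample objects; the container is in scope but is not a User."""
    return [
        DirObject("cn=alice,ou=eng,o=acme", "User", {"department": "Engineering"}),
        DirObject("cn=bob,ou=eng,o=acme", "User", {"department": "Marketing"}),
        DirObject("cn=carol,ou=sales,o=acme", "User", {"department": "Engineering"}),
        DirObject("cn=erin,ou=eng,o=acme", "User", {"department": "Engineering"}),
        DirObject("ou=eng,o=acme", "Organization", {"department": "Engineering"}),
    ]


def walkthrough():
    """Returns membership (before, after a new User-derived class, after re-saving)."""
    schema = dict(SCHEMA)
    policy = EntitlementPolicy(
        search_base="ou=eng,o=acme",
        criteria=lambda a: a.get("department") == "Engineering",
        include=["cn=carol,ou=sales,o=acme"],   # outside the scope, added statically
        exclude=["cn=erin,ou=eng,o=acme"],      # matches the filter, removed statically
    )
    policy.modify(schema)                        # policy saved: class list snapshotted
    directory = build_directory()
    before = policy.members(directory)

    # A new class derived from User appears, and an object of that class is created.
    schema["ContractorUser"] = "User"
    directory.append(DirObject("cn=dave,ou=eng,o=acme", "ContractorUser",
                               {"department": "Engineering"}))
    unrecognized = policy.members(directory)     # dave is not picked up yet
    policy.modify(schema)                        # any edit refreshes the class list
    after = policy.members(directory)            # now dave is a member
    return before, unrecognized, after


if __name__ == "__main__":
    for label, m in zip(("before", "new class, policy untouched", "after modify"), walkthrough()):
        print(f"{label}: {sorted(m)}")
```

Running it shows alice and carol as members from the start (erin is filtered out by the exclusion list, bob by the criteria, the container by its class), dave absent until the policy is modified, and dave present afterwards.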
9 On the Step 4 of 6: Select Entitlements on the Connected Systems to Grant to Users page, add the entitlements you want associated with the policy. To do so:
9a Click Add Driver to display a list of drivers with entitlements.
9b Select the driver with the entitlement you want to add, then click Add to display a list of the driver’s entitlements.
9c Select the entitlement you want to add, then click Add.
9d If the entitlement requires you to set a value, click to add the value.
or
If the entitlement requires a query to display the appropriate values (for example, a query for the groups in the connected system), run the query and select the appropriate value. You can choose an external query, which runs a new query of the connected system, or you can choose a cached query, which simply displays the results of the last query that ran.
9e To add another entitlement from the same driver, click the icon located on the same line as the driver name.
9f To add an entitlement from another driver, repeat Step 9a through Step 9d.
10 On the Step 5 of 6: Assign Rights to Objects page, add the Identity Vault objects for which you want the entitlement policy to be a trustee.
Each member of the policy becomes a trustee of the objects you add. There are several reasons why you might want to make the policy a trustee of an object:
- One of the policy’s entitlements requires the policy’s members to have rights to an object.
- You want to use the policy to assign users as trustees of an object even though rights to the object are not required for an entitlement. In this case, you are using the entitlement policy to grant and revoke trustee rights for members of the policy.
Trustee rights are assigned to the policy’s members as soon as you click Next to leave this page.
Use the following options to manage the trustee assignments: