Identity Manager 3.6.1 Driver for Role-Based Entitlements: Implementation Guide
novdocx (en) 17 September 2009
8.2.1 Conflict Overview
The following list describes how conflicts between entitlement policies are resolved. For some entitlements, you can change the conflict resolution; for others, it is fixed.
Entitlements that don’t have values are additive. In most cases an account entitlement doesn’t have values. If a user is granted an account on a connected system by any entitlement policy, the user receives an account on that system. It does not matter whether another entitlement policy conflicts; the result is additive. This method of conflict resolution for granting accounts cannot be changed.
For example, if the Manager entitlement policy grants Jean Chandler an Exchange account, but Jean Chandler is excluded from the Mail Room Employees entitlement policy that also grants Exchange accounts, Jean still gets an Exchange account. An exclusion from one policy does not revoke an account granted by another policy.
Entitlements that have values are additive by default, but you can choose to resolve by priority. Entitlements such as group membership have a list of group names for the values, or an attribute with a value. By default, these kinds of entitlements are also additive. You can change the conflict resolution for these kinds of entitlements, if desired.
conflict-resolution=“union”: A value of “union” means that the entitlements are additive. A user is granted all the entitlements that he or she is assigned by membership in any policy. The differing entitlement values are simply added together and the user gets them all. An exclusion from one policy does not act as a deny: it only prevents that policy from granting the value, and any other policy that grants the same value still does.
For example, if Jameel is a member of the Trade Show Contractors Policy that grants membership in a GroupWise® e-mail distribution list named Trade Show Mailing List, and he is excluded from membership in the Trade Show Managers Policy that also assigns the e-mail distribution list named Trade Show Mailing List, he still receives membership in the e-mail distribution list.
As another example, if Consuela is granted membership in the Active Directory group named Mailroom Staff by the Mailroom policy, and also granted membership in the Active Directory group named Emergency Response by the Emergency Volunteers policy, she is granted membership in both groups in Active Directory.
With this setting, the order of an entitlement policy in the list of policies is not important for the entitlement.
conflict-resolution=“priority”: A value of “priority” means that if the values in two different policies conflict, or if one policy includes the user and another excludes the user, the entitlements granted to the user are only those in the entitlement policy that is listed higher in the list of Entitlement policies. With this setting, the order of the policies in the list determines the result, so reordering the list changes what users are granted.
The previous examples would have a different result with this setting.
In the example above for Jameel, if the GroupWise e-mail distribution list entitlement had a value of “priority,” and the Trade Show Managers Policy was higher in the list than the Trade Show Contractors Policy, Jameel would not be granted membership in the Trade Show Mailing List, because the higher policy excludes him.
In the example above for Consuela, if the Active Directory NOS group membership entitlement had a value of “priority,” and the Mailroom Policy was higher in the list than the Emergency Volunteers Policy, Consuela would be granted membership only in the Mailroom Staff group. She would not be granted membership in the Emergency Response group because the conflict resolution is by priority, not additive.
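The following script is an added illustration of the conflict-resolution rules described in this section (valueless account entitlements always additive; valued entitlements resolved by “union” or by “priority”). It is not Novell code and does not use any Identity Manager API; the Policy class, the resolve function, the user and policy names, and the interpretation that under “priority” the highest-listed policy that either includes or excludes the user decides the whole result are assumptions made for this example, with sample policies constructed to match the Jean, Jameel and Consuela examples above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed toy model of entitlement policy conflict resolution.
# Not Novell's code; class, field and function names are assumptions.
# Policies are listed highest-priority first, matching the order of the
# Entitlement policy list in the guide.


@dataclass(frozen=True)
class Policy:
    name: str
    members: FrozenSet[str]    # users selected by the policy's membership rule
    excluded: FrozenSet[str]   # users explicitly excluded from the policy
    # entitlement name -> values; None marks a valueless (account) entitlement
    grants: Dict[str, Optional[FrozenSet[str]]]


def status(policy: Policy, user: str) -> Optional[str]:
    """'excluded' beats 'member'; None when the policy does not mention the user."""
    if user in policy.excluded:
        return "excluded"
    if user in policy.members:
        return "member"
    return None


def resolve(user: str, policies: List[Policy],
            conflict_resolution: Dict[str, str]) -> Dict[str, FrozenSet[str]]:
    """Return the entitlements granted to `user`.

    Result maps entitlement name -> frozenset of values. A valueless account
    entitlement appears with an empty frozenset when granted and is absent
    when not granted. conflict_resolution maps entitlement name ->
    "union" | "priority"; entitlements not listed default to "union".
    """
    result: Dict[str, FrozenSet[str]] = {}
    names = {ent for p in policies for ent in p.grants}
    for ent in sorted(names):
        relevant = [(p, status(p, user)) for p in policies if ent in p.grants]
        relevant = [(p, s) for p, s in relevant if s is not None]
        if not relevant:
            continue
        if all(p.grants[ent] is None for p, _ in relevant):
            # Account entitlements are always additive: one granting policy is
            # enough, and an exclusion elsewhere does not revoke the account.
            if any(s == "member" for _, s in relevant):
                result[ent] = frozenset()
            continue
        mode = conflict_resolution.get(ent, "union")
        if mode == "union":
            # Additive: values from every policy the user is a member of.
            values = frozenset().union(
                *(p.grants[ent] for p, s in relevant if s == "member"))
            if values:
                result[ent] = values
        elif mode == "priority":
            # Assumed reading of the guide: the highest-listed policy that
            # includes or excludes the user decides; an exclusion there grants nothing.
            top, top_status = relevant[0]
            if top_status == "member":
                result[ent] = frozenset(top.grants[ent])
        else:
            raise ValueError(f"unknown conflict-resolution {mode!r} for {ent}")
    return result


# Constructed sample policies reproducing the guide's three examples,
# highest in the list first. Jean matches the Mail Room rule but is excluded.
POLICIES = [
    Policy("Manager", frozenset({"jean"}), frozenset(),
           {"exchange-account": None}),
    Policy("Mail Room Employees", frozenset({"jean"}), frozenset({"jean"}),
           {"exchange-account": None}),
    Policy("Trade Show Managers", frozenset(), frozenset({"jameel"}),
           {"groupwise-dl": frozenset({"Trade Show Mailing List"})}),
    Policy("Trade Show Contractors", frozenset({"jameel"}), frozenset(),
           {"groupwise-dl": frozenset({"Trade Show Mailing List"})}),
    Policy("Mailroom", frozenset({"consuela"}), frozenset(),
           {"ad-group": frozenset({"Mailroom Staff"})}),
    Policy("Emergency Volunteers", frozenset({"consuela"}), frozenset(),
           {"ad-group": frozenset({"Emergency Response"})}),
]

UNION_SETTINGS: Dict[str, str] = {}   # every valued entitlement at the default "union"
PRIORITY_SETTINGS = {"groupwise-dl": "priority", "ad-group": "priority"}


def compare(user: str) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Resolve one user under both settings so the difference is visible side by side."""
    return {"union": resolve(user, POLICIES, UNION_SETTINGS),
            "priority": resolve(user, POLICIES, PRIORITY_SETTINGS)}


if __name__ == "__main__":
    for who in ("jean", "jameel", "consuela"):
        print(who, compare(who))
```

Running it shows the three cases from the text: Jean keeps her Exchange account under both settings, Jameel loses the mailing list only under “priority”, and Consuela keeps both groups under “union” but only Mailroom Staff under “priority”. Reversing the order of POLICIES flips Jameel's “priority” result, which is the practical point: with “priority” the position of a policy in the list is itself an access-control decision and should be reviewed whenever policies are reordered.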