How To Create Custom Entitlements For Micro Focus/NetIQ Identity Manager

Microfocus/NetIQ IDM entitlements implementation has evolved over the years. In this article I would like to describe a process of creating custom entitlements for IDM drivers.

Driver entitlement represents a permission in an application (Active directory, Office 365, LDAP, etc) such as an account, group membership, role or any other type of entitlement or permission that an application is using. When a user is granted an entitlement in IDM, a user attribute DirXML-EntitlementRef is populated with a reference to the IDM driver entitlement and an entitlement value, if available. A driver that owns this entitlement will perform provisioning based on the type of the entitlement – account, group, role, etc.

In the Microfocus/NetIQ role and resource model, the entitlement grant is done through a resource assignment. Microfocus/NetIQ resources contain an entitlement value with a reference to IDM driver that will provision it. 

In addition to default entitlement types such as account, group, role, etc, a new custom entitlement can be created and used to provision a permission in an application. This can be done during the driver creation in the following prompt: 

custom-entitlement-prompt-2

Following values need to be provided to create a custom entitlement:

  • Entitlement name – a name for a custom entitlement
  • Entitlement Assignment attribute – a user attribute that will be populated with the custom entitlement value in the application (optional)
  • CSV File – file that contains entitlement values for the custom entitlements (optional)
  • Mutli-valued? – is the attribute multivalued or not

 

Format of the CSV file with entitlement values should look like this:

Entitlement value, Display Name, Description of the entitlement value

For example:

Entitlement 1, Network permission, Permission for network engineers
Entitlement 2, Accounting permission, Permission for accountants

The above information is stored in a mapping table called  PermissionNameToFile  stored in the driver. This mapping table can be modified with additional custom entitlements if needed. The driver has to be restarted to make the custom entitlements active.

When the driver creation is completed and all the custom entitlements are entered, the driver needs to be deployed and started.

During the startup the driver will examine all the configured entitlements – default or custom – and do the following:

  • Create or update Entitlement object – represents each entitlement configuration – default or custom
  • Create or update PermissionEntMapping mapping table – this mapping table contains the following information about all the default and custom entitlements:
  • Entitlement name
  • Entitlement DN
  • Resource DN – DN of the created resource for the entitlement if Permissions collection and reconciliation is enabled
  • csv file
  • Entitlement assignment attribute
  • Create or update Entitlement_Values object – contains all the entitlement values from the CSV file
  • Create or update EntitlementConfiguration object
  • Schedule PermissionOnboarding job to run – the purpose of this job is:
    • Populate entitlement catalog in User application – code map – with entitlement values from custom entitlements from CSV files
    • Create new resource object in User application for each custom entitlement if Permissions collection and reconciliation is enabled

 

Once the driver entitlement configuration is fully initialized, it is used to query and populate entitlement values in User application so they could be available during the IDM resource creation. User application will use the entitlement object to query for entitlement values from application/connected system. Entitlement object can be further modified in designer to customize the entitlement query. For example, Group entitlement object in Active directory can be customized to query specific subcontainer and search string to search for specific group names: 

<query class-name=”Group” dest-dn=”OU=Groups,DC=Organization,DC=org” scope=”one”>
<search-class class-name=”Group”/>
<search-attr attr-name=”cn”>
<value>Name*</value>
</search-attr>
<read-attr attr-name=”Description”/>
<read-attr attr-name=”CN”/>
</query>

In order to directly modify xml for the entitlement object, use XML Source tab on the entitlement editor.

Once the custom entitlement values are imported into User application entitlement catalog, they can be used to create IDM resources.