Shaping the Entitlement Profile - A Reporting and Auditing Active Roles Best Practice (4379324)

A common concern in Active Directory environments is reporting on who has access to what resource, and how that access is granted.

The Entitlement Profile feature within Active Roles is an excellent tool to meet that need.

Properly leveraging the Entitlement Profile can assist with organization, reporting, audits, and can help catch outliers or incorrect entitlements.

An Entitlement Profile is a list of the resources granted to or assigned to an Active Directory account.

In the Active Roles Console and the Active Roles Web Interface, the Entitlement Profile can be found on the Managed Resources tab of an object.

In the Active Roles Web Interface, the Entitlement Profile can be found under the Entitlement Profile command on an object.

The entitlement profile is stored in the edsvaOneViewReportXML (Entitlement Profile Report XML) attribute

Access to the Entitlement Profile can be delegated using the following Access Template:

Configuration/Access Templates/Active Directory/Advanced/Users - View Entitlement Profile (Extended Right)

Active Roles includes a number of Entitlement Profile Specifiers out-of-the-box. These are located here:

Configuration/Server Configuration/Entitlement Profile Specifiers/Builtin

The Built-in entitlement profile specifiers can be copied or new specifiers can be created if desired.

A custom Entitlement Profile Specifier can be used to highlight an important Active Directory Role Group or the Active Roles Admin Role Group, or to document entitlements that are not based on membership in an Active Directory Security Group.

For example: Assuming that the Active Roles Admin Role Group is a security group, it will show in the Entitlement Profile of any account that is a member of the group. However, it will just be one group among many, and may not be easy to find:

Creating a custom Entitlement Profile Specifier with a higher priority will highlight this entitlement with the appropriate importance.

1. In the Active Roles Console, as an Active Roles Admin, navigate to Configuration/Server Configuration/Entitlement Profile Specifiers
2. Choose New | Entitlement Profile Specifier
3. Name the specifier then click Next
4. Select Group Membership | Next | Include
5. Find and select the Active Roles Admin Role Group then click Next
6. Set a custom icon if desired. Set the desired display name, such as "Active Roles Admin Role Group", the attribute containing the name of the resource, and the priority of the specifier (the default priority is 999999, lower priority wins), then click Next
7. Optionally, add additional attributes that will be displayed in the Entitlement Profile, such as the Manager or Description of the group, then click Next | Finish

Since entitlements are generated when requested, there is no need to restart the Active Roles Administration Service or log out of the Active Roles Web Interface.

The Entitlement Profile for the same user now appropriately highlights this priority entitlement: