In Active Roles, entitlement profile specifiers let you store the definition of entitlement to a particular resource in a single object. Entitlement profile specifiers determine the contents of the entitlement profile.
When building the entitlement profile of a given user, Active Roles uses the entitlement profile specifiers to determine what resources the user is entitled to, and what information about each resource is to be shown in the entitlement profile.
Active Roles comes with a collection of pre-defined specifiers, and allows administrators to create additional specifiers or change existing specifiers. You can use the following instructions to create or change entitlement profile specifiers:
For a list of pre-defined specifiers, see Pre-defined specifiers.
Active Roles stores entitlement profile specifiers in the Entitlement Profile Specifiers container. You can access that container by expanding the Configuration/Server Configuration branch in the Active Roles console tree.
To create an entitlement profile specifier
For example, if you want to create a new specifier in the root container, right-click Entitlement Profile Specifiers.
The name and description are used to identify the specifier object in the Active Roles console.
In this step, you define the criteria that are used to determine whether a given user is entitled to the resource. The entitlement rules take the form of conditions that the entitlement target object must meet in order for the user to be regarded as entitled to the resource, and thus for information about the resource to appear in the entitlement profile of that user.
Active Roles evaluates the entitlement rules against the entitlement target object when building a user’s entitlement profile. Depending on the entitlement type, the entitlement target object is:
Once the entitlement target object matches a rule of a particular type, the rule types that stand lower in this list are not applied. This means that exclusion rules take precedence over inclusion rules and explicit selection of objects takes precedence over filter-based rules.
Initially, no entitlement rules are configured, which is treated as an inclusion-type condition that evaluates to TRUE for any object. As a result, entitlement to the resource is established regardless of the properties of the entitlement target object. You can add entitlement rules in order to categorize entitlements based on properties of entitlement target objects.
To add an entitlement rule, click Include or Exclude depending on the rule type you want, and then use the Configure Entitlement Rule dialog box to specify your search criteria. You can specify search criteria the same way you do when using the Find dialog box. Then, do one of the following:
The resource type icon, display name, and naming attribute are used to identify the resource in the entitlement profile. If the evaluation of the entitlement rules for a given user indicates that the user is entitled to the resource, then information about the resource appears as a separate section in the entitlement profile of that user. The heading of the section includes the resource type icon, the display name of the resource type, and the value of the naming attribute retrieved from the entitlement target object.
The attributes held in the list will be displayed in the entitlement profile, beneath the heading of the section that provides information about the resource. For each of the listed attributes, the section displays the name and the value of the attribute retrieved from the entitlement target object.
You can change an existing entitlement profile specifier by changing the specifier’s name and description, entitlement type and rules, resource display settings, and resource attributes list. The entitlement profile specifier objects are located under Configuration/Server Configuration/Entitlement Profile Specifiers in the Active Roles console.
The following table summarizes the changes you can make to an existing entitlement profile specifier object, assuming that you have found the object in the Active Roles console. You can also disable or delete a specifier using the Disable or Delete command on the Action menu. Active Roles disregards the disabled specifiers when building the entitlement profile. A disabled specifier can be re-enabled by using the Enable command that appears on the Action menu for disabled specifiers.
| To change | Do this | Commentary |
|---|---|---|
| Name | Right-click the object and click Rename. | The name is used to identify the object, and must be unique among the objects held in the same container. |
| Description | Right-click the object, click Properties and make the necessary changes on the General tab. | The description is intended to help Active Roles administrators identify the purpose and the function of the object. |
| Entitlement type | Right-click the object, click Properties, click the Type tab, and then select the appropriate option. | The entitlement type specifies how the user is entitled to the resource. You can choose whether the user is entitled to the resource by means of: |
| Entitlement rules | Right-click the object, click Properties, click the Rules tab, and then add, remove, or modify entitlement rules by using the buttons below the rules list. | The entitlement rules are used to determine whether a given user is entitled to the resource. The entitlement rules take the form of conditions that the entitlement target object must meet in order for the user to be regarded as entitled to the resource, and thus for information about the resource to appear in the entitlement profile of that user. To add or change an entitlement rule, click Include or Exclude depending on the rule type you want, or click View/Edit, and then use the Configure Entitlement Rule dialog box to specify rule conditions. You can do this the same way you use the Find dialog box to configure and run a search. Note that you can change only filter-based rules. If you select an explicit inclusion or exclusion rule the View/Edit button is unavailable. You can use the Remove button to remove a rule of any type. For more information, see Step 6 in Creating entitlement profile specifiers. |
| Resource display settings | Right-click the object, click Properties, click the Display tab, and then view or change the icon and display name of the resource type, and the resource naming attribute. | The resource type icon, display name, and naming attribute are used to identify the resource in the entitlement profile. If the evaluation of the entitlement rules for a given user indicates that the user is entitled to the resource, then information about the resource appears as a separate section in the entitlement profile of that user. The heading of the section includes the resource type icon, the display name of the resource type, and the value of the naming attribute retrieved from the entitlement target object. |
| Resource attributes list | Right-click the object, click Properties, click the Attributes tab, and then add, remove, or change the order of attributes by using the buttons below the attributes list. | The tab lists the attributes of the entitlement target object that will be displayed in the entitlement profile, beneath the heading of the section that provides information about the resource. For each of the listed attributes, the section displays the name and the value of the attribute retrieved from the entitlement target object. |
Active Roles comes with a collection of pre-defined specifiers that determine the default resource profile configuration. The pre-defined specifiers are located in the Configuration/Server Configuration/Entitlement Profile Specifiers/Builtin container, and can be administered using the Active Roles console. You can make changes to a pre-defined specifier (see Changing entitlement profile specifiers), or you can apply the Disable command so that the specifier has no effect. Note that pre-defined specifiers cannot be deleted.
The pre-defined specifiers have a lower priority than customer-created specifiers. This means the entitlement rules of customer-created specifiers are evaluated first, so that if a given entitlement target object matches the entitlement rules of both a pre-defined specifier and a customer-created specifier, the latter specifier is applied. The priority of specifiers is governed by the edsaPriority attribute setting (see About entitlement profile build process).
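The precedence described above (rule types within one specifier, then customer-created specifiers ahead of pre-defined ones) is modelled below as an added Python example; it is not Active Roles code. The `Specifier` class, the rule-type order, the no-match behaviour, and the sample objects are assumptions constructed for illustration, and entitlement types are not modelled.

```python
from dataclasses import dataclass, field

# Assumed evaluation order: explicit before filter-based, exclusion before inclusion.
ORDER = ("explicit_exclude", "explicit_include", "filter_exclude", "filter_include")

@dataclass
class Specifier:                       # hypothetical model, not an Active Roles API
    name: str
    builtin: bool = False              # pre-defined specifiers are evaluated last
    disabled: bool = False             # disabled specifiers are disregarded
    explicit_exclude: set = field(default_factory=set)    # DNs picked by hand
    explicit_include: set = field(default_factory=set)
    filter_exclude: list = field(default_factory=list)    # predicates over attributes
    filter_include: list = field(default_factory=list)

    def matches(self, target: dict) -> bool:
        if not any(getattr(self, kind) for kind in ORDER):
            return True                # no rules: inclusion that is TRUE for any object
        for kind in ORDER:
            rules = getattr(self, kind)
            if kind.startswith("explicit"):
                hit = target["dn"] in rules
            else:
                hit = any(pred(target) for pred in rules)
            if hit:                    # first matching rule type decides; lower ones are skipped
                return kind.endswith("include")
        return False                   # assumption: rules exist but none matched

def select_specifier(specifiers, target):
    """Name of the specifier applied to target, or None if no enabled specifier matches."""
    enabled = [s for s in specifiers if not s.disabled]
    for spec in sorted(enabled, key=lambda s: s.builtin):   # customer-created first
        if spec.matches(target):
            return spec.name
    return None

# Constructed sample data (example.test names are placeholders).
LEGACY = "CN=Fin-Legacy,OU=Groups,DC=example,DC=test"
CUSTOM = Specifier("Finance groups (custom)",
                   explicit_exclude={LEGACY},
                   filter_include=[lambda o: o.get("department") == "Finance"])
CATCH_ALL = Specifier("Catch-all (pre-defined)", builtin=True)
SPECIFIERS = [CATCH_ALL, CUSTOM]

if __name__ == "__main__":
    for dn, dept in [("CN=Fin-Payroll,OU=Groups,DC=example,DC=test", "Finance"),
                     (LEGACY, "Finance"),
                     ("CN=HR-All,OU=Groups,DC=example,DC=test", "HR")]:
        print(dn, "->", select_specifier(SPECIFIERS, {"dn": dn, "department": dept}))
```

The explicitly excluded group falls through to the rule-less pre-defined specifier, which is the case to check when reviewing why a resource still appears in a user's entitlement profile.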
The following table provides information about the pre-defined specifiers. For each specifier, the table lists the specifier’s name, description, entitlement type and rules, and resource display settings.
| Name and Description | Type and Rules | Resource Display Settings |
|---|---|---|
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the shared resource entitlement type are evaluated prior to the rules of this specifier. | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: | Resource type name: Resource naming attribute: Other resource-related attributes: |
| Name: Description: | Type: Rules: This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the managed resource entitlement type are evaluated prior to the rules of this specifier. | Resource type name: Resource naming attribute: Other resource-related attributes: |