DirXML Entitlements [1]#
Conceptually, a DirXML Entitlement is a named flag that causes a DirXML driver configuration to perform some arbitrary action, usually related to granting access to some resource in a connected system. Entitlements (as embodied in Role-based Entitlements) have thus far been used for three basic actions:
- Creating and deleting or enabling and disabling a connected-system account
- Adding/removing connected-system account group memberships
- Adding/setting attribute values on connected-system accounts
DirXML-Entitlement ObjectClass#
An entitlement is embodied in an eDirectory DirXML-Entitlement ObjectClass, which is contained by a DirXML-Driver object. The containment of the DirXML-Entitlement ObjectClass establishes the correspondence between the entitlement and the implementing DirXML driver configuration. The DirXML-Entitlement object's name is the name of the entitlement.

The XmlData attribute of the DirXML-Entitlement ObjectClass contains an XML document whose root element is <entitlement>. We have some more detailed information on how the XML structure is defined.
Granting and Revoking Entitlement (DirXML-EntitlementRef)#
An entitlement is granted to and revoked from an eDirectory entry via the addition of a value for the DirXML-EntitlementRef attribute, which is associated with the auxiliary class DirXML-EntitlementRecipient on an eDirectory entry.

The DirXML-EntitlementRef attribute is of SYN_PATH syntax and is write-managed.
Volume Element#
The "volume" (or DN) portion of the path syntax value refers to the DirXML-Entitlement object. Because the attribute is write-managed, the agent setting the DirXML-EntitlementRef attribute value on an eDirectory object must have write access to the DirXML-EntitlementRef attribute on the object that is being written to and must also have write access to the ACL attribute on the DirXML-Entitlement object that is referred to by the DN portion of the DirXML-EntitlementRef value.
Path Element#
The "path" (or string) portion of the DirXML-EntitlementRef attribute contains an XML document whose root element is <ref>.
namespace Element#
The "namespace" (or integer) portion of the DirXML-EntitlementRef attribute is used as a bitmask to hold a set of flags. Bit 0 of the 32-bit integer is used for this flag value and is known as the state bit where:
- 0 means revoked
- 1 means granted
Bit 1 is used to flag a granted entitlement that is the result of the upgrade process and is known as the upgrade bit where:
- 1 means that the entitlement was previously granted in the legacy format and is therefore not a change in the entitlement state.
Bits 2-31 are reserved for future use.
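The following Python decodes a DirXML-EntitlementRef value into the volume, namespace and path parts described above and reports values that do not fit the documented bit layout or root element. It is an added example, not code from the original page or from Novell. It assumes the value is rendered as the string volume#namespace#path, and the sample DNs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

STATE_BIT = 0x1             # bit 0: 0 = revoked, 1 = granted
UPGRADE_BIT = 0x2           # bit 1: grant carried over from the legacy format
RESERVED_MASK = 0xFFFFFFFC  # bits 2-31: reserved for future use


@dataclass
class EntitlementRef:
    entitlement_dn: str     # "volume" part: DN of the DirXML-Entitlement object
    granted: bool
    from_upgrade: bool
    findings: list          # deviations from the layout the page describes


def parse_entitlement_ref(value: str) -> EntitlementRef:
    # Assumption (not from the page): the value is rendered as
    # volume#namespace#path and the DN holds no unescaped '#'.
    dn, ns_text, path = value.split("#", 2)  # ValueError if a part is missing
    flags = int(ns_text) & 0xFFFFFFFF        # unsigned 32-bit bitmask
    findings = []
    if flags & RESERVED_MASK:
        findings.append("reserved bits set: 0x%08x" % (flags & RESERVED_MASK))
    if flags & UPGRADE_BIT and not flags & STATE_BIT:
        findings.append("upgrade bit set on a revoked entitlement")
    if "<!DOCTYPE" in path:  # keep DTD/entity declarations away from the parser
        findings.append("path contains a DOCTYPE; not parsed")
    else:
        try:
            if ET.fromstring(path).tag != "ref":
                findings.append("path root element is not <ref>")
        except ET.ParseError:
            findings.append("path is not well-formed XML")
    return EntitlementRef(dn, bool(flags & STATE_BIT),
                          bool(flags & UPGRADE_BIT), findings)


# Constructed sample values; the DNs are placeholders, not from the page.
SAMPLES = [
    "cn=Account,cn=ExampleDriver,cn=DriverSet,o=example#1#<ref/>",
    "cn=Account,cn=ExampleDriver,cn=DriverSet,o=example#3#<ref/>",
    "cn=Group,cn=ExampleDriver,cn=DriverSet,o=example#0#<ref/>",
    "cn=Group,cn=ExampleDriver,cn=DriverSet,o=example#6#<result/>",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(parse_entitlement_ref(raw))
```
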
DirXML-EntitlementResult attribute#
After the entitlement action (grant or revocation) has been completed (successfully or not) by the DirXML driver configuration, a result is written to the eDirectory object using the DirXML-EntitlementResult attribute. DirXML-EntitlementResult is a multi-valued SYN_OCTET_STRING containing an XML document whose root element is <result>.
Implementing Novell Entitlements in a Driver#
Some information on Implementing Novell Entitlements in a Driver
Removing Novell Granted Entitlements#
We did some work where it was desired to "revoke" all "granted" entitlements when various events took place on a user.
Entitlements and romResources#
DirXML Entitlements are often encapsulated within a romResource for convenience.
More Information#
There might be more information for this subject on one of the following:
- Description of Attribute Usage For 2.16.840.1.113719.1.14.4.1.2088
- Description-2.16.840.1.113719.1.14.6.1.2024
- DirXML
- DirXML Entitlements
- DirXML-Entitlement
- DirXML-EntitlementRef
- Entitlement Granting Agent Types
- Implementing Novell Entitlements in a Driver
- Provisioning Request Definitions
- Removing Novell Granted Entitlements
- RomResource
[#1] http://developer.novell.com/documentation/dirxml/dirxmlbk/ref/dirxmlentitlements/index.html
