I am interested in defining values of an AD attribute to be entitlements, for the purpose of access certification campaigns. As the UI for the AD source does not allow for adding Entitlement types, I’m curious if there are other safe technical ways to achieve this.
My example scenario:
AD attribute extensionAttribtue1 can have predefined possible values of 10, 20, and 30.
I would like for 10, 20, and 30 to show as entitlements on the Entitlements list of the AD source.
I attempted to set extensionAttribute1 as an entitlement in the AD schema, but without an Entitlement Type to define with it, it doesn’t work. Even if all the 3 values are assigned to different AD accounts, only one value showed up in the entitlements.
Essentially you’ve answered your own question - You need to create an entitlement type for it. It’s not available in the UI, but should be able to be done via the API or VSCode extension.
I just did this with the iSeries direct connector, that is, converting an account attribute to an entitlement. It also doesn’t allow for entitlement type creation via the UI, so I created one in VSCode
I then set extensionAttribute1 as an entitlement in the AD schema, with entitlement type AdminAccess.
When the accounts and entitlements are aggregated, it is assigning the Entitlement definition value to the AD DN of the user who has that value. So we get an entitlement of ‘10’ with value DN=Bob,OU=…. and entitlement of ‘20’ with value DN=Jane,OU=….. in the entitlements list. Much like what you would see with the group DN as the value if it were AD groups.
Unfortunately I’m kind of guessing here how this is possible to achieve.
I don’t believe you’d do an entitlement aggregation for this new entitlement type.
If you create this new type and do an account aggregation, the resulting entitlements created should essentially be a unique list of values across all accounts depending on what they have in that field.
You might also try changing nativeObjectType to “group”. That’s what I did when I created a custom entitlement type