I added a new CONNECTOR_SCHEMA named AdminAccess to get a 4th entitlement type created on the AD source, with minimal config:
{
  "nativeObjectType": "AdminAccess",
  "identityAttribute": "extensionAttribute1",
  "displayAttribute": "extensionAttribute1",
  "hierarchyAttribute": null,
  "includePermissions": false,
  "features": [],
  "configuration": {},
  "attributes": [
    {
      "name": "extensionAttribute1",
      "type": "STRING",
      "schema": null,
      "description": "extensionAttribute1",
      "isMulti": false,
      "isEntitlement": true,
      "isGroup": false
    }
  ],
  "name": "AdminAccess"
}
I then set extensionAttribute1 as an entitlement in the AD schema, with entitlement type AdminAccess.
When the accounts and entitlements are aggregated, it is assigning the Entitlement definition value to the AD DN of the user who has that value. So we get an entitlement of ‘10’ with value DN=Bob,OU=…. and an entitlement of ‘20’ with value DN=Jane,OU=….. in the entitlements list. Much like what you would see with the group DN as the value if it were AD groups.
Unfortunately I’m kind of guessing here how this is possible to achieve.