Understanding Entitlements

Tim Cortesi edited this page Oct 21, 2021 · 1 revision

Calculating and Applying Entitlements

All entitlements are cumulative, so a user may simultaneously hold two entitlements of the same type (example: employee wifi and student wifi). In such a case, the provisioning system should enforce the higher of the two entitlements (example: employee wifi), though this enforcement lies outside the scope of the IAMBing system.

Manually Provisioning Entitlements within IAM

Via IAMBing, there are two mechanisms for manually adding and removing entitlements:

Directly and Manually overriding a user's calculated entitlements

In this situation, an existing auto-calculated entitlement may be manually removed from a particular user OR an entirely new entitlement may be manually added to a particular user. Note: It is recommended that this functionality be used sparingly, and only for uncommon one-off situations where it may not make sense to use the second mechanism described below.

Manually adding a user to a group which is affiliated with a particular entitlement

In common situations where it is expected and anticipated that users will request to be granted additional entitlements (above and beyond their auto-provisioned entitlements), a "Group" should be created specifically for this particular population of users. For example, it would be appropriate to create a group called "Students with Employee VPN", which will have extra Employee VPN Permissions, and be populated exclusively with students who have been approved to gain access to the Employee VPN network.

In both situations, the overridden entitlement will continue to be enforced indefinitely, until the override is removed and/or the user is manually removed from the additional group. Consequently, it is highly encouraged that a process be established for regular and ongoing reviews of manually provisioned entitlements.
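
The following sketch is an added example, not IAMBing code: it models the rules above (cumulative entitlements, highest level enforced per type, manual overrides and group grants that persist until removed) and lists the manual grants that are due for review. The Grant record, the source labels, the RANK ordering, the 180-day review interval and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed ordering within one entitlement type; the higher rank is enforced.
RANK = {"student": 1, "employee": 2}

@dataclass(frozen=True)
class Grant:
    user: str
    etype: str    # entitlement type, e.g. "wifi" or "vpn"
    level: str    # key into RANK
    source: str   # "auto", "override-add", "override-remove" or "group:<name>"
    since: date

# Constructed sample data (hypothetical users and dates).
GRANTS = [
    Grant("alice", "wifi", "student", "auto", date(2021, 1, 10)),
    Grant("alice", "wifi", "employee", "auto", date(2021, 1, 10)),
    Grant("bob", "wifi", "student", "auto", date(2021, 1, 10)),
    Grant("bob", "vpn", "employee", "group:Students with Employee VPN", date(2021, 2, 1)),
    Grant("carol", "wifi", "student", "auto", date(2021, 1, 10)),
    Grant("carol", "wifi", "student", "override-remove", date(2021, 9, 30)),
    Grant("carol", "vpn", "employee", "override-add", date(2021, 3, 15)),
]

def effective(grants, user):
    """Cumulative set: auto + manual adds + group grants, minus manually removed auto grants."""
    mine = [g for g in grants if g.user == user]
    removed = {(g.etype, g.level) for g in mine if g.source == "override-remove"}
    return [g for g in mine if g.source != "override-remove"
            and not (g.source == "auto" and (g.etype, g.level) in removed)]

def enforced(grants, user):
    """Highest level per entitlement type, as a provisioning system would apply it."""
    best = {}
    for g in effective(grants, user):
        if g.etype not in best or RANK[g.level] > RANK[best[g.etype]]:
            best[g.etype] = g.level
    return best

def review_queue(grants, today, max_age_days=180):
    """Overrides and group grants older than the (assumed) review interval, oldest first."""
    stale = [g for g in grants
             if g.source != "auto" and (today - g.since).days > max_age_days]
    return sorted(stale, key=lambda g: g.since)

if __name__ == "__main__":
    for g in review_queue(GRANTS, date(2021, 10, 21)):
        print(g.user, g.etype, g.level, g.source, g.since)
```

Because manual removals persist indefinitely as well, the review queue includes "override-remove" records once they pass the interval, not only added access.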