Entitlement Catalog
Note: The terms "account group" and "application object" are use interchangeably in this document but have the same meaning. Some applications can have multiple application objects. An account group can be the name of one of those objects.
Use the Entitlement Catalog page to view and manage all of your managed attributes including entitlements, account groups / application objects, and permissions.
Managed attributes can be specific to one application or shared among multiple applications of the same type. Managed attributes can also be defined in multiple languages.
A managed attribute is the value of an account attribute that has been promoted to a first-class object in the IdentityIQ database so the system can track other data related to these attributes, such as a description or an owner. Any attribute can become managed, but the most common attribute to be managed is one holding group memberships.
What Is Included in the Entitlement Catalog
The Entitlement Catalog lists the managed attributed in your IdentityIQ instance. A managed attribute is indicated by checking the Managed box for the attribute, in the account schema on the Application Definition page.
As accounts are aggregated, IdentityIQ detects the values for each managed attribute and promotes these to ManagedAttribute objects. For example, if Location is managed, and you aggregate three accounts with locations Austin, Dallas, and Houston, there will be three ManagedAttribute objects for those values. If the attribute is multi-valued, such as groups or memberOf, IdentityIQ creates one ManagedAttribute for each value in the list.
The expectation is that most of the attributes that are managed are entitlement attributes, which usually means a group attribute. Because of this, the language in the product is oriented around the word entitlement. For example, we refer to "managing entitlements" and the "Entitlement Catalog." It is possible, however, to have managed attributes that are not entitlements, but it is unusual.
Managed attributes that are also groups have additional features. If the connector supports group aggregation, IdentityIQ can import the definitions of those groups and store them in the ManagedAttribute object. Managed attributes for groups have editable tabs that contain the definition of the group that can, optionally, be used for provisioning. If a groups managed attribute is available for provisioning, any change made on the Object Properties tab is sent to a connector to modify the target application.
Note: The additional Object Properties tab is only available if Lifecycle Manager is installed and the Enable Account Group Management options was selected during Lifecycle Manager configuration. See the Lifecycle Manager
Requestable Attributes
When Lifecycle Manager is enabled, items in the Entitlement Catalog can be flagged as Requestable by checking the Requestable option in the item's standard properties. The Entitlement Catalog shows a check icon in this Requestable column for all attributes that can be requested. See Standard Properties Tab.