Entitlement Design Notes

Support entitlement associations that cross several resources. E.g. an account in resource A may be a member of group in resource B.

This may be useful for several enterprise usecases, e.g. management of several AD domains that have trust relations.

This can be especially useful for Grouper+midPoint integration. In that case Grouper does not really have its own accounts. It works with LDAP accounts. Grouper is managing groups and it adds LDAP account to its own groups.

The benefit for the Grouper case is that changes in group memberships can be interpreted as change of account associations. Therefore this can be (theoretically) processed by inbound mappings, optimized and so on.

We will need to review provisioning code. There are many assumptions that the source/target of an entitlement association is in the same resource. However, it should be feasible to adapt the code.

Another big issue to think of is caching and performance. We will need to figure out a proper mechanisms to cache the association data in the shadows to avoid numerous resource reads.