6 Controlling the Meaning of Granting or Revoking Entitlements

You can control the consequences of granting or revoking an entitlement. Each driver provides a list of supported choices that control the meaning of “grant” or “revoke.”

For example, when adding a GroupWise® account, you can specify that grant actually means to grant the user an account in a disabled state, so that the administrator must intervene before the user can access the account. Or, you could choose to enable the account, which is the default.

By default, the driver configurations use the option that is most likely to preserve data. For example, the default meaning of “remove” for a GroupWise account is set to “disable,” to avoid unintentionally losing accounts if a mistake is made when the administrator is making changes to policies. As another example, the Identity Manager driver configurations don’t revoke entitlements that have values from a user account in another system. If a user is granted membership in an e-mail distribution list, then later the user no longer meets the criteria for the entitlement policy, he or she is simply dropped from the policy membership. Accounts are disabled, but group membership and attribute values are not removed. An Identity Manager expert can customize the driver configurations if you want a different result.

The interpretation of revoking an entitlement is especially important because Role-Based Entitlements functionality gives you the ability to make sweeping changes in an organization’s entitlements in a production environment, without testing the results in a lab.

You can change the settings for interpreting grant or revoke by editing the Global Configuration Variables on a preconfigured driver. If you are creating your own custom configuration, you could add GCVs to interpret granting and revoking entitlements.