IDM 4.7 workflow questions

Good morning,

just two questions if it is possible:

- The resources and entitlements sould be on-to one relationship as best practise?

- The use of remote loader we can say that can improve performance of the metadirectory engine offloading driver commands to the machine running the remote application?

  • Dirxml-Entitlement objects are great. One object can take a parameter and represent thousands of remote 'things'. (Groups? Exchange roles? Roles? something in the remote system).

    Resources represent one of those thousand things downstream.  That is, they contain the parameter, to pass to the entitlement ina  form that Roles can consume.


    The RL runs in its own Java memory space. So running a driver in a RL on the engine server is actually a useful idea.  Since it is in its own memory/process space, it can run on different CPU's and consume its own memory distinct from the engine.

    So yes performance is one reason. Another is that perhaps you have a DMZ with public internet access allowed, so the RL can talk out to a host outside, and then only talk to the engine through the single defined SSL secured port.  So Secuiry is another consideration.


  • Thanks a lot for your complete information.

    So talking about static entitlements assigned to a resource in an User application, we could say that there is no limit to static entitlements and we could add as we want?

    For RL , I see that the performance improves and  helps a lot with the function of offloading.


  • Entitlements support

    • No value (sort of, easier to set a default value than null)
    • Admin defined values
    • Query based values

    Query based values query the remote system (But I have succesfully redirected this multiple times to query IDV or have a Job do the work, store it, then redirect the query to where it is stored.

    So every nrfResource object with an Enttlement assignemnet  gets an nrfEntitlementRef (path syntax) that is basically the value of the DirXML-EntitlemenRef that would be delivered to a user.

    So Resources assigned a static Entitlement is sort of not that meaningful a term.    The idea of a Resource is to take the single Entitlement object and allow multiple different assignments through static objects.




  • Hi I just tell you the same doubt about entitlement...

    Because I'm making the knowledge test and this is one question that is making me crazy...

    Is this one:

    - As a best practise how many static entitlements should be assigned to resource in the user application?

    a) There is no limit to static entitlements, you can add ass many as you want

    b) Static resources should be kept to 20 static assignments or fewer

    c) Static resources should be kept to 10 static assignments or fewer

    d) Resources and entitlements should be one-to-one relationship. You need to use roles to assigning multiple values.

    Thanks a lot!
  • It is a stupid question.  (Sadly, I have a very low opinion of the quality of the testt questions in current use... In the old days, you could take a Beta test, and I did every one I could for 5-10 years) and they let you write comments on questions...  I never once got feedback, even when I wrote long explanations of why this question was incorrect, misleading, or just not well written.  I asked a friend who reviewed the tests years later if he ever saw any of the comments and he never did. So thanks gang for nothing.  I have earned my opinion on the quality problem).

    I would argue they want D.  But I am not entirely sure.  What is worse, in 4.7.x and lower you could assign two entitlement values to a resource, but I think they changed it to one in 4.8.

  • Yes is completely agree. Is so hard just making the test with no beta testing and take a knowledge with some video lessons....
    I'm new in IDM and I can't argue with my colleagues on it also.
    So talking about test on IDM 4.7 version we could say need to be one to one entitlement- resource as best practise?
  • Yes, option D is probably what they want.