Entitlement expiration

Entitlement expiration is a crucial tool in modern identity management.

Setting an expiry date on the validity of certain relationships forces people to take action to extend their privileges.

For example, when an identity has left the company and the processes fail to clean up its assigned privileges, expiration is a golden tool.

Of course it leads to a certain discomfort because it generates some extra actions.

Notifications are crucial in this case.

Therefore, there is an entitlement expiration scheduler that can be configured to notify identities and/or organisation administrators at certain predefined timestamps before entitlement expiration.

Two flavours of the EntitlementExpirationScheduler are configurable: one where the identities whose entitlements are going to expire are notified, and one where the organisation administrators are notified.

A sample configuration can be found in the schedulers section under the system tab.

The following configuration notifies identities of their expiring entitlements 10 days and one day in advance, but not for the entitlement ADMIN and not when the identities have expiring entitlements for organisation AAA:

{
    "type" : "IDENTITY", 
    "notificationInterval" : "10,1", 
    "entitlementInclusionFilter" : "*", 
    "entitlementExclusionFilter" : "ADMIN", 
    "organisationInclusionFilter" : "*", 
    "organisationExclusionFilter" : "AAA"
}

The following configuration notifies organisation administrators of identities with expiring entitlements 10 days and one day in advance, but not for the entitlement ADMIN:

{
    "type" : "ADMIN_ORG", 
    "notificationInterval" : "10,1", 
    "entitlementInclusionFilter" : "*", 
    "entitlementExclusionFilter" : "ADMIN"
}
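To preview which assignments a configuration would notify on a given day, the dry-run below applies the IDENTITY configuration above to a constructed list of assignments. It is an added example, not the product's own code. It assumes that filters are comma-separated names with `*` as a wildcard, that an exclusion filter overrides an inclusion filter, that an absent filter includes everything or excludes nothing, and that a notification fires when the days until expiry equal a value in `notificationInterval`; the function names and sample data are hypothetical.

```python
import json
from datetime import date
from fnmatch import fnmatchcase

def _matches(filter_value, name):
    """True if name matches any comma-separated pattern; '*' matches all (assumed)."""
    patterns = [p.strip() for p in (filter_value or "").split(",") if p.strip()]
    return any(fnmatchcase(name, p) for p in patterns)

def _in_scope(cfg, kind, name):
    """Inclusion filter must match and exclusion filter must not (exclusion wins)."""
    include = cfg.get(f"{kind}InclusionFilter", "*")  # absent: include all (assumed)
    exclude = cfg.get(f"{kind}ExclusionFilter", "")   # absent: exclude none (assumed)
    return _matches(include, name) and not _matches(exclude, name)

def due_notifications(cfg, assignments, today):
    """Return (identity, entitlement, organisation, days_left) rows that notify today."""
    days = {int(d) for d in cfg["notificationInterval"].split(",")}
    due = []
    for a in assignments:
        days_left = (a["expires"] - today).days
        if (days_left in days
                and _in_scope(cfg, "entitlement", a["entitlement"])
                and _in_scope(cfg, "organisation", a["organisation"])):
            due.append((a["identity"], a["entitlement"], a["organisation"], days_left))
    return due

# The IDENTITY configuration from this page.
IDENTITY_CFG = json.loads("""{
    "type" : "IDENTITY",
    "notificationInterval" : "10,1",
    "entitlementInclusionFilter" : "*",
    "entitlementExclusionFilter" : "ADMIN",
    "organisationInclusionFilter" : "*",
    "organisationExclusionFilter" : "AAA"
}""")

# Constructed sample assignments (not real data).
TODAY = date(2024, 3, 1)
SAMPLE = [
    {"identity": "alice", "entitlement": "READER", "organisation": "BBB", "expires": date(2024, 3, 11)},
    {"identity": "bob",   "entitlement": "ADMIN",  "organisation": "BBB", "expires": date(2024, 3, 11)},
    {"identity": "carol", "entitlement": "READER", "organisation": "AAA", "expires": date(2024, 3, 2)},
    {"identity": "dave",  "entitlement": "EDITOR", "organisation": "CCC", "expires": date(2024, 3, 2)},
    {"identity": "erin",  "entitlement": "EDITOR", "organisation": "CCC", "expires": date(2024, 3, 6)},
]

if __name__ == "__main__":
    print(due_notifications(IDENTITY_CFG, SAMPLE, TODAY))
```

Rows dropped by an exclusion filter (bob and carol here) receive no reminder under this configuration, so those assignments expire without a notification from this scheduler entry.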
