It can definitely do this.
I would suggest putting a resource object between the entitlement and the role.
Resources are the new model.

As far as the implementation of the entitlement, we need to see a level three trace of the issue.
This might also do better in the user app thread.

On 7/12/2012 3:56 AM, abergvall wrote:
> Hi,
> IDM401
> I've been reading and trying to get the following scenario working:
> Tree1:
> UA RBPM with roles
> eDir driver to tree2 where I have loads of groups that I want to be
> able to add to my roles via entitlements (don't want to have all these
> groups in tree1)
> In designer I can add the entitlement to a role, the query for it works
> I get the list of groups ok.
> The role can be assigned to a user, which gets the
> dirxml-entitlementRef attribute with some values.
> edir driver in tree1 sends this off to tree2 (focusing on ADD right
> now). In create rule on tree2 driver I have a rule that checks for group
> entitlement, like in the AD driver, but it fails with a "query lacks
> assoc" then skips it.
> I don't want to use Admin provided values for the entitlements since
> that will impose administrative burden to keep the list correct.
> I have set up sync of the entitlement itself to get rid of the warnings
> in the trace.
> Will it work with query based entitlements? Seems like I miss something
> here. I also can't trigger on modify operation with "entitlement
> changing"
> of dirxml-entitlementRef attribute... Seems like the eDir driver isn't
> really meant to do things like this. I do hope I'm wrong though.
> Any thoughts?
> br
> /Anders