We have some custom attributes on each user which define if he is going
to have AD and Exchange accounts.
But according to business rules, we can manually request that a user
have an AD account even if he does not match the criteria.
The AD driver is using Entitlements for provisioning.

Today we use Entitlement Policies to include the Entitlements according
to attribute values.
We also have some dynamic groups based on the same attributes.
So we could create a role+resource+entitlement for AD and Exchange
accounts, and assign the role to the corresponding dynamic groups.

My question is: which of these should be considered as the best

From my point of view, I prefer the role+resource+entitlement solution,
because we can automate the provisioning in drivers, if needed, using a
simple Add Role verb, but we don't have a verb for adding an
Entitlement. We can also make date-constrained assignments, which are
not possible using direct Entitlements (but this is not a requirement).
But I am not sure about the impact of this change. Which of the options
is best, when we consider performance, loading, and maintainability?

jluizberg's Profile: https://forums.netiq.com/member.php?userid=2003
View this thread: https://forums.netiq.com/showthread.php?t=48489