Take the following scenario.

You have a query-based valued Entitlement for a connected system -
we'll take the AD driver as an example, as it implements code to support
granting group membership in AD by entitlement.

This works great for granting and revoking AD group membership from the
IDM side; however, IDM does nothing to prevent an AD admin from messing
with the rights granted/revoked via this entitlement.

There are no associated groups in the IDVault, so the publisher reset
option won't work.

Coding something to achieve the same result as publisher reset by
checking assigned/revoked entitlements feels somewhat inefficient (and

Has anyone worked with this or come up with a good solution?