We migrated some time ago from IDM & RBPM 3.6.1 to 4.0.2.
All drivers have been updated to support resources, and all the new
roles we are creating are using the new resource model.

But we still have some roles which have direct Entitlement Associations
(Designer tells me the ability will be deprecated and also the UA only
lets me remove Entitlements from roles)

So I wanted that these roles also use Resources and I thought this would
be pretty straightforward: add the resources with the same Entitlement
and then remove the direct Entitlement association.

But this revokes the Entitlement from the User:

Here the steps:
User is assigned to a role with direct entitlement association, value of

cn=Accounts,cn=ADDriver,cn=IAM Driver Set,ou=RESOURCES,o=SYSTEM

I add a Resource to the role with the same Entitlement, the Resource
gets added to the users whoch have the role, no changes to the
EntitlementRef attribute:

cn=Accounts,cn=ADDriver,cn=IAM Driver Set,ou=RESOURCES,o=SYSTEM

I delete the direct Entitlement association from the role:
The role driver is Recalculating roles for identity: XY

cn=Accounts,cn=ADDriver,cn=IAM Driver Set,ou=RESOURCES,o=SYSTEM

The Entitlement gets revoked.
Now we are in a strange situation. The user still has the Role (and
Resource) assigned but the Entitlement is revoked.
Shouldnt the role & resource driver notice that the user has an
resource with the same Entitlement and not revoke the Entitlement?

If I delete first the Entitlement and then grant the Resource it works
(but the Entitlement first gets revoked and then reassigned later when
we add the resource), the DirXML-EntitlementRef attribute also looks

cn=Accounts,cn=ADDriver,cn=IAM Driver Set,ou=RESOURCES,o=SYSTEM#1#<?xml
version="1.0" encoding="UTF-8"?><ref>

So is there an official procedure to migrate roles from entitlements to

The second solution is working but cannot be done in a production
environment (imagine Entitlements like AD Account, all user would be
deleted an recreated)

Kind Regards,

nickleloup's Profile: https://forums.netiq.com/member.php?userid=5862
View this thread: https://forums.netiq.com/showthread.php?t=51286