I need to make a custom entitlement that needs two pieces of data. But
both pieces are in the IDV and not in the connected system. (It is for
Group membership, but in a silly fashion).

As I work through how I would do this I know of the following issues and
how to fix them:

1) Make a query for at least one piece of data in IDV work.
a) Make the Entitlement defined query very specific. (I chose domain
object in AD, since no one otherwise cares to ever ask for that.)
Intercept the query in the ITP and clone in my results from the real
query I want. (Easy peasy)

2) In my code that implements the entitlement do the math needed to
decide the DN of the target group correctly. (Easy)

3) Define an EntitlementConfiguration object with my entitlements.
Though looking at the LDAP trace coming out of UA, I am thinking that
the magic name 'entitlementConfiguration' may not be required, and only
a DirXML-Resource object, with a DirXML-ContentType of

Testing now to see if that suffices, but I think it might just!

So this makes me think I can:
Make a Resource in UA, select my custom Entitlement, and see a list of
values I want in the payload of the entitlement, based on data in the IDV.

So far so good.

But will I break Reporting on this entitlement?

As I look at the EntitlementConfiguration examples in the AD driver and
in the incomplete DTD example in the docs:

And the actual step backwards in the 4.5 docs:

I wonder if a Reporting query, trying to validate that the users with
this entitlement are really members of the appropriate group will work.

Anyone have a sample handy of what a query that Reporting would inject
would look like?

Anyone tried this before?