Summary
IdLE needs first-class support for managing entitlements (access assignments) such as group memberships, licenses, and app roles. This issue introduces a generic entitlement model and provider operations to list, grant, and revoke entitlements for an identity, plus a built-in step to ensure desired state (present/absent).
Why
Most Joiner/Mover/Leaver automation is about access (entitlements), not only identity attributes. Without entitlement handling, IdLE cannot model realistic workflows.
Dependency
Depends on #42 (capability advertisement + capability-based contracts/validation).
Scope
Provider Capabilities / Operations
Providers that support entitlements MUST advertise and implement:
- IdLE.Entitlement.List — list all entitlement assignments for a given identity
- IdLE.Entitlement.Grant — assign an entitlement to an identity
- IdLE.Entitlement.Revoke — remove an entitlement from an identity
Important: List is defined as “assignments for an identity”, not “list all existing groups/licenses in the system”.
Domain Model
Introduce a minimal entitlement representation (strings-first):
- Kind (string): recommended values Group, License, AppRole (namespaced custom kinds allowed)
- Id (string): provider-specific identifier (GUID, name, SKU, etc.)
- optional DisplayName (for reporting only)
- Equality: Kind + Id (case-insensitive compare for Id by default).
Built-in Step
Add a batteries-included step:
- EnsureEntitlement -State Present|Absent
Semantics:
- Present: if not assigned → Grant, else → Skipped
- Absent: if assigned → Revoke, else → Skipped
Required capabilities:
- always IdLE.Entitlement.List
- plus Grant or Revoke depending on State
Error Behavior
Entitlement.List for a non-existent identity MUST fail with a clear error (do not return an empty list), to avoid incorrect “ensure present” behavior.
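The step semantics above (Present/Absent over List/Grant/Revoke, Kind + Id equality with case-insensitive Id, and List failing for an unknown identity) as an added illustration; this is not IdLE's own code, and the provider, the `Invoke-EnsureEntitlement` function name, the identity names and the assignment data are all constructed for the example.

```powershell
# Added example, not IdLE code: an in-memory provider exposing the three
# entitlement capabilities, plus an Ensure function with Present/Absent semantics.
$script:Assignments = @{                       # constructed sample state
    'alice@example.test' = @(
        @{ Kind = 'Group';   Id = 'sg-finance' }
        @{ Kind = 'License'; Id = 'ENTERPRISEPACK' }
    )
}

function Test-EntitlementEqual ($a, $b) {
    # Equality is Kind + Id; Id is compared case-insensitively as the model says.
    # Kind is left at PowerShell's default (also case-insensitive); that is an assumption.
    ($a.Kind -eq $b.Kind) -and ($a.Id -ieq $b.Id)
}

function Get-IdleEntitlement ($Identity) {               # IdLE.Entitlement.List
    if (-not $script:Assignments.ContainsKey($Identity)) {
        # Unknown identity must be an error, never an empty list, or "ensure
        # present" would happily Grant to an identity that does not exist.
        throw "Entitlement.List: identity '$Identity' does not exist"
    }
    $script:Assignments[$Identity]
}
function Grant-IdleEntitlement ($Identity, $Entitlement) {   # IdLE.Entitlement.Grant
    $script:Assignments[$Identity] += ,$Entitlement
}
function Revoke-IdleEntitlement ($Identity, $Entitlement) {  # IdLE.Entitlement.Revoke
    $script:Assignments[$Identity] = @($script:Assignments[$Identity] |
        Where-Object { -not (Test-EntitlementEqual $_ $Entitlement) })
}

function Invoke-EnsureEntitlement {
    param($Identity, $Entitlement, [ValidateSet('Present', 'Absent')]$State)
    # List is always required; it also surfaces the non-existent-identity error.
    $assigned = @(Get-IdleEntitlement $Identity |
        Where-Object { Test-EntitlementEqual $_ $Entitlement }).Count -gt 0
    switch ($State) {
        'Present' { if ($assigned) { return 'Skipped' }
                    Grant-IdleEntitlement $Identity $Entitlement;  return 'Granted' }
        'Absent'  { if (-not $assigned) { return 'Skipped' }
                    Revoke-IdleEntitlement $Identity $Entitlement; return 'Revoked' }
    }
}

# Constructed runs: already assigned (Id differs only in case), a new grant,
# a revoke, and an unknown identity that is rejected by List.
Invoke-EnsureEntitlement 'alice@example.test' @{ Kind = 'Group'; Id = 'SG-FINANCE' } -State Present
Invoke-EnsureEntitlement 'alice@example.test' @{ Kind = 'Group'; Id = 'sg-hr' }      -State Present
Invoke-EnsureEntitlement 'alice@example.test' @{ Kind = 'License'; Id = 'ENTERPRISEPACK' } -State Absent
try { Invoke-EnsureEntitlement 'ghost@example.test' @{ Kind = 'Group'; Id = 'sg-hr' } -State Present }
catch { "Rejected: $_" }
```

Running the same Ensure call twice is idempotent: the second pass finds the assignment via List and reports Skipped without calling Grant or Revoke.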
Non-Goals (Out of Scope)
- Listing all possible entitlement definitions (e.g., all groups/licenses in a tenant)
- Entitlement “definition lookup/read details”
- Provider-specific advanced scenarios (PIM, CA policies, etc.)
- Rollback/compensation (handled separately)
Acceptance Criteria
Notes
This issue is intentionally limited to identity entitlement assignments to keep scope small and deliver real workflow value quickly.