- Define roles as sets of entitlements.
- Define rules that assign roles based on identity attributes.
- Calculate roles for each user.
- Predict entitlements for users based on roles.
- Compare predicted with actual entitlements.
- Automatically submit workflow requests to make 'actual' match 'predicted.'
- Activate the enforcement process gradually:
- Per-user, per-role, per-entitlement
- Control pace of requests that are automatically submitted to correct entitlements.