A method and system for dynamic assignment of entitlements is provided. A
trigger is received from an identity store. A membership generator
generates a list of members from user objects stored in the identity
store. The generated list is compared against a previously generated list
for changes. The changes are placed into an attribute modify
specification, an entitlement grant specification, and an entitlement
revoked specification. Using these specifications, a policy decision
module routes the changes to policy enforcement modules. The policy
enforcement modules implement the changes to entitlements.
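
The flow described above, as an added Python sketch that is not taken from the patent: a membership list is regenerated, compared with the previous list, split into the three specifications, and routed to enforcement modules. The attribute names, the membership rule, the `eng-repo-access` entitlement, the enforcer interface, and the choice to apply revokes before grants are all assumptions of this example; the sample data is constructed.

```python
# Added illustration. Attribute names, the membership rule and the enforcer
# interface are assumptions; the sample data is constructed.

def generate_members(users, rule):
    """Membership generator: {user id: attributes} for users matching the rule."""
    return {u["id"]: dict(u["attrs"]) for u in users if rule(u["attrs"])}

def diff_memberships(previous, current):
    """Compare the new list with the previous one and build the three specs."""
    modify = {}
    for uid in sorted(current.keys() & previous.keys()):
        old, new = previous[uid], current[uid]
        changed = {k: new.get(k) for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
        if changed:
            modify[uid] = changed  # a removed attribute is reported as None
    return {"attribute_modify": modify,
            "entitlement_grant": sorted(current.keys() - previous.keys()),
            "entitlement_revoke": sorted(previous.keys() - current.keys())}

class RecordingEnforcer:
    """Stand-in enforcement module that records the changes it is handed."""
    def __init__(self):
        self.applied = []
    def apply(self, action, uid, detail=None):
        self.applied.append((action, uid, detail))

def route(specs, entitlement, enforcers):
    """Decision step: send the changes to each enforcer registered for the entitlement."""
    targets = enforcers.get(entitlement)
    if not targets:  # fail loudly: a silently dropped revoke leaves access in place
        raise LookupError(f"no enforcement module for {entitlement!r}")
    for enforcer in targets:
        for uid in specs["entitlement_revoke"]:  # revokes first (choice of this example)
            enforcer.apply("revoke", uid)
        for uid in specs["entitlement_grant"]:
            enforcer.apply("grant", uid)
        for uid, attrs in specs["attribute_modify"].items():
            enforcer.apply("modify", uid, attrs)

def run_example():
    previous = {"alice": {"dept": "eng", "title": "dev"},
                "bob": {"dept": "eng", "title": "dev"}}
    users = [{"id": "alice", "attrs": {"dept": "eng", "title": "lead"}},
             {"id": "bob", "attrs": {"dept": "sales", "title": "dev"}},
             {"id": "carol", "attrs": {"dept": "eng", "title": "dev"}}]
    current = generate_members(users, lambda a: a.get("dept") == "eng")
    specs = diff_memberships(previous, current)
    enforcer = RecordingEnforcer()
    route(specs, "eng-repo-access", {"eng-repo-access": [enforcer]})
    return specs, enforcer.applied
```

In the constructed data, a change of department removes `bob` from the list and produces a revoke, while `alice` stays a member and only her changed attribute is forwarded.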