Warning: The dynamic membership criteria refers to attributes that are not in the filter

  • 7003469
  • 08-Jun-2009
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3.10 for All Platforms
Novell Identity Manager 3.6
Novell Identity Manager Driver - Role-based Entitlements Service
Filtered replicas
Role-Based Entitlements

Situation

When attempting to restart the Entitlements Service Driver from the Role-Based Entitlements task, the following message is displayed:
Warning: The dynamic membership criteria of the Entitlement Policy '<Entitlement Policy.context>' refers to attributes that are not in the server's replication filter.

Multiple drivers can be displayed in this warning message. This is normally just a warning; if there are no other errors, the driver will normally start correctly after displaying it.
The warning will not be displayed when attempting to start the driver from the Identity Manager Overview page.

Resolution

The Role-Based Entitlements task performs an extra sanity check when the driver is started. If the searches that the Role-Based Entitlement policies need to perform will run against a filtered replica, the task checks that the attributes needed for each search are present in that filtered replica.

One of the confusing parts of this message is the reference to a "filter". This is the server-specific filter that defines which attributes are stored in the filtered replicas present on the server. It is not the filter of an IDM driver.

To address this warning, verify the search criteria of each of the Entitlement policies presented in the message and make sure that the attributes being used to search are present in the Filtered Replica filter for the corresponding classes.


Additional Information

In the particular case where this was experienced, the search specified a criterion of (Object Class=User), but the Object Class attribute was not explicitly set in the filter. Even though it wasn't set in the filter, the attribute was still present in the filtered replica, so there was no actual impact on performance when doing the searches.
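
The comparison described under Resolution can be reproduced offline to see which policies would trigger the warning. The following is an added example, not Novell's code: the policy names, the replica filter contents, the dictionary layout and the LDAP-style criteria syntax are all constructed assumptions, and attribute names are assumed to compare case-insensitively.

```python
import re

# A leaf term looks like (Attribute=value); attribute names may contain spaces.
_LEAF = re.compile(r"\(\s*([^()=<>~!&|]+?)\s*(?:>=|<=|~=|=)")


def criteria_attributes(criteria):
    """Return the attribute names referenced by a search criteria string, in order."""
    seen = []
    for name in _LEAF.findall(criteria):
        if name.lower() not in (s.lower() for s in seen):
            seen.append(name)
    return seen


def missing_from_filter(criteria, class_name, replica_filter):
    """Attributes the criteria uses that the replica filter does not list for class_name."""
    # Assumption: names compare case-insensitively.
    allowed = {a.lower() for a in replica_filter.get(class_name, ())}
    return [a for a in criteria_attributes(criteria) if a.lower() not in allowed]


def check_policies(policies, replica_filter):
    """Map policy name -> missing attributes, only for policies that would be warned about."""
    report = {}
    for name, (class_name, criteria) in policies.items():
        missing = missing_from_filter(criteria, class_name, replica_filter)
        if missing:
            report[name] = missing
    return report


# Constructed sample data (hypothetical, not exported from a real tree).
REPLICA_FILTER = {"User": ["CN", "Surname", "Title", "OU"]}
POLICIES = {
    # Mirrors the case above: Object Class is searched but not listed in the filter.
    "Managers.policies.example": ("User", "(&(Object Class=User)(Title=Manager*))"),
    "Sales.policies.example": ("User", "(&(OU=Sales)(!(Title=Contractor)))"),
    "Region.policies.example": ("User", "(|(L=Provo)(OU=Sales))"),
}

if __name__ == "__main__":
    for policy, attrs in check_policies(POLICIES, REPLICA_FILTER).items():
        print(f"{policy}: not in replica filter: {', '.join(attrs)}")
```

A policy listed only for Object Class matches the benign case described above; any other missing attribute is one to add to the filtered replica filter for that class.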