PingOne Advanced Identity Cloud

Manage Entitlement LCM

Entitlement lifecycle management (LCM) provides a type of delegated administration, allowing application owners, entitlement owners, and end users authorized with the proper scope permissions to manage entitlements within the applications available to them. By using Entitlement LCM, companies can keep entitlement attributes up to date, reducing the risk of outdated or inaccurate entitlements impacting decision-makings.

Entitlement LCM also enforces policies by requiring approval workflows before any entitlement changes are applied. This prevents users from granting excessive permissions without oversight and ensures access remains aligned with organizational policies.

Governance personas

By default, governance administrators, application owners, entitlement owners, and end users with scoped permissions can manage entitlements in the system. These users have the following permissions:

Action Admin Application
Owner		 Entitlement
Owner		 End user

View entitlement

Yes

Yes

Yes

If scoped

View users who have entitlement

Yes

Yes

Yes

If scoped

Create entitlement

Yes

Yes

No

If scoped

Modify entitlement

Yes

Yes

Yes

If scoped

Enable Entitlement LCM

Governance administrators must enable Entitlement LCM to activate the feature for their users.

The term Governance LCM is used interchangedly with Entitlement LCM in this section. Governance LCM handles entitlements only at this time but will be expanded to other objects, such as Users and Roles in the future.

  1. In the Advanced Identity Cloud admin console, go to Governance > Requests.

  2. On the Requests page, click the Settings tab.

  3. In the Governance LCM section, click Activate.

  4. In the Governance LCM modal, read what activating this feature entails, and click Next.

  5. In the Governance LCM modal, click Entitlement LCM, and then click Activate. The governance LCM is now active on your tenant.

    Enable governance LCM on the Requests page.

Configure authorization

Entitlement LCM enables administrators to delegate entitlement management to authorized users. Scope permissions have been enhanced to grant a specific subset of permissions for managing entitlements. The scope permissions are summarized as follows:

Permission Applies to Description

View Applications

Applications

Allows the user to view matching applications. This scope is implicit when Create Entitlements is selected.

Create Entitlements

Applications

Allows the user to create entitlements for the matching applications.

View Entitlements

Entitlements

Allows the user to view matching entitlements. This scope is implicit when Modify Entitlements or View Grants is selected.

Modify Entitlements

Entitlements

Allows the user to modify the matching entitlements.

View Grants

Entitlements

Allows the user to view the other users who are assigned the entitlement.

Ping Identity recommends that you always grant View Grants privileges so that users carrying out entitlement lifecycle management can see who has been assigned the entitlement.

Tips on scopes

Scopes provide the permissions to let end users to take action only on applications and entitlements to which they are permitted.

For example, when you assign a scope for an application with the Create Entitlements permission, the end user can create entitlements for the application in that scope. However, this doesn’t mean they can view entitlements. For that, they must have the View Entitlements permission.

The following rules apply to scope permission:

  • By default, scopes are disabled in Identity Governance. You can enable scopes using the config API. Learn more in identity-governance:administration/access-request-configure.adoc#enable-scopes.

  • If end users have scope permissions for view entitlements, they can view those entitlements regardless of the application permissions.

  • If end users have modify permissions, they can modify the entitlements you can see.

  • If end users have view grant permissions, they can view the users of the entitlements you can see.

Add scopes and assign to users

  1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

  2. In the Advanced Identity Cloud admin console, go to Governance > Scopes.

  3. Click add New Scopes.

  4. On the New Scope page, enter the following in the Details section:

    1. Name: Enter the name for the scope.

    2. Description: Enter a description for the scope.

    3. Click Next.

      Scope details page displaying name and description

  5. On the Applies to page, define which users should be subject to this scope. Decide if you want to grant application or entitlement permissions to the end user.

    1. Select if the All or Any condition must be met.

    2. Select a property for this scoping rule. For example, select userName.

    3. Select an operator for the scoping rule. For example, select contains.

    4. Enter an entitlement.

    5. If you want to add another rule, click add and repeat the steps.

    6. Click Next.

      Scope `applies to` page defining the user to which the scope applies.

  6. On the Access page, enter the following depending if you are granting applications or entitlement permissions:

    • For application permissions:

      1. Select the Applications checkbox.

      2. Click All Applications or Applications matching a filter. Click Applications matching a filter.

      3. Select if All or Any condition must be met.

      4. Select a property for this scoping rule. For example, select name.

      5. Select an operator for the scoping rule. For example, select is.

      6. Enter an application.

      7. If you want to add another rule, click add and repeat the steps.

      8. Click Create Entitlements.

        The View Applications scope permission is also included.

      9. Click Save.

        The end user now has the permission to create new entitlements for the matching application.

        Scope access displaying the filters for the application.

    • For entitlement permissions:

      1. Select the Entitlements checkbox.

      2. If you click Applications matching a filter, click All Entitlements or Entitlements matching a filter.

      3. Select if the All or Any condition must be met.

      4. Select a property for this scoping rule. For example, select userName.

      5. Select an operator for the scoping rule. For example, select is.

      6. Enter a user.

      7. If you want to add another rule, click add and repeat the steps.

      8. Click Modify Entitlements.

        The View Entitlements scope permission is also included.

      9. Click View Grants to allow the end user to view who has the entitlement.

      10. Click Save.

        Scope access displaying the filters for the entitlement.

Configure entitlement lifecycle workflows

Identity Governance provides the out-of-the-box request types and workflows to enable authorized users to carry out Entitlement LCM tasks:

Request Type Workflow

createEntitlement

Create Entitlement

modifyEntitlement

Modify Entitlement

As with all other Identity Governance requests, the Entitlement LCM actions are defined and processed in request workflows that allow users to:

  • Create new entitlements

  • Provide source entitlement attribute values

  • Enrich the entitlement glossary

  • Modify existing entitlements.

Create a new entitlement

Before you create a new entitlement, make sure you have run the prerequisites in Prepare the application for entitlements.

  1. In the Advanced Identity Cloud end-user UI, sign on as a test user who has application permissions.

  2. Go to Administer > Entitlement. The application’s entitlements are accessible to the end user.

  3. On the Entitlements page, click add New Entitlement.

  4. In the New Entitlement modal:

    1. Click Application and click the application available to the test user. You should see only one available option.

    2. Click Object Type and select an object type for the new entitlement.

    3. Click Next.

  5. In the Entitlement Details modal:

    1. Enter or select the fields required for your entitlement. Fields can differ based on how you configured your glossary items. For example:

      • Description: Enter a general description of the entitlement.

      • Entitlement Owner: Type a user to add as an entitlement owner.

      • Entitlement Type: Enter the type of entitlement.

      • Parent Entitlement: Enter any parent entitlement if any.

      • Requestable: Click to make the entitlement requestable.

    2. Click Submit.

      The new entitlement appears in the list of entitlements specific to the application.

Modify entitlement details in an application

  1. In the Advanced Identity Cloud end-user UI, sign on as your test user who has application permissions.

  2. Go to Administer > Entitlements. The application’s entitlements are accessible to the end user.

  3. Click an entitlement.

  4. Modify any field including Entitlement Owner and click Save.

    A change request is entered in the system and must be approved by the user specified in the workflow. For example: the Modify Entitlement workflow specifies that the entitlement owner approves any entitlement change requests.

Delete entitlements

It isn’t recommended to delete entitlements from Identity Governance. You should delete the entitlements in the target application and run an entitlement onboarding using reconciliation so that the deleted entitlement(s) and their relationships to accounts and identities are correctly accounted for.

View entitlements in an application

  1. In the Advanced Identity Cloud end-user UI, sign on as your test application owner: veronica.achorn.

  2. Go to Administer > Entitlements. All entitlements specific to the selected application are displayed.

    View entitlements for application owners.

  3. From here, the end user can do:

    • View all entitlements specific to the application.

    • View the details, object properties, and users of a specific entitlement.

    • Create an entitlement.

    • Modify an entitlement.

Troubleshooting entitlements

Typical troubleshooting cases that can occur with entitlements are:

  • Entitlements aren’t being onboarded from the application.

  • Onboarded entitlements aren’t visible in the catalog.

  • Onboarded entitlements don’t have a display name.

  • Entitlements have been assigned to users but aren’t visible in the user’s access.

  • Duplicate entitlement assignments assigned to the user.