Manage entitlements
In Identity Governance, an entitlement is a specific access right assigned to an account within a target application and corresponds to a particular permission. It defines what a user can perform, such as viewing, modifying, or managing entitlements once they have access to the resource.
Identity Governance lets you take action on entitlements, such as:
-
Discover and onboard entitlements
-
Grant entitlements including:
-
Using access requests
-
Using provisioning roles
-
Using direct assignment by administrators
-
-
Certify users who have been granted entitlements
-
Perform segregation of duties (SoD) checks to identity entitlement assignments that violate compliance policies.
-
Manage the entitlements lifecycles using Governance Workflows
Entitlements catalog
Identity Governance aggregates entitlements from onboarded target applications into a centralized repository called the entitlements catalog, providing a unified view of the entitlements.
The entitlement catalog gives you the ability:
Prepare the application for entitlements
Before your end users can work entitlements, tenant or governance administrators must prepare the application(s) for entitlements. Key tasks are:
|
For more details on provisioning applications, learn more in Provision an application. |
Load entitlements into Advanced Identity Cloud
When you onboard a target application into Advanced Identity Cloud, it also pulls in the application’s entitlements. Each application’s account schema includes one or more attributes that define the account’s privileges assigned to accounts within the target system. These attributes depend on other objects in the application, known as non-account objects (NAO), which serve as the source for the account’s allowed entitlements.
Any changes to entitlements are later brought into the system through reconciliation, the process of comparing and synchronizing identity data between the IGA system and external target systems.
|
You must run entitlement reconciliations at regular intervals depending upon how frequently new entitlements are added to or deleted from the target application. |
Validate the entitlement configuration
After you have pulled in the entitlements into Advanced Identity Cloud, you see that most applications in the Application Catalog have predefined entitlement configurations. You must first validate the application configuration by:
-
Verifying that the account attribute has been correctly tagged as an entitlement based on your requirements.
-
Verify the account attribute is associated with the correct non-account object (NAO).
To validate the entitlement configuration and verify the account attribute:
-
In the Advanced Identity Cloud admin console, go to Applications > Browse App Catalog.
-
Select an application and click the Provisioning tab.
-
On the Details page, make sure you are viewing the
Userobject type. -
On the
Userobject page, click Properties. -
Select the account attribute containing the entitlements to be assigned to the account.
For most applications in the Application Catalog, the attribute is identified by a star.
-
Click > Edit to view or edit the property.
-
Verify that the application object type attribute has the correct non-account object (NAO) specified and that the entitlement property is checked. For example, the following image dispays the
servicePlanIdsproperty:
There are some applications that require you to manually set the NAO including:
-
Scripted REST
-
Scripted Groovy
-
Scripted Table
-
PowerShell
-
Multi-file CSV
-
SCIM
Learn more in Manually set non-account objects for an account object.
-
-
Click Data to preview the information, providing a real-time view of the target system data. You can scroll right to view the whole dataset.
Configure user-friendly display names
When you onboard entitlements into Advanced Identity Cloud, they can have highly cryptic or technical names that make its purpose difficult to ascertain. To ensure user-friendly names appear when displaying accounts or entitlements, configure the application object types accordingly.
-
In the Advanced Identity Cloud admin console, go to Applications > Browse App Catalog.
-
Select an application and click the Provisioning tab.
-
On the Details page, make sure you are viewing the
Userobject type. -
In the Display Name Attribute field, select a single-valued string attribute from the target application.
-
Click Save.
-
Repeat steps 1–5 for the other object types.
The following video shows an example:
Configuring the entitlement glossary
Administrators can enhance entitlements by adding meaningful business context, helping users understand their purpose and supporting Identity Governance in decision-making. This context is managed through the Entitlement Glossary, where administrators can add custom attributes in addition to the default ones.
Learn more in Managing the Governance Glossary.
Loading entitlements on-demand
Before running a reconciliation, make sure you have configured it to your requirements.
-
In the Advanced Identity Cloud admin console, go to Applications > Browse App Catalog.
-
Select an application and click the Provisioning tab.
-
On the Details page, make sure you are viewing the
Userobject type. -
Click Reconciliation > Reconcile.
-
Click Reconcile Now if you want to onboard the entitlements immediately.
The results of your reconciliation are displayed on the page. You can see the successful and unsuccessful matches.
View entitlements
When you load entitlements into Advanced Identity Cloud, they appear in the left navigation pane under the Governance > Entitlements tab.
There are three tabs that appear on the entitlements screen:
-
Details — Shows the entitlement owner of the entitlement as well as the entitlement glossary attributes.
-
Object Properties — Displays the entitlement data as it is in the target application.
-
Users — Shows the Advanced Identity Cloud user and the corresponding user entity in the target application.
