PingOne Advanced Identity Cloud

Manage entitlements

Entitlements are specific permissions given to an account in an target application. Each entitlement correlates to a permission.

Identity Governance aggregates entitlements from onboarded target applications into a centralized repository called the entitlements catalog, providing a unified view of the entitlements.

The entitlement catalog gives you the ability to view the granular access (entitlements) users in Advanced Identity Cloud have for accounts in onboarded target applications.

When you view entitlements, you can do the following:

  • View and populate the entitlement glossary attributes you create for each entitlement.

  • Manage the entitlement owner.

  • View the entitlement properties in the target application and accounts associated with the entitlement.

Load entitlements into Advanced Identity Cloud

Entitlements are pulled into Advanced Identity Cloud when you onboard a target application. Entitlements rely on an object to be configured when you onboard a target application. This object, known as a non-account object (NAO), is the object that represents entitlements (permissions) in the target application.

In many cases, there is no action on your part to set up a NAO as many application connectors have predefined NAOs.

There are scripted applications that require you to manually set the NAO which include:

  • Scripted REST

  • Scripted Groovy

  • Scripted Table

  • PowerShell

You must populate the Display Name Attribute on the target application NAO in the Details tab.

This allows each entitlement pulled into Advanced Identity Cloud to display with a human-readable name:

  1. From the Advanced Identity Cloud admin UI, go to Applications > Select Application.

  2. Select the NAO that represents the entitlements in the target application.

  3. Go to the Details tab.

  4. Populate the Display Name Attribute with an attribute from the target application.

The following video shows an example:

For more information on NAOs when provisioning an target application, refer to synchronize an identity.

View entitlements

When you load entitlements into Advanced Identity Cloud, they appear in the left navigation pane under the Entitlements tab. All onboarded target applications that have entitlements appear on this screen.

There are three tabs that appear on the entitlements screen:

  • Details — Shows the entitlement owner of the entitlement as well as the entitlement glossary attributes.

  • Object Properties — Displays the entitlement data as it is in the target application.

  • Users — Shows the Advanced Identity Cloud user and the corresponding user entity in the target application.

Modify entitlement owner

Entitlement owners are individuals responsible for the entitlements in Advanced Identity Cloud.

You can select the entitlement owners to be the certifiers (reviewers) of the certification when you define Who will Certify in an entitlement assignment certification.

To modify an entitlement owner:

  1. Select Entitlements from the left navigation pane.

  2. Select the desired entitlement.

  3. On the Details tab, click the Entitlement Owner field.

  4. Select the user to be the entitlement owner.

  5. Click Save.

Grant entitlements to a user

Identity Governance provides capabilities to grant entitlements to a user.

Add an entitlement to a user

Advanced Identity Cloud allows you to add entitlements to a user directly, via a request, or via synchronization with the target application.

To add an entitlement to a user directly:

  1. In the Advanced Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click realm-name - Users, and select an existing user.

  3. On the selected user’s page, click Entitlements > Add Entitlements.

  4. On the Grant Entitlements modal, select which application you would like to grant permissions for this user to access.

  5. On the Choose Entitlements modal, select one or more entitlements to grant to the user, and then click Grant Entitlements. You will see an "Entitlements request successfully submitted" message. The new entitlement appears on the user’s entitlements page.

View a user’s entitlements

  1. In the Advanced Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click realm-name - Users, and select an existing user.

  3. On the selected user’s page, click Entitlements. Each row shows the entitlement name in bold text with the associated application listed below it.

  4. Enter an entitlement in the Search box, or click an entitlement from the selected list.

View user entitlement details

  1. In the Advanced Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click realm-name - Users, and select an existing user.

  3. On the selected user’s page, click Entitlements. Each row shows the entitlement name in bold text with the associated application listed below it.

  4. Enter an entitlement in the Search box, or click an entitlement from the selected list.

  5. Next, click the ellipsis () for an entitlement, and then click View Details. The modal opens to the Entitlement Details.

    Field Description

    Application

    Displays the application name and logo.

    Owner

    Displays the owner of the application.

    <glossary attributes>

    Displays various glossary attributes and their values. For example:

    • Requestable. Displays the values of the requestable flag: true or false.

    • Description. Displays the description of the attribute.

    • New Entitlement Glossary Attribute. Displays the value of the entitlement glossary attribute.

    <Technical details>

    Displays technical details, such as object type properties and their values. The details differ with each application.

Revoke a user’s entitlement

Advanced Identity Cloud admin UI allows users to revoke non-role-based entitlements from the user’s entitlements list page. If the entitlement is role-based, users cannot revoke the entitlement.

  1. In the Advanced Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click realm-name - Users, and select an existing user.

  3. On the selected user’s page, click Entitlements. Each row shows the entitlement name in bold text with the associated application listed below it.

  4. Enter an entitlement in the Search box, or click an entitlement from the selected list.

  5. Next, click the ellipsis () for an entitlement, and then click Revoke. The Revoke Request modal appears.

  6. On the Revoke Request modal, enter the following information:

    • Justification. Enter a justification for the entitlement revoke request.

    • Priority. Select a priority for the revocation.

    • Expiry Date. Enter an expiry date for the revoke request.

  7. Click Submit Request. The Request successfully submitted message appears.

Manage entitlements in a role

Identity Governance provides capabilities to manage entitlements in a role.

View entitlements in a role

  1. In the Advanced Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click realm-name - Roles.

  3. Enter a role in the Search box, or click a role from the selected list.

  4. On the selected role page, click Entitlements. Each row shows the entitlement name in bold text with the associated application listed below it.

View entitlement details in a role

  1. In the Advanced Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click realm-name - Roles.

  3. Enter a role in the Search box, or click a role from the selected list.

  4. On the selected role page, click Entitlements. Each row shows the entitlement name in bold text with the associated application listed below it.

  5. Next, click the ellipsis () for an entitlement, and then click View Details. The modal opens to the Entitlement Details.

    Field Description

    Application

    Displays the application name and logo.

    Owner

    Displays the owner of the application.

    <glossary attributes>

    Displays various glossary attributes and their values. For example:

    • Requestable. Displays the values of the requestable flag: true or false.

    • Description. Displays the description of the entitlement attribute.

    • New Entitlement Glossary Attribute. Displays the value of the entitlement glossary attribute.

    <Technical details>

    Displays technical details, such as object type properties and their values. The details differ with each application.

Revoke an entitlement in a role

  1. In the Advanced Identity Cloud admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click realm-name - Roles.

  3. Enter a role in the Search box, or click a role from the selected list.

  4. On the selected role page, click Entitlements. Each row shows the entitlement name in bold text with the associated application listed below it.

  5. Next, click the ellipsis () for an entitlement, and then click Revoke. The Revoke Entitlement? modal appears.

  6. Click Revoke. The Entitlement was revoked message appears.

Enhance entitlements with glossary attributes

When you create entitlement glossary attributes, they appear as metadata you can populate for each entitlement.

To enhance entitlements:

  1. From the Advanced Identity Cloud admin UI, go to Governance > Entitlements.

  2. Select the desired entitlement.

  3. On the Details tab, populate the glossary attributes you created.

  4. Click Save.

Example of when to use the governance glossary

There are many scenarios in which using identity glossary attributes can provide useful business logic to make decisions.

Oftentimes, organizations have specific attributes to track users' entitlements from applications.

An example could be that you want to attach a risk score to each entitlement pulled into Advanced Identity Cloud. This could be to determine the sensitivity of the entitlement (privilege) in the target application.

Steps:

  1. From the Advanced Identity Cloud admin UI, click Glossary.

  2. Click Entitlement > + Entitlement Glossary Item.

  3. Enter the following values:

    1. Name - riskScore

    2. Display Name - Risk score

    3. Type - Number

      For more information, refer to create entitlement attribute.

  4. Once you create the entitlement glossary attribute, it displays as metadata for each entitlement. To view this metadata in an entitlement, go to Entitlements > Select entitlement to view the attribute under the Details tab.

  5. Assign a risk score of 80 using the newly created Risk score attribute. The higher the risk score for an entitlement, the more sensitive operations that entitlement allows.

Now that you have created an entitlement glossary attribute and enriched existing entitlements with the Risk score attribute, you can leverage this new business-relevant data.

For example, you can create an entitlement assignment certification template that filters the template to show entitlements to review that have a Risk score of 75 or higher. This allows you to certify highly-sensitive entitlements.

This is just one scenario in which the identity glossary can be used. Create identity glossary attributes for applications, entitlements, or roles to suit your business cases.

Copyright © 2010-2024 ForgeRock, all rights reserved.