Entitlement Catalog

Note

The terms "account group" and "application object" are used interchangeably in this document and have the same meaning. Some applications can have multiple application objects. An account group can be the name of one of those objects.

Use the Entitlement Catalog page to view and manage all of your managed attributes including entitlements, account groups / application objects, and permissions.

Managed attributes can be specific to one application or shared among multiple applications of the same type. Managed attributes can also be defined in multiple languages.

A managed attribute is the value of an account attribute that has been promoted to a first-class object in the IdentityIQ database so the system can track other data related to these attributes, such as a description or an owner. Any attribute can become managed, but the most common attribute to be managed is one holding group memberships.

What Is Included in the Entitlement Catalog

The Entitlement Catalog lists the managed attributes in your IdentityIQ instance. An attribute is marked as managed by checking the Managed box for that attribute in the account schema on the Application Definition page.

As accounts are aggregated, IdentityIQ detects the values for each managed attribute and promotes these to ManagedAttribute objects. For example, if Location is managed, and you aggregate three accounts with locations Austin, Dallas, and Houston, there will be three ManagedAttribute objects for those values. If the attribute is multi-valued, such as groups or memberOf, IdentityIQ creates one ManagedAttribute for each value in the list.

The expectation is that most of the attributes that are managed are entitlement attributes, which usually means a group attribute. Because of this, the language in the product is oriented around the word entitlement. For example, we refer to "managing entitlements" and the "Entitlement Catalog." It is possible, though unusual, to have managed attributes that are not entitlements.

Managed attributes that are also groups have additional features. If the connector supports group aggregation, IdentityIQ can import the definitions of those groups and store them in the ManagedAttribute object. Managed attributes for groups have editable tabs that contain the definition of the group that can, optionally, be used for provisioning. If a group's managed attribute is available for provisioning, any change made on the Object Properties tab is sent to a connector to modify the target application.

Note

The additional Object Properties tab is only available if Lifecycle Manager is installed and the Enable Account Group Management option was selected during Lifecycle Manager configuration. See the Lifecycle Manager Configure Tab for more information.

Requestable Attributes

When Lifecycle Manager is enabled, items in the Entitlement Catalog can be flagged as Requestable by checking the Requestable option in the item's standard properties. The Entitlement Catalog shows a check icon in the Requestable column for all attributes that can be requested. See Standard Properties Tab.

Adding or Editing Entitlement Parameters

Note

You can only add new managed attributes of type Entitlement.

Open the Edit page by clicking Add New Entitlement or clicking on an existing managed attribute from the list.

The Edit page enables you to change properties on a managed attribute. The title and content of this page vary depending on the type of attribute being edited.

The Save button at the bottom of the page launches a business process that persists the changes to the managed attribute. If necessary, the business process launches provisioning.

By default, changes to entitlements must be approved. See Approvals for Changes to Entitlements.

Approvals for Changes to Entitlements

Beginning with version 8.2 of IdentityIQ, the default behavior is to require an approval when an entitlement is changed. The approval path is managed by the Entitlement Update business process.

This business process identifies an approver, which by default is the owner of the entitlement. If no owner has been specified for the entitlement, the approval is routed to the fallback approver, which by default is the owner of the application that is the source for the entitlement.

Disabling Approvals for Changes to Entitlements

If you don't want to require approvals for changes to entitlements, you can edit the business process to disable approvals:

  1. Click Setup > Business Processes.

  2. Select the Entitlement Update business process.

  3. Click the Process Variables tab.

  4. Edit the approver variable to set the Initial Value to String. Make sure that the Value field is blank.

  5. Save the change. Note that if you reopen the approver value to verify your changes, no type of Initial Value will show as selected.

  6. Edit the fallbackApprover variable in the same manner, changing Initial Value to String and making sure the Value field is blank.

  7. Save your change.

For more information on IdentityIQ business processes, see Business Processes.

Deleting a Managed Entitlement

To delete an entitlement, right-click on the entitlement and choose Delete, then confirm the deletion.

Deleting a managed entitlement does not directly remove the entitlement from the product. Instead, a group update business process is launched as a task.

You can track the progress of this task on the Setup > Tasks > Task Results tab.

Importing and Exporting Managed Attributes

Use the Import and Export buttons to import new managed attributes from a CSV file, or to export existing managed attributes to a CSV file. Each option opens a dialog with instructions on how to continue.

Defining Import Data

The import data file must be in CSV format, with a comment line at the top of the file that defines the contents. The comment line should contain a set of comma-separated values that define the properties corresponding to the values on subsequent lines. The imported Entitlements' properties will be set accordingly.

Here is an example of a comment line defining the properties of a CSV file:

#value, displayName, owner, application

The properties on this line can be any of the following:

  • application

  • attribute

  • value

  • displayName

  • requestable

  • owner

  • classifications

  • iiqElevatedAccess

Specifying Default Values When Importing Entitlements

You can specify default values for the imported Entitlements' properties by including an assignment statement in the comment line that defines the file's contents.

Here is an example of an assignment statement in the comment line:

#application=Active_Directory
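
The following pre-import check is an added example, not part of the product or its documentation. It parses the comment line, applies any defaults, and flags rows worth reviewing before a bulk import: no owner (approvals for such entitlements go to the fallback approver, as described above) and requestable or iiqElevatedAccess set to true. It assumes that column names and name=value defaults can be mixed in one comment line, that boolean properties are written as true/false, and it covers only the entitlement properties listed above; the sample data is constructed.

```python
import csv

# Property names this page lists for the header comment line.
KNOWN = {"application", "attribute", "value", "displayName",
         "requestable", "owner", "classifications", "iiqElevatedAccess"}

# Constructed sample file (not real data).
SAMPLE = """\
#value, displayName, owner, requestable, application=Active_Directory
Finance_Users, Finance Users, jsmith, false
Domain Admins, Domain Admins, , true
Broken, only two
"""

def parse_header(line):
    """Split the '#' comment line into (column names, default values)."""
    if not line.startswith("#"):
        raise ValueError("first line must be a '#' comment line")
    columns, defaults = [], {}
    for token in line[1:].split(","):
        name, has_default, value = token.partition("=")
        name = name.strip()
        if name not in KNOWN:
            raise ValueError(f"unknown property in header: {name!r}")
        if has_default:
            defaults[name] = value.strip()
        else:
            columns.append(name)
    return columns, defaults

def review_import(text):
    """Return (rows, findings); each finding is (line number, message)."""
    lines = text.strip().splitlines()
    columns, defaults = parse_header(lines[0])
    rows, findings = [], []
    for n, rec in enumerate(csv.reader(lines[1:], skipinitialspace=True), 2):
        if len(rec) != len(columns):
            findings.append((n, "column count does not match header"))
            continue
        row = {**defaults, **{c: v.strip() for c, v in zip(columns, rec)}}
        rows.append(row)
        if not row.get("owner"):
            findings.append((n, "no owner set"))
        # Assumption: boolean properties are written as true/false.
        for flag in ("requestable", "iiqElevatedAccess"):
            if row.get(flag, "").lower() == "true":
                findings.append((n, f"{flag}=true"))
    return rows, findings
```

Calling review_import(SAMPLE) returns the two well-formed rows plus findings for file lines 3 and 4.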

Special Considerations for Importing Descriptions

When importing attribute descriptions, you must include the description's locale(s) in the comment line; use locale(s) instead of the description property to ensure that descriptions are imported correctly.

Here is an example of a comment line that includes US English (en_US) and Canadian French (fr_CA) descriptions:

#type, attribute, en_US, fr_CA

You can also get an example of this formatting by exporting existing data and including languages in your export.

To export a file that includes an example of the description format:

  1. Go to the Entitlement Catalog page, Applications > Entitlement Catalog.

  2. Select Export.

  3. Choose either All Applications, or uncheck the All Applications box and choose one or more specific applications from the dropdown list.

  4. For Export Type, choose Descriptions.

  5. Use the Choose description languages to export dropdown to choose the locale(s) you want to include in the export. The list shows all locales that have been enabled in your installation.

  6. Select Export.

Note

There might be a size limit set on the imported entitlement description during the configuration of IdentityIQ. If you run into issues, contact your administrator.

A message is displayed at the bottom of the browser window when the export is complete. From there, you can view or save the exported descriptions.

For more information on locales and enabling multi-language descriptions in IdentityIQ, see the IdentityIQ Configuration Miscellaneous section.