Managing Entitlements

Entitlements are the access rights an account has on a source. They're a key part of identity governance and an important way of quantifying access in IdentityNow. They can be:

Refer to Loading Entitlements for information on collecting entitlement data from sources.

You can work with all of your organization's entitlements in one place on the Entitlements page by going to Admin > Access > Entitlements.

You can also work with entitlements on sources.

Exploring Entitlements

Go to Admin > Access > Entitlements to see a list of the entitlements in your organization. The table columns include important information for each entitlement such as:

  • Source
  • Owner
  • Whether the entitlement is requestable or privileged
  • How many access profiles include the entitlement
  • How many identities have the entitlement assigned to them

Use the Search field to look for a specific entitlement or select the Filter icon to refine the list of entitlements by specific attributes.

You can select an entitlement to see the following information on tabs:

  • Details - Displays details and additional attributes.

  • Access Profiles - Lists the access profiles that include the entitlement.

  • Identities - Lists the identities that have the entitlement assigned and provides the ability to revoke the entitlement for an identity.

Working with Entitlements

You can manage, edit, and configure access requests for entitlements across sources from the Entitlements page by going to Admin > Access > Entitlements.

Bulk Entitlement Updates

You can perform the following actions on multiple entitlements at once:

  • Update entitlement owner
  • Update requestable status
  • Update privileged status

To update multiple entitlements:

  1. Go to Admin > Access > Entitlements.

  2. Select the checkboxes for the entitlements you want to update. Once you select more than one entitlement, the Actions button appears.

  3. Select the Actions button.

  4. From the dropdown menu, select the update you want to make for the selected entitlements.

  5. Make your updates in the Update panel, and select Update.

Individual Entitlement Updates

You can perform the following actions on individual entitlements:

Editing Entitlement Details

To edit details for an entitlement:

  1. Go to Admin > Access > Entitlements and find the entitlement you want to update.

    Tip

    To search for a specific entitlement, enclose the search term in double quotation marks ("").

  2. Select the Actions icon > Edit for the entitlement.

  3. In the Configuration panel, update the entitlement’s display name, description, or owner. Select Save to save your changes.

    Best Practice

    Ensure the entitlement’s display name and description are easy to understand as the entitlement may appear in access requests and certifications. This will improve the accuracy, quality, and speed of requests and review decisions.

    Note

    Changes to the display name and description are not sent to the source.

  4. In the Access Request panel, set your access request configurations and select Save to save your changes.

Your changes will take effect immediately but may take a moment to display on the Entitlement Management page.

Updating Entitlement Status

To update the privileged or requestable status for an entitlement:

  1. Select the Actions icon for the entitlement you want to update.
  2. Select the status update you want to make from the dropdown menu.

Your changes will take effect immediately but may take a moment to display on the Entitlement Management page.

Revoking Entitlements

To revoke an entitlement for an identity:

  1. On the Entitlements page, select the entitlement you want to revoke.
  2. Select the Identities tab.
  3. Select Revoke for the identity you want to remove the entitlement from.
  4. Enter a comment about the revocation.
  5. Select Revoke. A success message appears confirming your request.

Working with Entitlements on Sources

Some information about entitlements can be modified on their source. This includes marking entitlements as privileged, bulk updating attributes like display names and descriptions, and assigning entitlement owners.

Marking Privileged Entitlements on a Source

You can mark an entitlement as privileged to draw attention to it during certification campaigns. This flag appears everywhere the entitlement is displayed, including search and certifications.

Note

Any access profiles that contain a privileged entitlement are also marked as privileged.

To mark an entitlement privileged:

  1. Go to Admin > Connections > Sources, and select the source that contains the entitlements you want to edit.

  2. In the Entitlements tab, select the checkbox next to the entitlements you want to mark as privileged.

  3. Select the Actions dropdown menu and select Mark as Privileged.

Performing Bulk Entitlement Updates on a Source

Entitlement aggregation can read in display names and descriptions from the source. If these are missing or insufficient, you can change those values through a manual bulk edit.

  1. Go to Admin > Connections > Sources and select the source you need to edit.
  2. On the Entitlements tab, use the download CSV button to download a comma-separated values (CSV) list of the entitlements to your computer.
  3. Edit the file to fix any incorrect or incomplete entitlement data.
  4. Use the upload CSV button to upload your changes into IdentityNow.

Notes

  • Subsequent aggregations can replace blank display names or descriptions but will not overwrite existing values. This ensures that your manual edits do not get overwritten.
  • Entitlement descriptions can be up to 2000 characters. An error will occur if you attempt to upload a file containing descriptions that exceed that limit.
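
A pre-upload check for the edited file, as an added example that is not SailPoint's own tooling: it flags descriptions over the 2000-character limit, values that were blanked, and rows that do not match the download, and lists which cells changed so the edit can be reviewed before upload. The column names `id`, `displayName` and `description` are assumptions, and the sample data is constructed.

```python
import csv
import io

MAX_DESCRIPTION_CHARS = 2000  # upload limit stated in the notes above
# Assumed column names: match them to the header row of your downloaded CSV.
KEY_COL, NAME_COL, DESC_COL = "id", "displayName", "description"

# Constructed sample data, not a real export.
DOWNLOADED = 'id,displayName,description\ne1,grp_fin_01,\ne2,Domain Admins,Full admin\n'
EDITED = ('id,displayName,description\n'
          'e1,Finance Read,"Read-only access to finance reports,\nall regions"\n'
          'e2,Domain Admins,' + 'x' * 2001 + '\n'
          'e9,Typo Row,Not in the download\n')


def load_rows(csv_text):
    """Parse CSV text into {key: row}; quoted cells may contain newlines."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    return {row[KEY_COL]: row for row in reader}


def check_edited_csv(downloaded_text, edited_text):
    """Return (problems, changes) for an edited CSV versus the download."""
    original, edited = load_rows(downloaded_text), load_rows(edited_text)
    problems, changes = [], []
    for key, row in edited.items():
        if key not in original:
            problems.append(f"{key}: row is not in the downloaded file")
            continue
        desc = row.get(DESC_COL) or ""
        if len(desc) > MAX_DESCRIPTION_CHARS:
            problems.append(f"{key}: description has {len(desc)} characters")
        for col in (NAME_COL, DESC_COL):
            before, after = original[key].get(col) or "", row.get(col) or ""
            if before and not after.strip():
                problems.append(f"{key}: {col} was blanked")
            elif before != after:
                changes.append((key, col))
    for key in sorted(set(original) - set(edited)):
        problems.append(f"{key}: row missing from the edited file")
    return problems, changes


if __name__ == "__main__":
    problems, changes = check_edited_csv(DOWNLOADED, EDITED)
    for line in problems:
        print("PROBLEM", line)
    for key, col in changes:
        print("CHANGED", key, col)
```

Keeping the list of changed cells with the change record gives reviewers a trail of which display names and descriptions were edited by hand.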

Assigning Entitlement Owners on a Source

You can assign an entitlement owner who can be configured to review access requests for entitlements.

  1. Go to Admin > Connections > Sources.
  2. Select View for the source the entitlement is on.
  3. Select the Entitlements tab.
  4. Select the entitlement you want to assign an owner to.
  5. Select an identity from the Owner dropdown list.
  6. Select X to close the window.

Tip

An entitlement owner can also be assigned by submitting an API call with the Patch an entitlement endpoint.

Representing Nested Entitlements

IdentityNow supports hierarchical relationships between entitlements for source types where it applies. To configure parent and child relationships between entitlements in a .csv file, use the hierarchyAttribute of the Update Source Schema API.

Ways to Revoke Entitlements

You can revoke entitlements in the following ways:

Note

You can only submit revoke requests for one entitlement at a time through the Submit Access Request endpoint.

Deleting Entitlements

Entitlements can't be deleted directly in IdentityNow. To remove an entitlement from IdentityNow, delete it from the source itself and run an entitlement aggregation.

Account aggregations never delete entitlements from IdentityNow, including source entitlements created solely through account aggregation. This is because an entitlement could still exist even if no accounts currently hold it.

Troubleshooting Entitlement Issues

The following list describes common entitlement issues and their solutions:

Entitlement names and descriptions are not aggregating from the source system.

Perform an entitlement aggregation for your source to pull in the display names and descriptions for all entitlements.

This will only replace values that have not been updated manually in IdentityNow. This is to protect and preserve any updates you make through the Entitlement Administration page, the IdentityNow API, or by using the CSV download/upload option. Once a value has been updated manually, an aggregation will not replace it.

If the aggregation doesn't update the entitlement description, the following may have occurred:

  • The entitlement description may have been manually updated in IdentityNow. You can check whether the description has been manually updated by using the Get an entitlement endpoint. The manually_updated_fields property should be marked as false, meaning this property has not been manually updated since the first aggregation or on subsequent aggregations. You can override the value for this property through the Patch an entitlement endpoint.

  • The description isn't mapped correctly in the source schema. To view your current mapping, submit an API call using the Lists the Schemas that exist on the specified Source in IdentityNow endpoint. If the mapping is incorrect, you can submit an API call using the Update Source Schema (Partial) endpoint to alter the group schema’s description attribute.

    Caution

    This endpoint allows you to change your schema definitions, which can change the data SailPoint stores for the source’s accounts and entitlements.

The wrong attribute has been used as the entitlement's display name.

Your entitlement schema defines which attribute is used as the display name. Use the Update Schema API to modify the display attribute designation.

If the entitlement schema for the source is editable in the user interface, you can also change it there:

  1. Go to Admin > Connections > Sources and select the source you want to edit.
  2. Select the Import Data tab and select Entitlement Types.
  3. Change the attribute designated as the Entitlement Name to the desired display attribute.
  4. Run an entitlement aggregation.