
Managing Entitlements

Entitlements are the access rights an account has on a source. They're a key part of identity governance and an important way of quantifying access in IdentityNow. They can be:

Refer to Loading Entitlements for information on collecting entitlement data from sources.

You can work with all of your organization's entitlements in one place on the Entitlements page by going to Admin > Access Model > Entitlements.

You can also work with entitlements on sources.

Viewing Entitlements

Go to Admin > Access Model > Entitlements to see a list of the entitlements in your organization. The table columns include important information for each entitlement such as:

  • Source
  • Owner
  • Whether the entitlement is requestable or privileged
  • How many access profiles include the entitlement
  • How many identities have the entitlement assigned to them

Use the Search field to look for a specific entitlement or select the Filter icon to refine the list of entitlements by specific attributes.

You can select an entitlement to view additional details about it, including:

  • Cloud Access Details - If your site licenses a SailPoint cloud governance solution, you can view cloud access data related to entitlements on a source with cloud access. You can mark entitlements as Cloud Enabled by creating or editing cloud-enabled entitlement types.
  • Permissions - Permissions represent individual units of read/write/admin access to a system. If you have direct or indirect permissions on your supported sources, they can be aggregated into IdentityNow. Direct permissions are aggregated as entitlements, and indirect permissions appear in the attributes of an entitlement.

    You can also view permissions per source. The Permissions column displays Yes/No to indicate whether the entitlement includes permissions.

    Note

    You cannot modify a permission within IdentityNow.

  • Type - Some sources support multiple types of entitlements, each with a different attribute schema.

    Notes

    • Not all sources support entitlement types or permissions. Refer to the source's connector documentation to find out whether it supports those attributes.

    • Newly created sources of supported types can aggregate entitlement types and permissions automatically. To configure an existing source to support this functionality, update the entitlement schema associated with the source using the Update Source Schema (Partial) API.

Depending on the entitlement, the following information may also display on tabs:

  • Access Profiles - Lists the access profiles that include the entitlement.

  • Identities - Lists the identities that have the entitlement assigned and provides the ability to revoke the entitlement for an identity.

  • Roles - Lists the roles that include the entitlement.

  • Parent and Child Entitlements - View the parent and child relationships each entitlement has. For more information, refer to Representing Nested Entitlements.

Working with Entitlements

You can manage, edit, and configure access requests for entitlements across sources from the Entitlements page by going to Admin > Access Model > Entitlements.

GenAI Entitlement Descriptions

SailPoint leverages GenAI to generate descriptions for your organization’s entitlements. Admins can select specific entitlements and generate descriptions for them.

Note

Only available for customers in AWS regions where the AWS Bedrock LLM that SailPoint employs is supported.

Generating Entitlement Descriptions

To generate descriptions:

  1. Select the Actions icon > Generate descriptions for an individual entitlement, or select the checkboxes for multiple entitlements and then Actions > Generate descriptions.

  2. Progress is displayed in the Generating Descriptions bar at the top of the GenAI Entitlement Descriptions page.

  3. Once completed, newly generated entitlement descriptions are listed.

Viewing Generated Entitlement Descriptions

When navigating to the Entitlements page, a banner displays at the top of the page with a link to view GenAI entitlement descriptions that require review and approval. Select View Descriptions to view generated descriptions and their status.

Reviewing and Approving GenAI Entitlement Descriptions

A generated entitlement description must be approved before it can be updated in the entitlement. On the GenAI Entitlement Descriptions page, select Approve to update the description.

To make changes to the generated description:

  1. Select the Actions icon > Edit.

  2. Make edits to the generated description.

  3. Select Approve.

If the entitlement description should be approved by someone else in the organization, you can send it to another reviewer as follows:

  1. Select the Actions icon > Send to Reviewer.

  2. Select an identity to review and approve the entitlement description.

  3. Select Send.

The entitlement description shows up in the reviewer’s Approvals page.

Bulk Entitlement Updates

You can perform the following actions on multiple entitlements at once:

  • Update entitlement owner
  • Update requestable status
  • Update privileged status

To update multiple entitlements:

  1. Go to Admin > Access Model > Entitlements.

  2. Select the checkboxes for the entitlements you want to update. Once you select more than one entitlement, the Actions button appears.

  3. Select the Actions button.

  4. From the dropdown menu, select the update you want to make for the selected entitlements.

  5. Make your updates in the Update panel, and select Update.

Individual Entitlement Updates

You can perform the following actions on individual entitlements:

Editing Entitlement Details

To edit details for an entitlement:

  1. Go to Admin > Access Model > Entitlements and find the entitlement you want to update.

    Tip

    To search for a specific entitlement, place the search term in "".

  2. Select the Actions icon > Edit for the entitlement.

  3. In the Configuration panel, update the entitlement’s display name, description, or owner. Select Save to save your changes.

    Best Practice

    Ensure the entitlement’s display name and description are easy to understand as the entitlement may appear in access requests and certifications. This will improve the accuracy, quality, and speed of requests and review decisions.

    Note

    Changes to the display name and description are not sent to the source.

  4. In the Access Request panel, set your access request configurations and select Save to save your changes.

Your changes will take effect immediately but may take a moment to display on the Entitlement Management page.

Updating Entitlement Status

To update the privileged or requestable status for an entitlement:

  1. Select the Actions icon for the entitlement you want to update.
  2. Select the status update you want to make from the dropdown menu.

Your changes will take effect immediately but may take a moment to display on the Entitlement Management page.

Revoking Entitlements

To revoke an entitlement for an identity:

  1. On the Entitlements page, select the entitlement you want to revoke.
  2. Select the Identities tab.
  3. Select Revoke for the identity you want to remove the entitlement from.
  4. Enter a comment about the revocation.
  5. Select Revoke. A success message appears confirming your request.

Viewing Entitlements with Critical Data

If your organization has SailPoint Data Access Security, you can view the classifications, policies, and data categories for the critical data that an entitlement grants access to.

  1. Go to Admin > Access Model > Entitlements.
  2. Find an entitlement with the critical data access flag.
  3. Select Actions > View Details.
  4. Select the Data Access tab to view the data’s classifications, policies, and categories.

For more information about critical data, refer to the Data Access Security documentation.

Working with Entitlements on Sources

Some information about entitlements can be modified on the entitlement's source. This includes marking entitlements as privileged, bulk updating attributes like display names and descriptions, and assigning entitlement owners.

Marking Privileged Entitlements on a Source

You can mark an entitlement as privileged to draw attention to it during certification campaigns. This flag appears everywhere the entitlement is displayed, including search and certifications.

Note

Any access profiles that contain a privileged entitlement are also marked as privileged.

To mark an entitlement privileged:

  1. Go to Admin > Connections > Sources, and select the source that contains the entitlements you want to edit.

  2. In the Entitlements tab, select the checkbox next to the entitlements you want to mark as privileged.

  3. Select the Actions dropdown menu and select Mark as Privileged.

Performing Bulk Entitlement Updates on a Source

Entitlement aggregation can read in display names and descriptions from the source. If these are missing or insufficient, you can change those values through a manual bulk edit.

  1. Go to Admin > Connections > Sources and select the source you need to edit.
  2. On the Entitlements tab, use the download CSV button to download a comma-separated values (CSV) list of the entitlements to your computer.
  3. Edit the file to fix any incorrect or incomplete entitlement data.
  4. Use the upload CSV button to upload your changes into IdentityNow.

Notes

  • Subsequent aggregations can replace blank display names or descriptions but will not overwrite existing values. This ensures that your manual edits do not get overwritten.
  • Entitlement descriptions can be up to 2000 characters. An error will occur if you attempt to upload a file containing descriptions that exceed that limit.
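Because the upload rejects the whole file when any description exceeds the limit, it is worth checking the edited CSV before uploading it. The following Python script is an added example, not code from SailPoint or from this documentation: it enforces the 2000-character limit, flags duplicate rows for the same entitlement, and points out blank display names that the upload will not fill. The column names (value, displayName, description) and the sample rows are my assumptions; use the header row of the CSV you actually downloaded.

```python
import csv
import io

# Limit stated on this page for the CSV upload.
MAX_DESCRIPTION_LEN = 2000

# Column names are an assumption for this example; use the header row of the
# CSV you downloaded from the source's Entitlements tab.
VALUE_COL = "value"
DISPLAY_COL = "displayName"
DESC_COL = "description"


def validate_entitlement_csv(text):
    """Check a hand-edited entitlement CSV before uploading it.

    Returns a list of (row_number, problem) tuples; row numbers count data rows
    from 1 (the header row is not counted). An empty list means the file passes
    these checks.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [c for c in (VALUE_COL, DISPLAY_COL, DESC_COL) if c not in headers]
    if missing:
        return [(0, "missing columns: " + ", ".join(missing))]

    problems = []
    seen = set()
    for n, row in enumerate(reader, start=1):
        value = (row.get(VALUE_COL) or "").strip()
        if not value:
            problems.append((n, "empty entitlement value"))
        elif value in seen:
            # Two rows for one entitlement make the upload result ambiguous.
            problems.append((n, "duplicate entitlement value %r" % value))
        seen.add(value)

        description = row.get(DESC_COL) or ""
        if len(description) > MAX_DESCRIPTION_LEN:
            # The upload rejects the whole file when any description is too long.
            problems.append((n, "description is %d characters (limit %d)"
                             % (len(description), MAX_DESCRIPTION_LEN)))

        if not (row.get(DISPLAY_COL) or "").strip():
            # A blank value is left for the next aggregation to fill in; flag it
            # so the editor knows this upload will not supply a display name.
            problems.append((n, "blank display name"))
    return problems


# Constructed sample export (not real data): one good row, one duplicate,
# one row with a blank display name, and one description over the limit.
SAMPLE_CSV = (
    "value,displayName,description\n"
    "finance-admins,Finance Admins,Full access to the general ledger\n"
    "finance-admins,Finance Admins,Duplicate row for the same entitlement\n"
    "hr-readonly,,\n"
    "too-long,Too Long," + ("x" * (MAX_DESCRIPTION_LEN + 1)) + "\n"
)

if __name__ == "__main__":
    for row_number, problem in validate_entitlement_csv(SAMPLE_CSV):
        print("row %d: %s" % (row_number, problem))
```

Run it against the downloaded file (read it into `text`) before using the upload CSV button; fix every reported row, since a single over-long description fails the entire upload.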

Assigning Entitlement Owners on a Source

You can assign an entitlement owner who can be configured to review access requests for entitlements.

  1. Go to Admin > Connections > Sources.
  2. Select View for the source the entitlement is on.
  3. Select the Entitlements tab.
  4. Select the entitlement you want to assign an owner to.
  5. Select an identity from the Owner dropdown list.
  6. Select X to close the window.

Tip

An entitlement owner can also be assigned by submitting an API call with the Patch an entitlement endpoint.

Representing Nested Entitlements

IdentityNow supports hierarchical relationships between entitlements for source types where it applies. To configure parent and child relationships between entitlements in a .csv file, use the hierarchyAttribute of the Update Source Schema API.

Ways to Revoke Entitlements

You can revoke entitlements in the following ways:

Note

You can only submit revoke requests for one entitlement at a time through the Submit Access Request endpoint.
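The one-entitlement-per-request rule above is easy to trip over when scripting revocations. As an added example, not code from SailPoint or from this page, the Python helper below turns a list of entitlements into one Submit Access Request body each, and requires a revocation comment the way the UI flow does. The body layout (requestedFor, requestType, requestedItems) follows the v3 access-requests API as I know it; the identity and entitlement ids are placeholders, and you should confirm the field names against your tenant's API reference.

```python
import json

# Body shape for the Submit Access Request endpoint (POST /v3/access-requests)
# as I know the v3 API; confirm against your tenant's API reference.


def build_revoke_requests(identity_id, entitlement_ids, comment):
    """Return one request body per entitlement.

    Revoke requests accept a single entitlement per call, so a list of
    entitlements becomes a list of bodies rather than one body with several
    requestedItems. The comment is required because the UI revoke flow
    requires one and reviewers rely on it.
    """
    if not comment or not comment.strip():
        raise ValueError("a revocation comment is required")
    unique_ids = list(dict.fromkeys(entitlement_ids))  # drop duplicates, keep order
    if not unique_ids:
        raise ValueError("no entitlements to revoke")
    return [
        {
            "requestedFor": [identity_id],
            "requestType": "REVOKE_ACCESS",
            "requestedItems": [
                {"type": "ENTITLEMENT", "id": ent_id, "comment": comment.strip()}
            ],
        }
        for ent_id in unique_ids
    ]


def request_plan(bodies):
    """Human-readable plan so an operator can confirm before anything is sent."""
    return [
        "%s -> revoke ENTITLEMENT %s"
        % (body["requestedFor"][0], body["requestedItems"][0]["id"])
        for body in bodies
    ]


if __name__ == "__main__":
    # Placeholder ids, constructed for this example.
    bodies = build_revoke_requests(
        "IDENTITY-ID-PLACEHOLDER",
        ["ENTITLEMENT-ID-1", "ENTITLEMENT-ID-2", "ENTITLEMENT-ID-1"],
        "Access no longer needed after team change",
    )
    for line in request_plan(bodies):
        print(line)
    print(json.dumps(bodies[0], indent=2))
```

Each body is then posted separately; keeping the plan step lets you review exactly which identity loses which entitlement before the calls go out.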

Deleting Entitlements

Entitlements can't be deleted directly in IdentityNow. To remove an entitlement from IdentityNow, delete it from the source itself and run an entitlement aggregation.

Account aggregations never delete entitlements from IdentityNow, including source entitlements created solely through account aggregation. This is because an entitlement could still exist even if no accounts currently hold it.

Troubleshooting Entitlement Issues

The following list describes common entitlement issues and their solutions:

Entitlement names and descriptions are not aggregating from the source system.

Perform an entitlement aggregation for your source to pull in the display names and descriptions for all entitlements.

This will only replace values that have not been updated manually in IdentityNow. This is to protect and preserve any updates you make through the Entitlement Administration page, the IdentityNow API, or by using the CSV download/upload option. Once a value has been updated manually, an aggregation will not replace it.

If the aggregation doesn't update the entitlement description, the following may have occurred:

  • The entitlement description may have been manually updated in IdentityNow. You can check whether the description has been manually updated by using the Get an entitlement endpoint. If the manually_updated_fields property for the description is false, the description has not been manually updated since the first aggregation or on any subsequent aggregation. You can override the value for this property through the Patch an entitlement endpoint.

  • The description isn't mapped correctly in the source schema. To view your current mapping, submit an API call to the "Lists the Schemas that exist on the specified Source in IdentityNow" endpoint. If the mapping is incorrect, you can submit an API call using the Update Source Schema (Partial) endpoint to alter the group schema’s description attribute.

    Caution

    This endpoint allows you to change your schema definitions, which can change the data SailPoint stores for the source’s accounts and entitlements.
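To make the first check above concrete, and to show the Patch an entitlement call that the tip under Assigning Entitlement Owners on a Source also refers to, here is an added Python example that is not code from SailPoint or from this page. It reads the manually-updated flags from a Get an entitlement response, explains whether the next aggregation will touch the display name or description, and builds the JSON Patch body that resets a flag or assigns an owner. This page names the property manually_updated_fields; the beta API responses I have seen spell it manuallyUpdatedFields with DISPLAY_NAME and DESCRIPTION keys, so the code accepts both. The endpoint path, the patch paths, the sample entitlement and the placeholder ids are my assumptions.

```python
import json

# Constructed sample of a Get an entitlement response; ids are placeholders.
SAMPLE_ENTITLEMENT = {
    "id": "ENTITLEMENT-ID-PLACEHOLDER",
    "name": "Finance Admins",
    "description": "Edited by hand in IdentityNow",
    "manuallyUpdatedFields": {"DISPLAY_NAME": False, "DESCRIPTION": True},
}

TRACKED_FIELDS = ("DISPLAY_NAME", "DESCRIPTION")


def manually_updated_flags(entitlement):
    """Normalise the manually-updated flags from a Get an entitlement response.

    Accepts both the manually_updated_fields spelling used on this page and
    the manuallyUpdatedFields spelling seen in beta API responses (assumption).
    """
    flags = (entitlement.get("manuallyUpdatedFields")
             or entitlement.get("manually_updated_fields") or {})
    return {str(k).upper(): bool(v) for k, v in flags.items()}


def aggregation_will_update(entitlement, field):
    """True when the next entitlement aggregation may overwrite `field`."""
    return not manually_updated_flags(entitlement).get(field, False)


def explain(entitlement):
    """One line per tracked field saying why aggregation will or will not touch it."""
    lines = []
    for field in TRACKED_FIELDS:
        if aggregation_will_update(entitlement, field):
            lines.append("%s: not manually updated; aggregation may replace it" % field)
        else:
            lines.append("%s: manually updated in IdentityNow; aggregation leaves it alone" % field)
    return lines


def build_entitlement_patch(reset_fields=(), owner=None):
    """JSON Patch body for the Patch an entitlement endpoint.

    Assumed request: PATCH /beta/entitlements/{id} with
    Content-Type: application/json-patch+json. Resetting a flag to false lets
    the next aggregation replace that value again; `owner` is an identity
    reference {"id": ..., "name": ...} used to assign the entitlement owner.
    """
    ops = []
    for field in reset_fields:
        if field not in TRACKED_FIELDS:
            raise ValueError("unknown field %r" % field)
        ops.append({"op": "replace",
                    "path": "/manuallyUpdatedFields/" + field,
                    "value": False})
    if owner is not None:
        ops.append({"op": "replace", "path": "/owner",
                    "value": {"type": "IDENTITY",
                              "id": owner["id"], "name": owner["name"]}})
    return ops


if __name__ == "__main__":
    for line in explain(SAMPLE_ENTITLEMENT):
        print(line)
    patch = build_entitlement_patch(
        reset_fields=["DESCRIPTION"],
        owner={"id": "IDENTITY-ID-PLACEHOLDER", "name": "Entitlement Owner"},
    )
    print(json.dumps(patch, indent=2))
```

Resetting the flag is the right move only when the source value is now the one you want; otherwise the next aggregation will overwrite the hand-written description you were protecting.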

The wrong attribute has been used as the entitlement's display name.

Your entitlement schema defines which attribute is used as the display name. Use the Update Schema API to modify the display attribute designation.

If the entitlement schema for the source is editable in the user interface, you can also change it there:

  1. Go to Admin > Connections > Sources and select the source you want to edit.
  2. Select the Import Data tab and select Entitlement Types.
  3. Change the attribute designated as the Entitlement Name to the desired display attribute.
  4. Run an entitlement aggregation.
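The schema fixes on this page all go through the same Update Source Schema (Partial) call: pointing the display name at the right attribute (above), mapping the description (Troubleshooting), setting the hierarchyAttribute for nested entitlements, and enabling permissions on an existing source (the note under Viewing Entitlements). The Python helper below is an added example, not code from SailPoint or from this documentation. It summarises the current mapping of a group schema and builds the JSON Patch body, refusing to point displayAttribute or hierarchyAttribute at an attribute the schema does not have. The sample schema, the placeholder ids, the endpoint path, the includePermissions field, and the assumption that descriptions are read from an attribute named description are mine; confirm them against your tenant's API reference.

```python
import json

# Constructed sample of a Schema object as returned by listing a source's
# schemas (GET /v3/sources/{id}/schemas); field names as I know the v3 API.
SAMPLE_GROUP_SCHEMA = {
    "id": "SCHEMA-ID-PLACEHOLDER",
    "name": "group",
    "nativeObjectType": "Group",
    "identityAttribute": "cn",
    "displayAttribute": "cn",
    "hierarchyAttribute": None,
    "includePermissions": False,
    "attributes": [
        {"name": "cn", "type": "STRING", "description": "Common name",
         "isMulti": False, "isEntitlement": False, "isGroup": False},
        {"name": "displayName", "type": "STRING", "description": "Friendly name",
         "isMulti": False, "isEntitlement": False, "isGroup": False},
        {"name": "memberOf", "type": "STRING", "description": "Parent groups",
         "isMulti": True, "isEntitlement": True, "isGroup": True},
    ],
}

# Assumption: entitlement descriptions are read from an attribute with this name.
DESCRIPTION_ATTR = "description"


def attribute_names(schema):
    return [a["name"] for a in schema.get("attributes", [])]


def describe_mapping(schema):
    """Summarise which attributes feed the entitlement name, description and hierarchy."""
    names = attribute_names(schema)
    return {
        "displayAttribute": schema.get("displayAttribute"),
        "hasDescriptionAttribute": DESCRIPTION_ATTR in names,
        "hierarchyAttribute": schema.get("hierarchyAttribute"),
        "includePermissions": bool(schema.get("includePermissions")),
    }


def build_schema_patch(schema, display_attribute=None, hierarchy_attribute=None,
                       add_description=False, include_permissions=None):
    """JSON Patch body for the Update Source Schema (Partial) endpoint.

    Assumed request: PATCH /v3/sources/{sourceId}/schemas/{schemaId} with
    Content-Type: application/json-patch+json. Attributes named as the display
    or hierarchy attribute must already exist in the schema.
    """
    names = attribute_names(schema)
    ops = []
    if display_attribute is not None:
        if display_attribute not in names:
            raise ValueError("no attribute named %r in schema" % display_attribute)
        ops.append({"op": "replace", "path": "/displayAttribute",
                    "value": display_attribute})
    if hierarchy_attribute is not None:
        if hierarchy_attribute not in names:
            raise ValueError("no attribute named %r in schema" % hierarchy_attribute)
        ops.append({"op": "replace", "path": "/hierarchyAttribute",
                    "value": hierarchy_attribute})
    if add_description and DESCRIPTION_ATTR not in names:
        # Append a description attribute so aggregation has somewhere to map it.
        ops.append({"op": "add", "path": "/attributes/-", "value": {
            "name": DESCRIPTION_ATTR, "type": "STRING",
            "description": "Entitlement description",
            "isMulti": False, "isEntitlement": False, "isGroup": False}})
    if include_permissions is not None:
        ops.append({"op": "replace", "path": "/includePermissions",
                    "value": bool(include_permissions)})
    return ops


if __name__ == "__main__":
    print(json.dumps(describe_mapping(SAMPLE_GROUP_SCHEMA), indent=2))
    patch = build_schema_patch(SAMPLE_GROUP_SCHEMA, display_attribute="displayName",
                               hierarchy_attribute="memberOf", add_description=True,
                               include_permissions=True)
    print(json.dumps(patch, indent=2))
```

Read the schema first, review what describe_mapping reports, and apply only the operations you need: as the caution above says, a schema change alters the data stored for the source's accounts and entitlements, and an entitlement aggregation is still required afterwards for the new mapping to take effect.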