Entitlements are the access rights an account has on a source. They're a key part of identity governance, and they feed into almost everything you do in IdentityNow.
Refer to Loading Entitlements for information on collecting entitlement data from sources.
Managing Entitlement Details
Some information about entitlements can be modified within IdentityNow, individually or through bulk operations. This includes marking entitlements as privileged and bulk updating attributes like display names and descriptions.
Marking Privileged Entitlements
You can mark an entitlement as privileged to draw attention to it during certification campaigns. This flag appears everywhere the entitlement is displayed, including search and certifications.
Any access profiles that contain a privileged entitlement are also marked as privileged.
To mark an entitlement privileged:
- Go to Admin > Connections > Sources, and select the source that contains the entitlements you want to edit.
- In the Entitlements tab, select the checkbox next to the entitlements you want to mark as privileged.
- Select the Actions dropdown menu and select Mark as Privileged.
Performing Bulk Entitlement Updates
Entitlement aggregation can read in display names and descriptions from the source. If these are missing or insufficient, you can provide replacement values through a manual bulk edit.
- Go to Admin > Connections > Sources and select the source you need to edit.
- On the Entitlements tab, use the download CSV button to download a comma separated values (CSV) list of the entitlements to your computer.
- Edit the file to fix any incorrect or incomplete entitlement data.
- Use the upload CSV button to upload your changes into IdentityNow.
Subsequent aggregations can replace blank display names or descriptions but will not overwrite existing values. This ensures that your manual edits are preserved.
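A pre-upload review of the edited file, as an added example that is not part of the IdentityNow documentation or product. It compares the downloaded CSV with the edited copy, lists display name and description changes, flags any other modification or added/removed row, and notes values left blank, which a later aggregation can still fill. The column names `id`, `displayName` and `description` are assumptions; match them to the header row of your own export.

```python
import csv
import io

# Hypothetical column names; check them against the header row of your own export.
KEY = "id"
EDITABLE = {"displayName", "description"}

def load(text):
    """Parse CSV text into {key: row}; reject duplicate keys."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row[KEY] in rows:
            raise ValueError(f"duplicate {KEY}: {row[KEY]}")
        rows[row[KEY]] = row
    return rows

def review(original_text, edited_text):
    """Compare the downloaded CSV with the edited copy and report what changed."""
    before, after = load(original_text), load(edited_text)
    report = {"changed": [], "unexpected": [], "blank": []}
    for key in sorted(before.keys() ^ after.keys()):
        report["unexpected"].append((key, "row added or removed"))
    for key in sorted(before.keys() & after.keys()):
        old, new = before[key], after[key]
        for col in sorted(old.keys() | new.keys(), key=str):
            if old.get(col) == new.get(col):
                continue
            if col in EDITABLE:
                report["changed"].append((key, col, old.get(col), new.get(col)))
            else:
                report["unexpected"].append((key, f"{col} modified"))
        for col in sorted(EDITABLE):
            if not (new.get(col) or "").strip():
                # Per the page, a later aggregation can still fill a blank value.
                report["blank"].append((key, col))
    return report

# Constructed sample data, not real export output.
ORIGINAL = """id,name,displayName,description
e1,CN=Admins,Admins,
e2,CN=Payroll,,
e3,CN=Audit,Audit,Read-only audit access
"""
EDITED = """id,name,displayName,description
e1,CN=Admins,Domain Admins,Full administrative control
e2,CN=Payroll-RW,Payroll,
"""

if __name__ == "__main__":
    print(review(ORIGINAL, EDITED))
```

Entries under `unexpected` are changes outside the display name and description columns and are worth resolving before upload, since the page describes the bulk edit as a way to fix those two attributes.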
Entitlements can't be deleted directly in IdentityNow. To delete an entitlement from IdentityNow, you must delete it from the source itself and then run an entitlement aggregation.
IdentityNow only deletes entitlements that were once aggregated in an entitlement aggregation and are no longer present in a subsequent entitlement aggregation.
Account aggregations never delete entitlements from IdentityNow. This is because an entitlement could still exist even if no accounts currently hold it. Even when a source's entitlements were created in IdentityNow through account aggregation, with no separate entitlement aggregation for that source, account aggregation will not delete entitlements.
Representing Nested Entitlements
IdentityNow supports hierarchical relationships between entitlements for source types where it applies. To configure parent/child relationships between entitlements in a CSV file, use the hierarchyAttribute of the replaceSchema API.
Entitlements are visible per identity, per source, and across sources in IdentityNow.
To view an identity's entitlements:
- Go to Admin > Identities > Identity List and select the name of the identity you want to view.
- On the Accounts tab, select the source you want to view. The identity's entitlements from that source are displayed in the Entitlements tab at the bottom of the page.
To view a source's entitlements:
- Go to Admin > Connections > Sources and select the source you want to view.
- Go to the Entitlements tab for a complete list of all entitlements from that source.
To view entitlements across sources:
- Use Search to specify your entitlement selection criteria.
- Examine the results on the Entitlements tab.
Entitlements are an important way of quantifying access in IdentityNow. They can be:
- Configured for direct access requests.
- Grouped with related entitlements in access profiles.
- Reviewed and managed in certifications.
Problem: Entitlements are missing display names or descriptions.
Solution: Perform an entitlement aggregation for your source to pull in the display names and descriptions for all entitlements.
This will only replace null values. Once a value exists, aggregation will not replace it. This is to protect and preserve any updates you make through the CSV download/upload option.
Problem: The wrong attribute has been used as the entitlement's display name.
Solution: Your entitlement schema defines which attribute is used as the display name. Use the Update Schema API to modify the display attribute designation. If the entitlement schema for the source is editable in the user interface, you can also change it there:
- Go to Admin > Connections > Sources and select the source you want to edit.
- Select the Import Data tab and select Entitlement Types.
- Change the attribute designated as the Account Name to the desired display attribute.
- Run an entitlement aggregation.