Skip to content

Overview of Access

Managing and securing access is key to governing identities in the cloud. IdentityNow governs the following types of access:


Entitlements represent access rights on sources. Basic entitlement information can be aggregated with accounts, but performing regular entitlement-specific aggregations allows you to aggregate additional details about entitlements, as well as entitlements that don't belong to any users.

Nearly anywhere entitlements are visible, you can select them to find more information about them. In addition, you can view the following information about entitlements from select sources:

  • Cloud Access Details - If your site uses the Cloud Access Management Service you can see cloud details about some of your entitlements. To mark a source as Cloud Enabled, access the Update Schema API and set the configuration.cloudGoverned attribute to true. After this, entitlements from these sources might display a View Details button. Select this button to see whether this entitlement grants any cloud access, and details about that access.
  • Permissions - Permissions represent individual units of read/write/admin access to a system. If you have any direct or indirect permissions on your supported sources, they can be aggregated into IdentityNow. Direct permissions are aggregated as entitlements, and indirect permissions appear in the attributes of an entitlement.
  • Relationships - View the parent and child relationships each entitlement has.
  • Type - Some sources support multiple types of entitlements, each with a different attribute schema. You can view the type of entitlement.

You can see these details about entitlements everywhere entitlements are displayed in your site.


  • Not all sources support entitlement types, permissions, or relationships. See the source's connector documentation to find out whether it supports those attributes.
  • Newly created sources of supported types can aggregate entitlement types and permissions automatically. To configure an existing source to support this functionality, update the entitlement schema associated with the source using the updateSchema API.
  • If an entitlement is aggregated as part of an account aggregation, but IdentityNow doesn't detect it in subsequent entitlement aggregations, the entitlement will be deleted from your site.

Entitlements are used in many IdentityNow features, including:

  • Certifications: Entitlements can be revoked from an identity that doesn't need them anymore.
  • Roles: Role membership criteria can grant roles to identities based on whether they have an entitlement.

One of the most important functions of an entitlement is its use in access profiles.

Access Profiles

Access profiles are bundles of entitlements, representing a specific set of access from a source. They're the most important unit of access in IdentityNow, and they're used in many features, including:

  • Provisioning: Using the Provisioning service, lifecycle states and roles both grant access to users in the form of access profiles.
  • Certifications: Access profiles can be approved or revoked in certification campaigns, just like entitlements.
  • Access Requests: Assigning access profiles to apps allows your users to request access to an app. If the request is approved, the app and the access profile associated with it are granted to the user.