What are Entitlements?
- Updated on 02 Dec 2024
An Entitlement is a specific function, policy, resource, or license that is granted by a Downstream Application. Entitlements can also be consolidated into Entitlement Groups. Entitlements are fundamental to identity governance because they define precisely which actions a user can take in an application. Entitlements enable an organization to deploy Role-Based Access Control (RBAC), achieve compliance, and progress toward Zero Trust. Entitlements are generated automatically from your Downstream Applications.
What generates an Entitlement
Entitlement data is sourced from your Downstream Application. After configuring a Downstream Application within Clarity and performing a sync, Clarity will load the relevant user and entitlement data provided by the application.
What an Entitlement does
Entitlements are specific functions, policies, resources, or licenses granted to Service Users by the Downstream Application. These Entitlements provide a Service User with their effective access to different Downstream Applications, at different security levels. Temporary and permanent Exceptions to entitlements can be created for an individual Service User.
How Entitlements work
Primary identity data stored on Downstream Applications is queried, imported, and written to an internal Clarity primary data store.
Internal data is processed by Clarity to perform fundamental operations such as the creation, modification, or deletion of the Entitlement data.
The processed data is then used to provision or de-provision Identities with their respective Entitlements.
Example Entitlement object:
```json
{
  "name": "Reliable Internetwork Troubleshooting Agent",
  "id": "176e50df-8d23-3d8b-4d4d-1623e0602255",
  "licenses": null,
  "groupTypes": ["Unified"],
  "mailEnabled": true,
  "securityEnabled": true
}
```
Entitlement Properties
The different Entitlement Properties are:
Application, Entitlement, Identities, Roles, Resource/Type, Normal or High Risk, Definition, Owner, Tags, and Grant Type
Entitlements
Entitlements are grouped by their related Applications. For example, selecting the AWS application from the Entitlements screen displays all of its associated Entitlements. Selecting an Entitlement from the list opens its details page, which lists any associated Identities or Roles. Selecting an individual Service User from the Identities list opens the associated Attributes menu, which lists that Service User's Entitlements.
Entitlement Groups
Entitlement Groups are Entitlements that have been grouped together in Clarity. These can comprise Entitlements grouped by application, role, or another purpose. This feature helps you manage multiple Entitlements for an Identity or Identities.
Nested Entitlements
Nested Entitlements describe the situation, in certain Integrations, where one Entitlement provides access to another Entitlement. Many Integrations support Groups as an Entitlement Type, and many of those also allow a Group to be added to another Group; this is what Clarity calls nested access.
Direct Assignment vs Inherited Access
Direct Assignment and Inherited are the two descriptors a Nested Entitlement can have. A common example, in an Integration such as Microsoft Active Directory, is Group A being a member of Group B: adding a user to Group A also gives them Group B (a Direct Assignment to Group A and Inherited access to Group B).
Direct vs Inherited Example
Expanding the example above: Group A is a member of Group B, and Group B is a member of Group C. If you add a user to Group A, they receive both Group B and Group C. The relationship between Group A and Group C is what we call Inherited.
Group A > Group B > Group C > Group D
Group A > Group B: Group A is a member of Group B
Group B > Group C: Group B is a member of Group C
Group C > Group D: Group C is a member of Group D
Example User is a member of Group A and Group D:
| Group | Relationship | Description |
|---|---|---|
| Group A | Direct | Our example user is directly assigned to this group, so they are a direct member. |
| Group B | Inherited | The example user only receives this Entitlement by being a member of Group A, so this is inherited (see the Group relationships for the example above). |
| Group C | Inherited | The example user only receives this Entitlement by being a member of Group A, so this is inherited (see the Group relationships for the example above). |
| Group D | Direct and Inherited | The example user is directly assigned to this group, so they are a direct member. The example user also receives this Entitlement by being a member of Group A, so this is also inherited (see the Group relationships for the example above). |
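The classification in the table above can be reproduced by walking the membership chain from the user's directly assigned groups. The following is an added example, not Clarity's own code: the `MEMBER_OF` graph and the group names are constructed to match the Group A > Group B > Group C > Group D chain described above, and the function names are assumptions. Beyond the table, it records the chain that grants each inherited group (useful when an access reviewer asks why a user holds a given group) and stops on membership cycles, which some directories permit.

```python
"""Resolve a user's effective group Entitlements through nested membership.

Added example (not Clarity's code). Classifies each effective group as
Direct, Inherited, or Direct and Inherited, as in the table above.
"""
from collections import deque

# Constructed data: each group maps to the groups it is a member of
# (child -> parents). Mirrors Group A > Group B > Group C > Group D.
MEMBER_OF = {
    "Group A": ["Group B"],
    "Group B": ["Group C"],
    "Group C": ["Group D"],
    "Group D": [],
}


def inherited_groups(direct, member_of):
    """Map every group reached transitively from the user's direct groups to
    the chain that grants it, e.g. {'Group C': ['Group A', 'Group B', 'Group C']}.

    Breadth-first, so the recorded chain is the shortest one. A group is only
    recorded once, and a chain is never extended back to its own origin, so a
    membership cycle (X in Y, Y in X) terminates instead of looping.
    """
    chains = {}
    queue = deque((g, [g]) for g in direct)
    while queue:
        group, chain = queue.popleft()
        for parent in member_of.get(group, []):
            if parent == chain[0] or parent in chains:
                continue
            chains[parent] = chain + [parent]
            queue.append((parent, chains[parent]))
    return chains


def classify_access(direct, member_of):
    """Return {group: 'Direct' | 'Inherited' | 'Direct and Inherited'} for
    every group the user effectively holds."""
    direct = set(direct)
    inherited = inherited_groups(direct, member_of)
    result = {}
    for group in direct | set(inherited):
        if group in direct and group in inherited:
            result[group] = "Direct and Inherited"
        elif group in direct:
            result[group] = "Direct"
        else:
            result[group] = "Inherited"
    return result


if __name__ == "__main__":
    # The example user from the table: directly in Group A and Group D.
    for group, kind in sorted(classify_access(["Group A", "Group D"], MEMBER_OF).items()):
        print(f"{group}: {kind}")
```

Running the module prints one line per group matching the Relationship column of the table; `inherited_groups` alone gives the full chain for each inherited group.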
Bulk Editing Entitlements
The Bulk Edit option lets you manage multiple Entitlements at once, rather than individually. With the Bulk Edit option, you can modify the Risk, Definition, Owner, and Tags of multiple Entitlements at the same time.
Entitlement Exceptions
Within an Identity, the Add Entitlements option can grant Temporary or Permanent Exceptions to Identities and Service Users. These Exceptions let you grant an Entitlement on either a permanent or a temporary basis.
Creating Entitlements
Entitlements are created when Clarity synchronizes with the corresponding Downstream Application. If there are changes made to Entitlement data after the initial sync, subsequent runs will update the associated records. A sync can be done manually, or on a schedule.
Modifying Entitlements
Modifications made to Entitlement data in the corresponding Application will be reflected in Clarity after synchronization occurs.
Deleting Entitlements
Entitlements that are deleted from an Application will be removed from Clarity on the next synchronization.
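The three sections above (Creating, Modifying, Deleting) describe one reconciliation step: the records held after the previous sync are compared with what the Downstream Application returns now. The following added example is not Clarity's own sync code; it assumes Entitlements are keyed by their `id`, that a sync returns the application's complete current list, and uses constructed sample payloads in the shape of the Example Entitlement object above (the second and third ids are placeholders). The deletion guard is a design choice of this example, not a documented product behaviour: because a deletion in the application removes the record, a truncated or empty sync response would otherwise remove every Entitlement, so the plan refuses to proceed when too large a share would be deleted.

```python
"""Plan create/update/delete actions from a Downstream Application sync.

Added example, not Clarity's code. Entitlement objects use the shape shown
under "Example Entitlement object"; sample data below is constructed.
"""

# Fields compared to decide whether an existing record needs updating.
COMPARED_FIELDS = ("name", "licenses", "groupTypes", "mailEnabled", "securityEnabled")

# Constructed: records held from the previous sync. First id is from the page's
# example object; "example-id-0002" is a placeholder.
PREVIOUS_SYNC = [
    {"name": "Reliable Internetwork Troubleshooting Agent",
     "id": "176e50df-8d23-3d8b-4d4d-1623e0602255",
     "licenses": None, "groupTypes": ["Unified"],
     "mailEnabled": True, "securityEnabled": True},
    {"name": "Finance Approvers", "id": "example-id-0002",
     "licenses": None, "groupTypes": [],
     "mailEnabled": False, "securityEnabled": True},
]

# Constructed: what the application returns on the current sync. The first
# record changed (mailEnabled), the second is gone, and a third is new.
CURRENT_SYNC = [
    {"name": "Reliable Internetwork Troubleshooting Agent",
     "id": "176e50df-8d23-3d8b-4d4d-1623e0602255",
     "licenses": None, "groupTypes": ["Unified"],
     "mailEnabled": False, "securityEnabled": True},
    {"name": "Audit Readers", "id": "example-id-0003",
     "licenses": None, "groupTypes": [],
     "mailEnabled": False, "securityEnabled": True},
]


def reconcile(existing, synced, max_delete_fraction=0.5):
    """Return {'create', 'update', 'delete', 'unchanged'} lists of ids.

    Raises RuntimeError if more than max_delete_fraction of the existing
    records would be deleted, which usually signals a partial sync result
    rather than a genuine mass removal in the application.
    """
    existing_by_id = {e["id"]: e for e in existing}
    synced_by_id = {e["id"]: e for e in synced}
    plan = {"create": [], "update": [], "delete": [], "unchanged": []}

    for eid, new in synced_by_id.items():
        old = existing_by_id.get(eid)
        if old is None:
            plan["create"].append(eid)
        elif any(old.get(f) != new.get(f) for f in COMPARED_FIELDS):
            plan["update"].append(eid)
        else:
            plan["unchanged"].append(eid)

    plan["delete"] = [eid for eid in existing_by_id if eid not in synced_by_id]

    if existing_by_id and len(plan["delete"]) / len(existing_by_id) > max_delete_fraction:
        raise RuntimeError(
            f"sync would delete {len(plan['delete'])} of {len(existing_by_id)} "
            "Entitlements; refusing without confirmation")
    return plan


def apply_plan(existing, synced, plan):
    """Produce the record list Clarity would hold after applying the plan."""
    synced_by_id = {e["id"]: e for e in synced}
    kept = [e for e in existing if e["id"] not in plan["delete"]]
    merged = [synced_by_id.get(e["id"], e) for e in kept]  # updates replace in place
    merged.extend(synced_by_id[eid] for eid in plan["create"])
    return merged


if __name__ == "__main__":
    plan = reconcile(PREVIOUS_SYNC, CURRENT_SYNC)
    for action, ids in plan.items():
        print(f"{action}: {ids}")
```

The plan is computed before anything is written, so it can be logged or reviewed; the same step runs whether the sync was started manually or on a schedule.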
If you have any problems, contact your customer success team. You can also reach our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.