Clarity Entitlements

Much like Downstream Applications connected to Clarity, the entitlements listed under the Clarity Application are used to define access to Clarity itself. Clarity has several entitlements, each capable of granting a different type or level of access to the application. Some entitlements can be granted automatically when they login with SSO for the first time, see the section below for details: Granting Access.

Clarity Entitlements

The tables below describe functionality in Clarity and what Clarity Entitlements have permissions on those features. Please see the section below regarding granting someone access to Clarity.

Access Reviews

Alerts

Applications

Entitlements

File Exports (Access Reviews and Reports)

Identities

Reports

Roles

Settings (Clarity)

Tags

Workflows

Application, Role, and Entitlement Owners

Application Owner

The following are additional permissions granted to any Identities assigned as an Application Owner, limited to the specific application(s):

• View the application admin and marketplace
• View details about their application
• Update configurations for their application
• Delete their application
• Perform a manual sync of their application
• Delete attribute mappings for their application
• View entitlement details for their application's entitlements
• View the entitlements (list) admin

Role Owner

The following are additional permissions granted to any Identities assigned as a Role Owner, limited to the specific role(s):

• Create new roles
• Manage Role Access for their role

Entitlement Owner

The following are additional permissions granted to any Identities assigned as a Entitlement Owner, limited to the specific entitlement(s):

• Update entitlements they own
• View details about entitlements they own
• View the entitlements (list) admin

Manager, Base User, and End User

End Users and Managers have access to features in Clarity not outlined above, such as Self Service Access Requests, Approvals, and some Alert activities. They do not have any Global access on those items, which is why those entitlements aren't listed in the tables above.

Manager

Managers, similar to Access Certification Admins or Admins, can be set as the Default Reviewer. This is the standard entitlement to provide to someone who needs to perform the Review portion of an Access Review.

Base User

Base User is automatically granted and simply enables the ability for the Identity to log into the platform. See below about the Grant Clarity Login button.

End User

End User is automatically granted as described below, and provides the lowest level of access within Clarity. This entitlement primarily grants access to the Self Service Portal.

Granting Access

Grant Clarity Login

When you click the Grant Clarity Login button depicted below (this is found on the Identity page for the individual user), this enables the account to Login by granting them the Base User and End User entitlements.

First-time login with SSO

If you have SSO correctly configured for Clarity and login for the first time:

1. User attempts to log in to Clarity, which redirects to the SSO provider of your choice. The user enters their credentials into this service.
2. SSO Provider either approves or denies the login attempt (based on group membership in SSO Provider), and tells Clarity whether the login was successful. If successful, then the process continues to steps 3 and 4.
3. Clarity will add the Base User and End User entitlements, and add the user to the list of accounts with the ability to log in.
4. Clarity will also grant Manager entitlement if the Identity is assigned as a Reviewer on any active Access Reviews (at the time of first login only).

Need help?