What are Entitlements?
02 Dec 2024

An Entitlement is a specific function, policy, resource, or license that is granted by a Downstream Application. Entitlements can also be consolidated into Entitlement Groups. Entitlements are fundamental to Identity governance because they define precisely which actions a user can take in an application. Entitlements enable an organization to deploy Role-Based Access Control (RBAC), achieve Compliance, and progress toward Zero Trust. Entitlements are generated automatically from your Downstream Applications.


What generates an Entitlement

Entitlement data is sourced from your Downstream Application. After configuring a Downstream Application within Clarity and performing a sync, Clarity will load the relevant user and entitlement data provided by the application.


What an Entitlement does

Entitlements are specific functions, policies, resources, or licenses granted to Service Users by the Downstream Application. These Entitlements provide a Service User with their effective access to different Downstream Applications, at different security levels. Temporary and permanent Exceptions to entitlements can be created for an individual Service User.


How Entitlements work

  1. Primary identity data stored on Downstream Applications is queried, imported, and written to an internal Clarity primary data store.

  2. Internal data is processed by Clarity to perform fundamental operations such as the creation, modification, or deletion of the Entitlement data.

  3. The processed data is then used to provision or de-provision Identities with their respective Entitlements.

Example Entitlement object:

{
    "name": "Reliable Internetwork Troubleshooting Agent",
    "id": "176e50df-8d23-3d8b-4d4d-1623e0602255",
    "licenses": null,
    "groupTypes": ["Unified"],
    "mailEnabled": true,
    "securityEnabled": true
}

Entitlement Properties

The different Entitlement Properties are:

Application, Entitlement, Identities, Roles, Resource/Type, Normal or High Risk, Definition, Owner, Tags, and Grant Type

Entitlements

Entitlements are grouped by their related Applications. For example, selecting the AWS application from the Entitlements screen will display all associated Entitlements. Selecting an Entitlement from the list will bring you to the details page listing any associated Identities or Roles. If, from the Identities, you select an individual Service User, it will open the associated Attributes menu with a listing of the Service User Entitlements.

Entitlement Groups

Entitlement Groups are Entitlements that have been grouped together in Clarity. These can comprise Entitlements grouped by application, role, or another purpose. This feature helps you manage multiple Entitlements for an Identity or Identities.

Nested Entitlements

Nested Entitlements describe the case where, in certain Integrations, one Entitlement provides access to another Entitlement. Many Integrations support Groups as an Entitlement Type, and many of those also support adding a Group to a Group; this is what Clarity calls nested access.

Direct Assignment vs Inherited Access

Direct Assignment and Inherited are the two descriptors a Nested Entitlement can have. A common example, in an Integration like Microsoft Active Directory, is Group A being a member of Group B: adding a user to Group A also gives them Group B (a Direct Assignment to Group A and Inherited access to Group B).

Direct vs Inherited Example

Using the example above (but expanding): Group A is a member of Group B, and Group B is a member of Group C. If you add a user to Group A, they receive both Group B and Group C. This relationship between Group A and Group C is what we call Inherited.

Group A > Group B > Group C > Group D
Group A > Group B: Group A is a member of Group B
Group B > Group C: Group B is a member of Group C
Group C > Group D: Group C is a member of Group D

Example User is a member of Group A and Group D:

Group A (Direct): Our example user is directly assigned to this group, so they are a direct member.

Group B (Inherited): The example user only receives this Entitlement by being a member of Group A, so this is inherited (see the Group relationships listed above).

Group C (Inherited): The example user only receives this Entitlement by being a member of Group A, so this is inherited (see the Group relationships listed above).

Group D (Direct and Inherited): The example user is directly assigned to this group, so they are a direct member. The example user also receives this Entitlement by being a member of Group A, so this is also inherited (see the Group relationships listed above).
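The Direct vs Inherited classification above, worked out in code as an added example that is not part of the Clarity article or product. The membership chain and the dictionary that represents it are constructed here to match the A > B > C > D example; the walk also stops on circular group nesting, which the article does not cover.

```python
from collections import deque

# Constructed nesting chain from the article: A is a member of B, B of C, C of D.
# Key: a group; value: the groups it is itself a member of (assumed representation).
MEMBER_OF = {
    "Group A": ["Group B"],
    "Group B": ["Group C"],
    "Group C": ["Group D"],
    "Group D": [],
}


def resolve_access(direct_groups, member_of):
    """Map every group a user ends up in to "Direct", "Inherited" or "Direct and Inherited".

    direct_groups: groups the user is assigned to directly.
    member_of:     nesting graph, group -> list of groups it belongs to.
    The walk is breadth-first; 'seen' keeps it finite when an integration
    allows a group to be nested (directly or indirectly) inside itself.
    """
    direct = set(direct_groups)
    inherited = set()
    queue = deque(direct)
    seen = set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for parent in member_of.get(group, []):
            inherited.add(parent)  # reached through nesting, not assigned directly
            queue.append(parent)
    result = {}
    for group in direct | inherited:
        if group in direct and group in inherited:
            result[group] = "Direct and Inherited"
        elif group in direct:
            result[group] = "Direct"
        else:
            result[group] = "Inherited"
    return result


def inherited_only(access):
    """Groups held purely through nesting: removing a direct assignment alone will not revoke these."""
    return sorted(g for g, rel in access.items() if rel == "Inherited")


if __name__ == "__main__":
    for group, rel in sorted(resolve_access(["Group A", "Group D"], MEMBER_OF).items()):
        print(f"{group}: {rel}")
```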

Bulk Editing Entitlements

The Bulk Edit option lets you manage multiple Entitlements at once, rather than individually. With the Bulk Edit option, you can modify the Risk, Definition, Owner, and Tags of multiple Entitlements at the same time.

Entitlement Exceptions

Within an Identity, the Add Entitlements option can grant Temporary or Permanent Exceptions to Identities and Service Users. These Exceptions let you grant Entitlements on either a permanent or a temporary basis.


Creating Entitlements

Entitlements are created when Clarity synchronizes with the corresponding Downstream Application. If there are changes made to Entitlement data after the initial sync, subsequent runs will update the associated records. A sync can be done manually, or on a schedule.

Modifying Entitlements

Modifications made to Entitlement data in the corresponding Application will be reflected in Clarity after synchronization occurs.

Deleting Entitlements

Entitlements that are deleted from an Application will be removed from Clarity on the next synchronization.
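The sync lifecycle described under Creating, Modifying and Deleting Entitlements (and the create, modify, delete step under How Entitlements work), as an added example that is not Clarity's own code: it reconciles two constructed sync snapshots, in the object shape shown earlier in the article, against an internal store and reports what each sync created, changed and removed. The ids and names are placeholders.

```python
# Constructed entitlement objects in the shape the article shows; ids and names are placeholders.
PREVIOUS_SYNC = [
    {"id": "ent-0001", "name": "Helpdesk Operators", "licenses": None,
     "groupTypes": ["Unified"], "mailEnabled": True, "securityEnabled": True},
    {"id": "ent-0002", "name": "Legacy Reporting", "licenses": None,
     "groupTypes": [], "mailEnabled": False, "securityEnabled": True},
]
CURRENT_SYNC = [
    {"id": "ent-0001", "name": "Helpdesk Operators", "licenses": None,
     "groupTypes": ["Unified"], "mailEnabled": False, "securityEnabled": True},
    {"id": "ent-0003", "name": "Billing Admins", "licenses": None,
     "groupTypes": ["Unified"], "mailEnabled": True, "securityEnabled": True},
]


def changed_fields(old, new):
    """Names of the fields whose values differ between two entitlement records."""
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


def reconcile(store, synced):
    """Apply one sync to the internal store (a dict keyed by entitlement id).

    Returns a change report: created ids, modified ids with the fields that
    changed, and deleted ids. Records absent from the sync are removed from
    the store, which is the article's rule for entitlements deleted in the
    application.
    """
    incoming = {e["id"]: e for e in synced}
    created = sorted(i for i in incoming if i not in store)
    deleted = sorted(i for i in store if i not in incoming)
    modified = {i: changed_fields(store[i], incoming[i])
                for i in incoming if i in store and store[i] != incoming[i]}
    for i in deleted:
        del store[i]
    store.update(incoming)
    return {"created": created, "modified": modified, "deleted": deleted}


def run_two_syncs():
    """First sync creates every record; the second updates, adds and removes."""
    store = {}
    first = reconcile(store, PREVIOUS_SYNC)
    second = reconcile(store, CURRENT_SYNC)
    return first, second, store


if __name__ == "__main__":
    first, second, store = run_two_syncs()
    print("initial sync:", first)
    print("next sync:   ", second)
```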


If you have any problems, contact your customer success team. You can also reach our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.
