An Entitlement is a specific function, policy, resource, or license that is granted by a Downstream Application. Entitlements can also be consolidated into Entitlement Groups. Entitlements are fundamental to Identity governance because they clearly define the actions that users can take in an application. Entitlements enable an organization to deploy Role-Based Access Control (RBAC), achieve Compliance, and progress toward Zero Trust. Entitlements are generated automatically from your Downstream Applications.
What generates an Entitlement
Entitlement data is sourced from your Downstream Application. After configuring a Downstream Application within Clarity and performing a sync, Clarity will load the relevant user and entitlement data provided by the application.
What an Entitlement does
Entitlements are specific functions, policies, resources, or licenses granted to Service Users by the Downstream Application. These Entitlements provide a Service User with their effective access to different Downstream Applications, at different security levels. Temporary and permanent Exceptions to entitlements can be created for an individual Service User.
How Entitlements work
- Primary identity data stored on Downstream Applications is queried, imported, and written to an internal Clarity primary data store.
- Internal data is processed by Clarity to perform fundamental operations such as the creation, modification, or deletion of the Entitlement data.
- The processed data is then used to provision or de-provision Identities with their respective Entitlements.
Example Entitlement object:
"name": "Reliable Internetwork Troubleshooting Agent",
The different Entitlement Properties are:
Application, Entitlement, Identities, Roles, Resource/Type, Normal or High Risk, Definition, Owner, Tags, and Grant Type
Entitlements are grouped by their related Applications. For example, selecting the AWS application from the Entitlements screen will display all associated Entitlements. Selecting an Entitlement from the list will bring you to the details page listing any associated Identities or Roles. Selecting an individual Service User from the Identities opens the associated Attributes menu, which lists that Service User's Entitlements.
Entitlement Groups are Entitlements that have been grouped together based on need. These can comprise Entitlements grouped by application, role, or another purpose. This feature helps simplify managing multiple Entitlements for an Identity or Identities.
Bulk Editing Entitlements
The Bulk Edit option lets you manage multiple Entitlements at once, rather than individually. With the Bulk Edit option, you can modify the Risk, Definition, Owner, and Tags of multiple Entitlements at the same time.
Within an Identity, the Add Entitlements option can grant Temporary or Permanent Exceptions to Identities and Service Users. These Exceptions let you grant Entitlements on either a permanent or a temporary basis.
Entitlements are created when Clarity synchronizes with the corresponding Downstream Application. If there are changes made to Entitlement data after the initial sync, subsequent runs will update the associated records. A sync can be done manually, or on a schedule.
Modifications made to Entitlement data in the corresponding Application will be reflected in Clarity after synchronization occurs.
Entitlements that are deleted from an Application will be removed from Clarity on the next synchronization.
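The sync behavior described above (create on first sync, update on later runs, remove when deleted in the Application), sketched as an added example. This is not Clarity's code; the record fields, the `reconcile` function, and the sample data are assumptions modelled on the Entitlement Properties listed earlier.

```python
from dataclasses import dataclass


# Assumed record shape, loosely based on the Entitlement Properties above;
# this is not Clarity's real schema.
@dataclass(frozen=True)
class Entitlement:
    application: str
    name: str
    resource_type: str
    identities: frozenset


def reconcile(store, application, snapshot):
    """Apply one application's sync snapshot to the local store.

    store: dict keyed by (application, name) -> Entitlement, mutated in place.
    snapshot: Entitlement records reported by the application on this run.
    Returns the entitlement names created, updated and removed by this run.
    """
    incoming = {(e.application, e.name): e for e in snapshot
                if e.application == application}
    changes = {"created": [], "updated": [], "removed": []}

    for key, ent in incoming.items():
        if key not in store:
            changes["created"].append(ent.name)
        elif store[key] != ent:
            changes["updated"].append(ent.name)
        store[key] = ent

    # Only the synced application's records are candidates for removal;
    # entitlements of other applications are untouched by this run.
    for key in [k for k in store if k[0] == application and k not in incoming]:
        changes["removed"].append(key[1])
        del store[key]
    return {kind: sorted(names) for kind, names in changes.items()}


def demo():
    # Constructed sample data: one unrelated application plus two AWS syncs.
    store = {("ExampleApp", "helpdesk"):
             Entitlement("ExampleApp", "helpdesk", "role", frozenset({"carol"}))}
    initial = reconcile(store, "AWS", [
        Entitlement("AWS", "s3-read", "policy", frozenset({"alice"})),
        Entitlement("AWS", "ec2-admin", "policy", frozenset({"bob"}))])
    later = reconcile(store, "AWS", [
        Entitlement("AWS", "s3-read", "policy", frozenset({"alice", "dave"}))])
    return initial, later, sorted(store)
```

Reviewing the returned change lists after each run shows which grants appeared, changed membership, or disappeared since the previous sync.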
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.