This article provides answers to frequently asked questions about the Entitlement Management Platform.
- For more information about Entitlement Management, refer to Frequently Asked Questions About Entitlement Management.
- For more information about Integrations (Connectors) for Entitlement Management, refer to Frequently Asked Questions About Integrations (Connectors) for Entitlement Management.
- For more information about Governance for Entitlements, refer to Frequently Asked Questions About Governance for Entitlements.
- For more information about Integration with Access Requests and Access Certifications, refer to Frequently Asked Questions About Integration with Access Requests and Access Certifications.
- For more information about Okta Identity Governance, refer to Identity Governance FAQs.
Table of Contents
What are some new concepts that are introduced with Entitlement Management?
Can I turn on Entitlement Management for an app that leverages Fed Broker Mode?
How can I enable Entitlement Management for an eligible application in my Okta Org?
Which admins in Okta can manage entitlements (including adding entitlements, bundles, policy rules)?
Which admins in Okta can assign entitlements to users?
Which admins in Okta can view what entitlements users have?
Which admins are assigned to the Okta Entitlement Management app?
Are there any scale limitations for Entitlement Management?
Can I use Workflows or Okta APIs to create entitlements or entitlement bundles?
Once I create an entitlement or a bundle, how can I assign those entitlements?
Can I still use groups to assign entitlements, or must I create entitlement policies?
How often are policy rules evaluated?
If a user’s entitlements are updated, will the update be pushed to the downstream app?
Can I get a grant from multiple sources (e.g., Custom, Policy, and Access Requests)?
How does entitlement evaluation work if I have grants from multiple sources?
Will the new assignments experience be rolled out for all applications?
What are some new concepts that are introduced with Entitlement Management?
| Concept Name | Description |
|---|---|
| Entitlement | An entitlement is the category of permissions that allows users to perform specific actions in an application. For example, Role, License. |
| Entitlement Value | The specific permission of the Entitlement that can be set for users. For example, a Business Operations Manager may be an Entitlement Value of Role. |
| Bundle | A collection of related entitlements: entitlement value key-value pairs that can be assigned together as a single unit. For example, the Business Ops bundle may include Role: Business Operations Manager and License: Standard. |
| Policy | Programmatic rules that can use attributes to automate entitlement assignments. For example, if the user's department is BizOps, then assign the Role: Business Operations Manager. |
| Grant | The individual instance or event that changes a user’s entitlements. For example, John may receive a policy grant that assigned him the Role: Business Operations Manager. He can subsequently request additional entitlements, and those instances will create additional grants for John. |
Can I turn on Entitlement Management for an app that leverages Fed Broker Mode?
No.
How can I enable Entitlement Management for an eligible application in my Okta Org?
On the General tab of the eligible application, find the Identity Governance - Governance Engine section, click “Edit”, and then “Enable”.
Which admins in Okta can manage entitlements (including adding entitlements, bundles, policy rules)?
- Super admins
- App admins for the app(s) they can manage
- Custom roles with “Manage applications” permission for the app(s) they can manage
Which admins in Okta can assign entitlements to users?
- Super admins
- App admins for the app(s) they can manage
- Custom roles with “Manage applications” permission for the app(s) they can manage
Which admins in Okta can view what entitlements users have?
- Super admins
- App admins for the app(s) they can manage
- Read-only admins for the app(s) they can view
- Custom roles with “Manage applications” permission for the app(s) they can manage
Which admins are assigned to the Okta Entitlement Management app?
- Super admins
- App admins
- Read-only admins
- Custom roles with “Manage applications” permission
Are there any scale limitations for Entitlement Management?
| EA limits (enforced) | |
|---|---|
| Per org limits | |
| Number of Entitlement properties per org | 10K |
| Number of entitlement values per org | 150K |
| Number of entitlement bundles per org | 1000 |
| Per resource limits | |
| Number of policy rules per resource/application | 100 |
Can I use Workflows or Okta APIs to create entitlements or entitlement bundles?
You can use Workflows to create entitlements or bundles via the Entitlement Management APIs. However, please note that in order to access these APIs with Workflows, you will have to:
- Go to the Okta Workflows App in the Admin console and add the following API scopes to the Workflows application:
  - Okta.governance.entitlements.manage
  - Okta.governance.entitlements.read
- Create a custom connection to Okta using a new API token to leverage these APIs.
  - Note: This step is required until the first week of October. Afterwards, you can use the Okta connector.
Please use our API docs to get more information on the API structure and how to leverage these APIs to programmatically create entitlements or entitlement bundles.
Once I create an entitlement or a bundle, how can I assign those entitlements?
Entitlements can be assigned by policy rules or directly assigned manually by custom assignment. Entitlement Bundles can only be requested via Okta Access Requests at this time. For more information on configuring Access Requests, please see this help page.
Can I still use groups to assign entitlements, or must I create entitlement policies?
The recommended approach is to create entitlement policies to consolidate your business rules that assign entitlements in one place for a resource and minimize the need to manage many groups. However, group membership can be used as a criterion in the entitlement policy.
How often are policy rules evaluated?
We aim to evaluate policy rules for new assignments almost immediately after the assignment and then run a policy re-evaluation every 10 minutes thereafter to check for any changes. Depending on the number of users and policy rules in the org, times may vary.
If a user’s entitlements are updated, will the update be pushed to the downstream app?
Yes, we will support pushing user entitlement updates for 5 applications out-of-the-box (O365, SFDC, NetSuite, Box, Google Workspace) and for any apps that leverage the new SCIM framework for Entitlements. If an admin configures the application to update users, Okta will push the user’s profile and entitlements anytime there is a change to the user’s profile.
For other applications, customers may utilize Workflows to update downstream applications by utilizing our events and APIs.
Can I get a grant from multiple sources (e.g., Custom, Policy, and Access Requests)?
Yes. Users can get grants from Policy + Access Requests and Custom + Access Requests. Policy + Custom is not supported at this time.
How does entitlement evaluation work if I have grants from multiple sources?
For multi-valued entitlements (i.e., the downstream app accepts more than 1 value for this entitlement): the user will be given the superset of all values they receive through all the grants.
For single-value entitlements (i.e., the downstream app accepts only 1 value for this entitlement): the user will be granted at most one value, chosen in the following priority order:
1. The most recent non-policy grant
2. Highest priority policy rule (lowest priority number)
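The precedence rules above, modelled as an added Python example (not Okta's code or API) that an access reviewer can use to reason about which value a user ends up with. The `Grant` fields, the source labels, the timestamps and the sample grants are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    source: str        # "policy", "custom" or "access_request" (labels assumed here)
    entitlement: str   # e.g. "Role"
    value: str         # e.g. "Business Operations Manager"
    granted_at: int    # constructed timestamp; larger means more recent
    rule_priority: Optional[int] = None  # policy grants only; lower number wins


def effective_entitlements(grants, multi_valued):
    """Return {entitlement: set of values} under the precedence rules in this FAQ."""
    by_entitlement = {}
    for g in grants:
        by_entitlement.setdefault(g.entitlement, []).append(g)
    result = {}
    for name, gs in by_entitlement.items():
        if name in multi_valued:
            # Multi-valued: superset of every value from every grant.
            result[name] = {g.value for g in gs}
            continue
        non_policy = [g for g in gs if g.source != "policy"]
        if non_policy:
            # Single-valued: the most recent non-policy grant wins outright.
            winner = max(non_policy, key=lambda g: g.granted_at)
        else:
            # Otherwise the policy rule with the lowest priority number wins.
            winner = min(gs, key=lambda g: g.rule_priority)
        result[name] = {winner.value}
    return result


# Constructed sample data, not taken from a real org.
SAMPLE_GRANTS = [
    Grant("policy", "Role", "Business Operations Manager", 100, rule_priority=2),
    Grant("policy", "Role", "Viewer", 110, rule_priority=1),
    Grant("access_request", "Role", "Administrator", 150),
    Grant("access_request", "Role", "Auditor", 120),
    Grant("policy", "License", "Standard", 100, rule_priority=1),
    Grant("access_request", "License", "Premium", 130),
    Grant("policy", "Region", "EMEA", 100, rule_priority=5),
    Grant("policy", "Region", "APAC", 100, rule_priority=3),
]

if __name__ == "__main__":
    for name, values in effective_entitlements(SAMPLE_GRANTS, {"License"}).items():
        print(name, sorted(values))
```

In the sample, the single-valued Role resolves to the access-request value even though two policy rules also grant a Role, which is the case to look for when reviewing requested access against policy.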
Will the new assignments experience be rolled out for all applications?
We are only rolling out the new assignments experience for the Governance Engine-enabled applications.
