Understanding Entitlement Grants
Identity Governance
Okta Classic Engine
Okta Identity Engine

Familiarity with the various methods for granting entitlements is crucial. To ensure a shared understanding, let us first establish a clear definition of entitlements. Following this, guidance will be provided on how to best utilize them within an organization.

Overview

Entitlement Management offers a simple and powerful way to ensure that users in an organization have the right permissions for each resource. The feature is integrated with Access Requests and Access Certifications to help manage and monitor users' access to resources. It is also possible to manage their level of access within these resources and how the access was granted from the Admin Console. Use Entitlement Management to help meet audit and compliance requirements.

With Entitlement Management, it is possible to create, store, and manage application entitlements in Okta. Assign entitlements using policy or individually from the Admin Console. This reduces the accumulation of elevated user privileges. It also simplifies the Universal Directory setup because it is not necessary to use groups to govern users' application entitlements.

Group the entitlements into bundles for users to request them through self-service Access Requests. The requests are automatically routed to one or more approvers for action. This improves efficiency for the IT teams. Use Access Certifications campaigns along with Entitlement Management to audit and review user entitlements.

It is possible to obtain User entitlements, past access requests, past campaign details, and past campaign summary reports.

 

Applies To

  • Access Certifications
  • Access Requests (Request Types and Conditions)
  • Entitlement Management

 

GRANT TYPES  

Entitlements can be granted in 4 different ways using Okta Identity Governance: 

  • Policy Rules
  • Entitlement Bundles
  • Admin granted entitlements in UI
  • Granting entitlements via API

Policy Rules

Here is the guide on how to create policy rules.

Policy rules are created right within the Governance tab.  Think of Policy Rules as the Group Rules of entitlements.  They are Birthright-level policies.

Below is an example view of policy rules related to a test instance of Salesforce:

[Image: policy rules]

 

Entitlement Bundles

Here is the guide on how to create Entitlement Bundles.

Bundles are consumable via Request Types and Access Request Conditions.  They are self-service entitlement bundles. 

Below is an example view of entitlement Bundles related to a test instance of Salesforce.

[Image: view of entitlement Bundles]

 

Admin granted entitlements in UI

Administrators can easily grant additional entitlements in the UI. However, when assigning custom entitlements, no new policy grants will apply to the user until they are reverted to policy again.

To assign a new custom entitlement:

  1. Log in to Okta as an Administrator with the Access Certification role or Super Admin.
  2. Select the application that uses Okta Identity Governance and Entitlements.
  3. Select the Assignment tab.
  4. Locate a user and click the 3 dots and select View access details.

[Image: "View access details" option]

  5. Click Edit access on the next screen.
  6. Click Customize entitlements.

[Image: "Customize entitlements" option]

  7. Select additional custom entitlements.

NOTE: Note the caution when assigning custom entitlements.

  8. Click Save.

 

Admin granted entitlements via API

Administrators can easily grant additional entitlements using the API. The API allows assigning a user to a Policy, assigning a bundle, and assigning custom entitlements. NOTE: When assigning custom entitlements, no new policy grants will apply to the user until they are reverted to policy again.
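
The caveat in both admin-grant sections (custom entitlements stop new policy grants until the user is reverted to policy) is easy to lose track of during access reviews. The following is an added example, not Okta code and not part of the original article: a simplified Python model of that behavior, with a check that lists customized users and what policy would now grant them. The rule format, entitlement names, and function names are all constructed for illustration.

```python
# Simplified local model (assumption; not Okta's API or data format).
from dataclasses import dataclass, field

# Constructed policy rules: (user attribute, required value, entitlement granted)
POLICY_RULES = [
    ("department", "Sales", "Salesforce:Standard User"),
    ("department", "Sales", "Salesforce:Reports"),
    ("title", "Sales Manager", "Salesforce:Approve Discounts"),
]

@dataclass
class Assignment:
    user: str
    attrs: dict
    mode: str = "POLICY"                        # "POLICY" or "CUSTOM"
    custom: set = field(default_factory=set)    # only used while mode == "CUSTOM"

def policy_entitlements(attrs, rules=POLICY_RULES):
    """Entitlements the policy rules would grant for these attributes."""
    return {ent for key, value, ent in rules if attrs.get(key) == value}

def effective(a, rules=POLICY_RULES):
    """What the user actually holds: policy output, or the custom set as-is."""
    return set(a.custom) if a.mode == "CUSTOM" else policy_entitlements(a.attrs, rules)

def customize(a, extra, rules=POLICY_RULES):
    """Admin adds entitlements: snapshot current access plus the extras."""
    a.custom = effective(a, rules) | set(extra)
    a.mode = "CUSTOM"

def revert_to_policy(a):
    """Drop the custom set so policy rules apply to the user again."""
    a.mode, a.custom = "POLICY", set()

def drift_report(assignments, rules=POLICY_RULES):
    """For each customized user: what policy would add, and extras they hold."""
    report = {}
    for a in assignments:
        if a.mode != "CUSTOM":
            continue
        want, have = policy_entitlements(a.attrs, rules), effective(a, rules)
        report[a.user] = {"missing": sorted(want - have), "extra": sorted(have - want)}
    return report

def demo():
    alice = Assignment("alice", {"department": "Sales", "title": "Account Executive"})
    bob = Assignment("bob", {"department": "Sales", "title": "Account Executive"})
    customize(alice, {"Salesforce:Export Data"})
    # Both are promoted; only bob, still on policy, picks up the new grant.
    for a in (alice, bob):
        a.attrs["title"] = "Sales Manager"
    return alice, bob, drift_report([alice, bob])
```

In this model, the "missing" list is what a reviewer would reconcile before reverting a user to policy, and the "extra" list is the manually granted access to re-justify or remove.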

Happy Governing!
 

Related References

Training:

Below are other resources that can help in becoming familiar with Okta Identity Governance:

Learn about the new capabilities available, Access Requests, Access Certifications, and more in this FAQ: Identity Governance FAQs

Limitations: Existing Cloud Entitlement Limitations
