Unlocking Okta: Understanding Entitlements and Assignment Behavior
Okta Classic Engine
Identity Governance
Okta Identity Engine

Overview

 

Okta Entitlement Management is an efficient way not only to provision users with the entitlements they need to do their job, but also to enforce Least Privilege with more granular Access Certification Campaigns.  To take advantage of these features, it is fundamental to review the ways entitlements can be assigned and updated.

Applies To

  • Okta OIG Entitlements
  • Okta Identity Governance API

Entitlement Creation

If you follow the documentation here you will see that entitlements can be created either as a string-based attribute or as a string array.


Datatypes

  • <string> = a list of one or more entitlement values, of which only one value can be assigned at a time.

  • <string array> = a list of one or more entitlement values, of which one or more values can be assigned at a time.


Entitlement Assignment

 

Entitlements within Okta can be granted using four methods:

  • Policy rule: Birthright granting of entitlements based upon a user's profile attributes and/or group membership.  This requires that the user has been assigned to the application, via a group or individually, with Policy selected as the Assignment method type.
  • Entitlement Bundle: A grouping of one or more entitlements that can be requested through a self-service access request.  Users assigned or not assigned to an application can request a bundle.  Users previously assigned as Policy will stay Policy.  Users not already assigned to an application will be assigned via the Access Request and set to the Custom Assignment method type.
  • Admin UI: Administrators can add/remove Custom Entitlements for a user on the Assignments tab of an application that uses entitlements.  This method requires the user to be assigned with either the Custom or the Policy Assignment method type.  When a custom entitlement is assigned via the UI, the user is automatically switched to the Custom Assignment method type and is no longer eligible for Policy rule based entitlements.  All existing entitlement bundles or policy based entitlements are converted to custom.  At that point the Admin can decide which entitlements the user should keep.
  • Grant API: Can grant a Policy, an Entitlement Bundle, or one or more Custom Entitlements.  The same rules above apply for Assignment method types.

Entitlement Assignment Types


Please see the OIG Entitlement Assignment Grant Types article for how these function.

 

Entitlement Grant Behavior

 

With various ways to assign entitlements to users, it is critical to understand how those entitlements behave once assigned.

 

Entitlement values of the <string> data type function differently from those of the <string array> type, and they appear differently in the Admin Console.  For instance, some applications, like those using a “Role” attribute, restrict users to a single role at a time, such as “Appuser” or “Admin”.

By default, <string> data type entitlements allow a user to hold only one value at a time in the assignment.  In contrast, <string array> entitlements enable users to be assigned multiple values simultaneously.  These are often referred to as additive entitlements and are commonly used to define additional permissions within an application.  For example, a user might have the role “Appuser” while also being granted specific permissions, such as “Create a PO” or “Run a Report”.

 

Viewing a User's Entitlements

Within Okta, there are multiple ways to view which entitlements are assigned to a user:

  • Assignment Tab, View Access Details menu
  • Users Entitlements report
  • Access Certification Campaign

In this example, we are going to focus on how to view those assigned entitlements in the Admin UI.

 

  • View Access Details Menu:  Select the Assignments tab.  On the right side of each user you will see a kebab menu (three vertical dots).  That’s where the View access details menu exists.


101.png 

102.png

 

User Granted Entitlement Scenarios:

 

Policy assignment method

  1. Application is configured to use entitlements.
    This example user is assigned to this application, either through a group or individually, and the Policy Assignment method is selected.

No entitlement Policy Rules exist, or none apply to the example user based upon the rule conditions.

User access details menu shows the following:

103.png

Note:  The user does not show any entitlements but is assigned to Policy assignment method (Type).  This means the user is eligible to be granted entitlements with Policy rules.  If a rule had changed which now targeted the example user, they would then be granted those entitlements contained within the policy rule.

The same user can also be granted additional Entitlement Bundles either through an Access Request or via the API.

 

  2. Application is configured to use entitlements.
    This example user is assigned to a group that is assigned to this application.

One or more Entitlement Policy rules exist granting the example user multiple Entitlements.

User access details menu shows the following:

 

104.png

Note:  This example user was granted one <string> based entitlement value called appuser under the Roles entitlement.  They were also granted three <string array> based entitlement values of perm1, perm2 and perm3 under the Permission entitlement. 

  3. The same example user then goes and requests access to an Entitlement Bundle using Access Requests.  This bundle has an expiration of 8 hours.

105.png

 

Once approved, let’s now select the View access details menu and view what Carlos has assigned.

 

106.png

Note: The example user now has entitlements that have been granted from a Policy rule and from an Entitlement Bundle.  The bundle also has an expiration date on it.   You’ll notice that this user was granted a new entitlement value under Roles.  Since Roles entitlement values are data type <string> that means that only one can be assigned at a time.  You’ll also notice that the original entitlement of “appuser” is now greyed out.  This signifies that it was replaced by a new entitlement value of “admin”.  The “admin” entitlement value is the effective value under the Roles category of entitlements.

 

Additionally, one other entitlement value was granted under the Purchasing entitlement.  This entitlement is a <string array> based entitlement therefore the “cutChecks” entitlement was added to the other <string array> types of entitlements the user already had called perm1, perm2 and perm3.  String array based entitlements are additive in this example.

 

  4. The same example user then goes and requests access to an additional Entitlement Bundle using Access Requests.  This bundle has an expiration of 6 hours.

107.png

 

Note:  The example user now shows two bundles with two different expirations (can assign permanently as well) plus the entitlements granted via a Policy rule.

 

Custom assignment method assigned individually

 

  1. The example user is individually assigned to an application with entitlements.  The Entitlement assignment method is set to Custom during assignment, and the admin MUST select one or more custom entitlements.  Only “perm1” is selected.

108.png

View access details screen

 

109.png

Note: The example user shows Custom entitlements and not Policy.  This means the user will not be granted any entitlements from existing or new Policy rules.

 

  2. A user is individually assigned to an application by an Okta Administrator.  The Entitlement assignment method is set to Custom values, the admin assigns a minimum of one entitlement, “perm1”, and the user then requests and is approved for a new Entitlement Bundle.



110.png

View access details screen

 

111.png

Note:  Similar to the previous examples, the user can request and be granted additional Entitlement Bundles, but because they are seen as Custom they will not be assigned any entitlements by way of Policy rules.

 

Custom assignment method assigned via Access Request

 

  1. The example user is NOT assigned to an application with entitlements.  The user requests access to an available Entitlement Bundle; once approved, they are granted the Bundle of Entitlements and are assigned to the application, but with the Custom Assignment method.  This means the user will NEVER be eligible for entitlements through Policy rules.

 

What is visible under User Access Details:


112.png

Note:  The user is assigned to the application and is granted entitlements by way of an Access Request, in this case with an expiration on both the entitlements and the access to the application.  In this scenario the screen does not show any Policy indicators, which means this user is assigned the Custom assignment type.  They are not eligible for entitlements via Policy rules.

Converting users from Custom to Policy Assignment Type

 

  1. Users that were first assigned to an application individually with Custom values selected, OR users assigned to an application by way of an Access Request, OR users assigned with the Policy Assignment method but then granted custom entitlements by the Admin in the UI:

These users are aligned with the Custom Assignment method and are not eligible for entitlements by way of Policy rules.

 

These users can be reverted to Policy, but this process will revoke any custom entitlements granted by way of an Access Request or the admin UI.  To revert a user, open the View access details menu and select the Edit access button.

 

113.png



114.png

Note: In this example this user was granted entitlements only by way of an Access Request.

 

OR

 

If the admin then grants additional entitlements by way of the Admin UI, the user's entitlements will collapse under the Custom header and the Entitlement Bundle expiration seen previously is removed.

 

115.png

 

In either of the previous scenarios, a new button called Revert to policy is now visible.

When selected:

116.png

When reverted, as the dialog states, the user will lose all entitlements in their existing grants and will then be granted entitlements based upon Policy.

117.png

Summary

  • Users initially assigned under the Policy Assignment method are eligible for entitlements by way of Policy rules or Access Request Entitlement Bundles.

  • Users initially assigned by way of an Access Request, or assigned individually by an Admin with Custom values selected, are only eligible for entitlements by way of an access request or admin assignment.

  • Users assigned or converted to the Custom Assignment type can be reverted back to Policy but will lose any previously assigned entitlements or Entitlement Bundles.

Best Practice: Start with a Policy Assignment type if you ever plan in the future to take advantage of Policy rules.  That way previously assigned Entitlement Bundles won’t have to be re-requested or assigned via API after being reverted.
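To make the grant behavior in the scenarios and summary above concrete for an access review, here is an added Python model of those rules; it is not Okta's code or API, and the entitlement names, values, rule outputs, and the Grant/User helpers are constructed sample data and hypothetical names.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed schema: Roles is a <string> entitlement, the others are <string array>.
SCHEMA = {"Roles": "string", "Permission": "string_array", "Purchasing": "string_array"}

@dataclass
class Grant:
    source: str                      # "policy", "bundle" or "custom"
    values: dict                     # entitlement name -> list of values
    expires_hours: Optional[int] = None

@dataclass
class User:
    assignment_type: Optional[str] = None   # None = not assigned; "Policy" or "Custom"
    grants: list = field(default_factory=list)

def apply_policy(user, rule_values):
    """Policy rules only grant to a Policy-type user; a Custom user is never touched."""
    user.grants = [g for g in user.grants if g.source != "policy"]
    if user.assignment_type == "Policy" and rule_values:
        user.grants.insert(0, Grant("policy", rule_values))

def request_bundle(user, bundle_values, expires_hours=None):
    """Approved Access Request: an unassigned user becomes a Custom assignment."""
    if user.assignment_type is None:
        user.assignment_type = "Custom"
    user.grants.append(Grant("bundle", bundle_values, expires_hours))

def admin_grant_custom(user, values):
    """Admin UI grant: user becomes Custom; prior grants collapse to custom, losing expirations."""
    user.assignment_type = "Custom"
    user.grants = [Grant("custom", g.values) for g in user.grants] + [Grant("custom", values)]

def revert_to_policy(user, rule_values):
    """Revert to policy revokes all existing grants, then policy rules apply again."""
    user.grants = []
    user.assignment_type = "Policy"
    apply_policy(user, rule_values)

def effective(user):
    """<string>: latest grant wins, earlier values are superseded (greyed out); <string array>: additive."""
    current, superseded = {}, []
    for g in user.grants:
        for name, vals in g.values.items():
            if SCHEMA[name] == "string":
                if name in current and current[name] != vals[0]:
                    superseded.append((name, current[name]))
                current[name] = vals[0]
            else:
                current.setdefault(name, set()).update(vals)
    return current, superseded
```

Running the article's Policy-user scenario through it shows "admin" superseding "appuser" while the permissions accumulate, and a revert dropping everything the bundle granted.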

Happy Governing!

Related References

 

Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team. 
