Overview
Okta Entitlement Management is an efficient way not only to provision users with the entitlements they need to do their job, but also to enforce least privilege through more granular Access Certification Campaigns. To take advantage of these features, it is fundamental to first review the ways entitlements can be assigned and updated.
Applies To
- Okta OIG Entitlements
- Okta Identity Governance API
Entitlement Creation
According to the Create entitlements documentation, an entitlement can be created with either a string data type or a string array data type.
Datatypes
<string>: a list of one or more entitlement values, of which only one value can be assigned at a time.
<string array>: a list of one or more entitlement values, of which one or more values can be assigned at a time.
Entitlement Assignment
Entitlements within Okta can be granted using four methods:
- Policy rule: Birthright granting of entitlements based on a user's profile attributes and/or group membership. This requires that the user has already been assigned to the application (via a group or individually) with Policy selected as the Assignment method type.
- Entitlement Bundle: A grouping of one or more entitlements that can be requested through a self-service Access Request. Users can request a bundle whether or not they are already assigned to the application. Users already assigned with the Policy method stay Policy; users not yet assigned to the application are assigned by the Access Request with the Custom Assignment method type.
- Admin UI: Administrators can add or remove custom entitlements for a user on the Assignments tab of an application that uses entitlements. The user must already be assigned with either the Custom or the Policy Assignment method type. When a custom entitlement is assigned via the UI, the user is automatically switched to the Custom Assignment method type and is no longer eligible for policy-rule-based entitlements; all existing Entitlement Bundles and policy-based entitlements are converted to custom entitlements. At that point, the admin can decide which entitlements the user should keep.
- Grant API: Can grant a Policy, an Entitlement Bundle, or one or more custom entitlements. The same Assignment method type rules above apply.
Entitlement Assignment Types
Please see the OIG Entitlement Assignment Grant Types article on how these function.
Entitlement Grant Behavior
With various ways to assign entitlements to users, it is critical to understand how those entitlements behave once assigned.
Entitlement values of the <string> data type behave differently from those of the <string array> type, and they appear differently in the Admin Console. For instance, some applications restrict a user to a single value of a "Role" attribute at a time, such as "Appuser" or "Admin".
By default, <string> data type entitlements allow a user to hold only one value at a time in the assignment. In contrast, <string array> entitlements enable users to be assigned multiple values simultaneously. These are often referred to as additive entitlements and are commonly used to define additional permissions within an application. For example, a user might hold the role "Appuser" while also being granted specific permissions such as "Create a PO" or "Run a Report".
Viewing a User's Entitlements
Within Okta, there are multiple ways to view which entitlements are assigned to a user.
- Assignment tab, View access details menu
- Users Entitlements report
- Access Certification Campaign
This example focuses on how to view assigned entitlements in the Admin UI.
- View access details menu: Select the Assignments tab. On the right side of each user row is a kebab (three vertical dots) icon; the View access details menu is under it.
User Granted Entitlement Scenarios
Policy assignment method
- The application is configured to use entitlements. The example user is assigned to a group that is assigned to this application, or is assigned individually, with the Policy Assignment method selected. No entitlement Policy rules exist, or none apply to the example user.
User access details menu shows the following:
NOTE: The user shows no entitlements but is assigned with the Policy assignment method (Type). This means the user is eligible to be granted entitlements by Policy rules. If a rule changed so that it now targeted the example user, they would be granted the entitlements contained in that rule. The same user can also be granted additional Entitlement Bundles, either through an Access Request or via the API.
- The application is configured to use entitlements. The example user is assigned to a group that is assigned to this application. One or more entitlement Policy rules exist and grant the example user multiple entitlements.
User access details menu shows the following:
NOTE: This example user was granted one <string> entitlement value, appuser, under the Roles entitlement. They were also granted three <string array> entitlement values, perm1, perm2, and perm3, under the Permission entitlement.
- The same example user then requests access to an Entitlement Bundle using Access Requests. This bundle has an expiration of 8 hours.
Once approved, select the View access details menu and view what the example user (Carlos) has assigned.
NOTE: The example user now has entitlements granted from a Policy rule and from an Entitlement Bundle, and the bundle carries an expiration date. Notice that this user was granted a new entitlement value under Roles. Since Roles values are of data type <string>, only one can be assigned at a time. Notice also that the original "appuser" value is now greyed out, signifying that it was replaced by the new value "admin". The "admin" value is the effective value under the Roles entitlement.
Additionally, one other value was granted under the Purchasing entitlement. Purchasing is a <string array> entitlement, so "cutChecks" was added alongside the <string array> values the user already held (perm1, perm2, and perm3). String array entitlements are additive in this example.
- The same example user then requests access to an additional Entitlement Bundle using Access Requests. This bundle has an expiration of 6 hours.
NOTE: The example user now shows two bundles with two different expirations (bundles can also be assigned permanently), plus the entitlements granted via a Policy rule.
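The scenarios above can be replayed in code to make the <string> versus <string array> behaviour concrete. The following is an added example written for this article, not Okta code or an Okta API object: it models a user's grants (one from a Policy rule, two from time-limited Entitlement Bundles) and resolves the effective value per entitlement the way the console displays it, with the displaced <string> value reported as "replaced" (the greyed-out value) and <string array> values accumulated. The bundle names, the timestamps and the "approvePO" value are made up; the assumption that a replaced Policy value becomes effective again once the bundle that displaced it expires is the model's, not something the article states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model (not Okta code) of how <string> and <string array>
# entitlement values combine across Policy and Entitlement Bundle grants.


@dataclass(frozen=True)
class Entitlement:
    name: str
    multi_value: bool  # False: <string>, one value at a time; True: <string array>, additive


@dataclass(frozen=True)
class Grant:
    source: str                              # "POLICY" or "BUNDLE:<bundle name>"
    granted_at: datetime
    values: dict                             # entitlement name -> tuple of values
    expires_at: Optional[datetime] = None    # None: permanent


def active_grants(grants, now):
    """Grants that have not expired at `now`, oldest first."""
    live = [g for g in grants if g.expires_at is None or g.expires_at > now]
    return sorted(live, key=lambda g: g.granted_at)


def effective_entitlements(entitlements, grants, now):
    """Return {entitlement name: (effective values, replaced values)}.

    <string>: the most recently granted active value is effective and the
    value it displaced is reported as replaced (greyed out in the console).
    <string array>: every active value is effective; nothing is replaced.
    """
    kinds = {e.name: e.multi_value for e in entitlements}
    result = {}
    for g in active_grants(grants, now):
        for name, vals in g.values.items():
            effective, replaced = result.setdefault(name, (set(), set()))
            if kinds[name]:
                effective.update(vals)
            else:
                if len(vals) != 1:
                    raise ValueError(f"{name} is <string>: one value per grant")
                replaced.update(effective)      # the older value loses to the newer grant
                replaced.discard(vals[0])
                effective.clear()
                effective.add(vals[0])
    return result


# Scenario from the article: Policy grants appuser + perm1..3, an 8-hour bundle
# grants admin + cutChecks, a second 6-hour bundle grants one more Purchasing
# value.  Bundle names, timestamps and "approvePO" are constructed.
ENTITLEMENTS = [
    Entitlement("Roles", multi_value=False),
    Entitlement("Permission", multi_value=True),
    Entitlement("Purchasing", multi_value=True),
]
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("POLICY", T0,
          {"Roles": ("appuser",), "Permission": ("perm1", "perm2", "perm3")}),
    Grant("BUNDLE:Finance-Admin", T0 + timedelta(minutes=5),
          {"Roles": ("admin",), "Purchasing": ("cutChecks",)},
          expires_at=T0 + timedelta(hours=8, minutes=5)),
    Grant("BUNDLE:PO-Approver", T0 + timedelta(minutes=10),
          {"Purchasing": ("approvePO",)},
          expires_at=T0 + timedelta(hours=6, minutes=10)),
]


def snapshot(hours_after_t0):
    """Effective/replaced values some hours after T0, as sorted lists."""
    now = T0 + timedelta(hours=hours_after_t0)
    return {n: (sorted(e), sorted(r))
            for n, (e, r) in effective_entitlements(ENTITLEMENTS, GRANTS, now).items()}


if __name__ == "__main__":
    for h in (0.5, 7, 9):
        print(f"{h}h after approval:", snapshot(h))
```

Half an hour in, Roles resolves to admin with appuser replaced and Purchasing holds both array values; at seven hours the 6-hour bundle has expired and only cutChecks remains; at nine hours both bundles are gone and only the Policy grant is left.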
Custom assignment method assigned individually
- The example user is individually assigned to an application with entitlements. The entitlement Assignment method is set to Custom during assignment, and the admin must select one or more custom entitlements. Only "perm1" is selected.
View access details screen
NOTE: The example user shows Custom entitlements and not Policy. This means the user will not be granted any entitlements from existing or new Policy rules.
- The example user is individually assigned to the application by an Okta administrator with the Assignment method set to Custom values, and the admin assigns at least one entitlement, "perm1". The user then requests, and is approved for, a new Entitlement Bundle.
View access details screen
NOTE: As in the previous examples, the user can request and be granted additional Entitlement Bundles, but because they are treated as Custom, they will not be assigned any entitlements by way of Policy rules.
Custom assignment method assigned via Access Request
The example user is not assigned to an application with entitlements. The user requests access to an available Entitlement Bundle, and once approved, they are granted the bundle of entitlements and are assigned to the application, but with the Custom Assignment method. This means the user is not eligible for entitlements through Policy rules unless they are later reverted to Policy.
What is visible under User Access Details:
NOTE: The user is assigned to the application and is granted entitlements by way of Access Request. In this case, there is an expiration on both the entitlements and the application access. In this scenario, this screen does not show any Policy indicators, which means this user is assigned a Custom assignment Type. They are not eligible for entitlements via the Policy rule.
Converting users from Custom to Policy Assignment Type
Users who were first assigned to an application individually with Custom values selected, users assigned to an application by way of an Access Request, and users assigned with the Policy Assignment method who were then granted custom entitlements by an admin in the UI all end up with the Custom Assignment method and are not eligible for entitlements by way of Policy rules.
These users can be reverted to Policy, but this process revokes any custom entitlements granted by way of an Access Request or the Admin UI. To do so, open the View access details menu and select the Edit access button.
NOTE: In this example, this user was granted only by way of an Access Request.
Alternatively, if the admin then grants additional entitlements by way of the Admin UI, the user's entitlements collapse under the Custom header, and the Entitlement Bundle expiration seen previously is removed.
In either of the previous scenarios, a new button is now available called Revert to policy.
- When Revert to policy is selected, the user loses all entitlements in their existing grants and is then granted entitlements based on Policy rules.
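The Assignment method transitions described in this section, together with the Policy-versus-Custom eligibility rules from the Entitlement Assignment section, can be followed step by step in the following added example. It is written for this article and is not Okta code: it tracks one user's assignment type and grant sources through a Policy rule, an approved bundle request, an Admin UI custom grant, and a Revert to policy. The profile attribute, rule name, bundle name and "perm4" value are made up, and values are merged as plain sets, so single-value <string> replacement is deliberately not modelled here.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model (not Okta code) of the Policy/Custom assignment type
# transitions.  Profiles, rules and values are made up; values are merged as
# sets, so <string> single-value replacement is ignored in this model.


@dataclass
class PolicyRule:
    name: str
    applies_to: Callable[[dict], bool]   # predicate over the user's profile
    values: dict                          # entitlement name -> set of values


@dataclass
class Grant:
    source: str                           # "POLICY", "BUNDLE:<name>" or "CUSTOM"
    values: dict
    expires_in_hours: Optional[int] = None   # None: permanent


@dataclass
class AppAssignment:
    """One user's assignment to an entitlement-enabled application."""
    profile: dict
    assignment_type: Optional[str] = None   # None: not assigned; "POLICY" or "CUSTOM"
    grants: list = field(default_factory=list)

    def evaluate_policy(self, rules):
        """Re-apply Policy rules.  Only POLICY-type assignments are eligible."""
        if self.assignment_type != "POLICY":
            return False
        self.grants = [g for g in self.grants if g.source != "POLICY"]
        for rule in rules:
            if rule.applies_to(self.profile):
                self.grants.append(Grant("POLICY", rule.values))
        return True

    def approve_bundle_request(self, bundle, values, hours=None):
        """Approved Access Request: an unassigned user is assigned as CUSTOM,
        a POLICY user stays POLICY."""
        if self.assignment_type is None:
            self.assignment_type = "CUSTOM"
        self.grants.append(Grant(f"BUNDLE:{bundle}", values, hours))

    def admin_custom_grant(self, values):
        """Custom entitlement added in the Admin UI: the user becomes CUSTOM and
        every existing policy/bundle grant collapses into one permanent CUSTOM
        grant (expirations dropped) that the admin can then prune."""
        merged = {}
        for g in self.grants + [Grant("CUSTOM", values)]:
            for name, vals in g.values.items():
                merged.setdefault(name, set()).update(vals)
        self.assignment_type = "CUSTOM"
        self.grants = [Grant("CUSTOM", merged)]

    def revert_to_policy(self, rules):
        """Revert to policy: all existing grants are revoked, then rules re-run."""
        self.grants = []
        self.assignment_type = "POLICY"
        self.evaluate_policy(rules)

    def state(self):
        """(assignment type, sorted grant sources, sorted values per entitlement)."""
        values = {}
        for g in self.grants:
            for name, vals in g.values.items():
                values.setdefault(name, set()).update(vals)
        return (self.assignment_type,
                sorted(g.source for g in self.grants),
                {n: sorted(v) for n, v in sorted(values.items())})


# Constructed rule: finance users get appuser + perm1..3 as birthright entitlements.
RULES = [PolicyRule("finance-users",
                    lambda p: p.get("department") == "finance",
                    {"Roles": {"appuser"}, "Permission": {"perm1", "perm2", "perm3"}})]


def walkthrough():
    """Replay the article's scenarios; returns the state after each step."""
    steps = {}
    carlos = AppAssignment({"department": "finance"}, assignment_type="POLICY")
    carlos.evaluate_policy(RULES)
    steps["policy"] = carlos.state()
    carlos.approve_bundle_request("Finance-Admin",
                                  {"Roles": {"admin"}, "Purchasing": {"cutChecks"}}, hours=8)
    steps["policy+bundle"] = carlos.state()          # still POLICY, bundle has an expiration
    carlos.admin_custom_grant({"Permission": {"perm4"}})
    steps["custom"] = carlos.state()                 # everything collapsed under CUSTOM
    carlos.revert_to_policy(RULES)
    steps["reverted"] = carlos.state()               # custom/bundle grants gone, rule re-applied
    newcomer = AppAssignment({"department": "finance"})   # not yet assigned to the app
    newcomer.approve_bundle_request("Finance-Admin", {"Roles": {"admin"}}, hours=8)
    newcomer.evaluate_policy(RULES)                  # no effect: CUSTOM users get no rule grants
    steps["request-first"] = newcomer.state()
    return steps


if __name__ == "__main__":
    for step, state in walkthrough().items():
        print(step, state)
```

The "reverted" state equals the initial "policy" state, which is the practical consequence the section warns about: reverting does not merge, it revokes and re-evaluates. The "request-first" user, who was never assigned before requesting a bundle, lands as CUSTOM and stays ineligible for the finance rule even though their profile matches it.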
Summary
- Users initially assigned with the Policy Assignment method are eligible for entitlements via Policy rules and via Access Request Entitlement Bundles.
- Users initially assigned by way of an Access Request, or assigned individually by an admin with Custom values selected, are only eligible for entitlements by way of an Access Request or admin assignment.
- Users assigned or converted to the Custom Assignment type can be reverted back to Policy, but will lose any previously assigned entitlements or Entitlement Bundles.
Happy Governing!
Related References
- To view feature requests and upvote product enhancement requests, please visit the Okta Ideas page.
- Guide on using the Okta Identity Governance APIs
- OIG Assignment Grant Types
- Understanding Entitlement Grants
- Introducing “Request on Behalf of” for Okta Identity Governance
Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team.
