RapidIdentity Product Guide

Entitlements

The Entitlements section contains two categories: My Entitlements and Catalog.

An Entitlement is an abstracted representation of one or more levels of access in one or more systems. Entitlements are managed within RapidIdentity. Assigning an Entitlement to an Identity should result in RapidIdentity updating the target system to grant the appropriate access to the recipient. An Entitlement can represent an Account, Memberships (groups or roles), and/or Permissions in a local system.

An entitlement's configuration defines its function and which people or groups (or which attribute values) are allowed to request it. Some prerequisites must be in place before an entitlement can be created.

Prerequisites

A workflow is required for users to request an entitlement. See Workflows for details of this process.

For example, an active Request Time Off workflow can feed into an Entitlement; that workflow must exist before the entitlement can be created or requested.

Settings

The Settings menu is located at the bottom left of the screen and contains three different sections: General, Categories, and Data Classifications.

General

The General setting enables or disables wildcard searches in any tab and lets the administrator set the maximum attachment size in megabytes. It also lets the administrator change the Access Control setting that predetermines which users will have access to the provided content.

Categories

This section lists the categories to which resources belong. The list can be filtered by category name, description, or status. From this screen the administrator can delete a category by selecting its checkbox and clicking Delete, or view its details by clicking Details.

Edit a Category

Existing categories can be edited by clicking on the Edit button, located at the bottom of a detailed section.


The table below lists the mandatory fields that can be edited. Other fields can be added to suit the organization's needs.

Table 32. Category Details

Name: The name of the category, as it appears in the Categories section.

Description: A brief description of the category. This is the only optional field.

Status: Whether the category is active or inactive.

Access Control: Whether access control applies and, if so, whether it is role-based or attribute-based.


Once the necessary fields are edited, click Save.

Add a Category

New categories can be added by clicking the Add Category button located at the top right of the screen.


The fields for Add a Category are the same as those for Edit a Category. Once the necessary fields are edited, click Save.

Data Classifications

This section lists the data classifications to which entitlements belong. The list can be filtered by data classification name, description, or status. From this screen the administrator can delete a data classification by selecting its checkbox and clicking Delete, or view its details by clicking Details.

Edit a Data Classification

Existing data classifications can be edited by clicking on the Edit button, located at the bottom of a detailed section.


The table below lists the fields that can be edited.

Table 33. Data Classification Fields

Name: The name of the data classification, as it appears in the corresponding section.

Description: A brief description of the data classification. This is the only optional field.

Level: A numeric level that assists in grouping and displaying classifications; classifications can be shown in level order.

Color: A color that assists in grouping and displaying the classification.


Once the necessary fields are edited, click Save.

Add a Data Classification

New Data Classifications can be added by clicking Add Data Classification located at the top right of the screen.


The Add Data Classification menu has the same fields as Edit a Data Classification. Once the necessary fields are populated, click Save.

My Entitlements

The My Entitlements interface allows users to view all entitlements that have been granted to them at any time, including expired entitlements.

Users can choose either of two display options to view entitlements: List or Grid.


The grid view displays each entitlement as a card showing the entitlement name, description, and status.


Hovering over an entitlement card reveals additional actions: a details button appears, along with a Revoke or Request button, depending on the entitlement's state.


If action cannot be taken, the button will be replaced with one that corresponds to the current status of the entitlement.


The list view provides an entitlement table that allows users to see the expiration date, category, and data classification pertaining to the entitlement.


Users can also click History to view their history with a particular entitlement and Details to view any configured information provided with that entitlement.

The status of the entitlement is displayed as a symbol located between the checkbox and the entitlement logo and name.

Table 34. Entitlement Status Symbols

Blank: the user has no association with the entitlement.

X: a failed request.

Curved arrow: a pending request.

Check mark: an approved request.


Active entitlements can be revoked by selecting the entitlement and clicking Revoke.

If a user is not currently associated with an entitlement, the entitlement can be selected and the request can be submitted by clicking Re-Request.

Users can also print the data for their My Entitlements interface by clicking the Print button.

Catalog

The Catalog interface displays the collection of Entitlements that administrators define and make available for authorized users to request. Additionally, this section allows administrators to create and manage entitlements.

Users can only request entitlements that are shown as available to request. Administrators see all entitlements.

Entitlement Status Symbol

Eye: the entitlement is active.

Strikethrough eye: the entitlement is inactive.

The checkbox allows an entitlement to be selected. The buttons appearing in the footer depend on how many entitlements are selected at a given time. If one entitlement is selected, the footer will display the ability to Request, Delete or Clone the selected entitlement. If two or more entitlements are selected, the footer will display the ability to Request or Delete the selected entitlements.

Entitlement details can be viewed by clicking Details. The details section contains three tabs: General, Activity, and Relationships.

General

Initially, only the owner, data classification, and expiration are displayed in the General tab. Administrators can click Show Advanced Options to display the remaining fields, which are the same fields available when creating a new entitlement. The table below describes each editable field.

Table 35. Detail General Tab

Field Name

Description

Icon

Icon to associate with the entitlement when it is displayed in the UI. It can be uploaded from the user's local machine or selected from RapidIdentity's existing catalog of icons.

Name

Descriptive display name for the entitlement.

Description

A brief description can be entered for the entitlement, but is not required.

Owners

Displays the owner(s) of the entitlement.

Note

An entitlement owner is the primary contact for the entitlement and is responsible for Certification of entitlements or Extension of those that are about to expire. More than one entitlement owner can be assigned.

Data Classification

The Data Classification associated with the Entitlement. This serves as a label that describes the data associated with the entitlement.

Note

If no data classifications are present, select Create New and enter information for the Name, Description, Level, and Color fields.


Expiration

Defines when a granted entitlement will expire if not re-certified or extended by an Owner of the entitlement. To define the resource as never expiring, None can be selected.

Click the desired option and, if selecting days or date, click the listed value to configure.

Note

Options available to select from:

  • None

  • Time-based

  • Campaign-based

Time-based

If selected, the entitlement will expire in an indicated time (years, months, weeks, days, hours, minutes) from the time the entitlement is approved.

Note

The RapidIdentity jobs that run to expire entitlements run on a preset time interval. The exact time expected for an entitlement to expire may differ slightly from its actual expiration time.

Campaign-based

If selected, the entitlement expires on the selected date every year.

Binding

Number of instances per user allowed and whether they are bound, un-bound, single, or composite.

  • (SINGLE) One instance per user that can be requested, revoked, or can expire. A user can be associated to one instance of a single-bound entitlement at a given time and cannot request it again until it expires or is revoked.

    Example: Administrator Role, Help Desk Role, Access to Application, Splunk administrator for 4 hours

  • (MULTI_BOUND) Multiple instances per user. These are similar to single-bound entitlements, except the user can be associated to more than one multi-bound entitlement at any given time.

    Example: Scoped roles based on context, such as Administrator for a specific department

  • (MULTI_UNBOUND) Multiple instances per user that are not permanently tied to the user. These can be requested, but not revoked. Unbound entitlements are only associated with the user until the associated workflow completes.

    Example: Request log file, submit PTO request

  • (COMPOSITE) One instance per user. When a COMPOSITE entitlement is granted, associated entitlements will also be automatically requested for the user. The approver still has the option to Deny the associated entitlement request.

    Example: Grouping of Single Entitlement Bindings

Note

After selecting a binding, it is fixed. If an error occurs, the entitlement must be removed completely and the process to create a new entitlement must be reinitiated.

Status

Can be set to Active or Inactive.

Access Control

Required Field - Used to determine if attributes or roles will control access to the entitlement.

If set to Attribute-based, the Attribute ACL must be defined. This is the list of attribute values that are allowed access to the entitlement.

Note

This can be set to None.

Included Roles

Listed as a Required Field - This field determines the role(s) that will have access to this entitlement.

Action on this section is only required if Role-based Access Control is selected.

Excluded Roles

Listed as a Required Field - This field determines the role(s) that will not have access to this entitlement.

Action on this section is only required if Role-based Access Control is selected.

Priority

Orders this resource on the dashboard and requests tab. A priority of -1 gives it no special ordering. 1 is the top priority and is listed first.

Disable Certification/Extension

Disallows re-certification and extension of the granted entitlement.

May Not be Requested in UI

This prevents users from being able to request this particular entitlement.

Categories

Allows for categorization of the entitlements.

Note

If no Categories are present, select Create New and provide a Name and Description and set the Status to Active.

Grant Workflow

The Workflow Definition to use when the Entitlement is being granted.

Grant Workflow Form

If the Grant Workflow has forms defined, a form that should be used for the Entitlement grant process may be selected.

Revoke Workflow

The Workflow Definition to use when the Entitlement is being revoked. If not chosen, it defaults to the Grant Workflow.

Note

This option is not available for MULTI_UNBOUND Entitlements since those are not revocable.

Revoke Workflow Form

If the Revoke Workflow has forms defined, pick a form that should be used for the Entitlement revoke process.

Note

This option is not available for MULTI_UNBOUND Entitlements since those are not revocable.



Relationships

Displays any configured conflicts or dependencies. This section allows conflicts and dependencies to be defined or removed by dragging the elements to the desired sections.

Example

If Entitlement A is a dependency of Entitlement B, then you can only request Entitlement B if you have or are in the process of obtaining Entitlement A. In this situation, you would edit Entitlement B and add Entitlement A to its list of dependencies.

Entitled Users

Administrators and Entitlement owners can view users who are associated with the specified entitlement by clicking the Users button.


This allows the administrator or entitlement owner to view a list of entitled users for the selected entitlement. If no users are associated with the entitlement, the screen will display, "No results found."


If a user is not currently associated with an entitlement, the entitlement can be requested by clicking the Request button on the entitlement row in the list view, or on the card in the grid view.

If a user is not associated with any Entitlements, the screen will read "No Entitlements Found."

Add an Entitlement

Entitlements can be added from the Catalog interface. Follow these steps to add an entitlement.

  1. Select the Add Entitlement button located in the upper right portion of the window to create an entitlement.

  2. There will be two tabs: General and Relationships.

Add Entitlement - General Tab

The General tab allows Reports Admins to configure the settings that drive Entitlement permissions and define their workflows.

Table 36. General Tab

Field Name

Description

Icon

Icon to associate with the entitlement when it is displayed in the UI. It can be uploaded from the user's local machine or selected from RapidIdentity's existing catalog of icons.

Name

Descriptive display name for the entitlement.

Description

A brief description can be entered for the entitlement, but is not required.

Owners

Displays the owner(s) of the entitlement.

Note

An entitlement owner is the primary contact for the entitlement and is responsible for Certification of entitlements or Extension of those that are about to expire. More than one entitlement owner can be assigned.

Data Classification

The Data Classification associated with the Entitlement. This serves as a label that describes the data associated with the entitlement.

Note

If no data classifications are present, select Create New and enter information for the Name, Description, Level, and Color fields.


Expiration

Defines when a granted entitlement will expire if not re-certified or extended by an Owner of the entitlement. To define the resource as never expiring, None can be selected.

Click the desired option and, if selecting days or date, click the listed value to configure.

Note

Options available to select from:

  • None

  • Time-based

  • Campaign-based

Time-based

If selected, the entitlement will expire in an indicated time (years, months, weeks, days, hours, minutes) from the time the entitlement is approved.

Note

The RapidIdentity jobs that run to expire entitlements run on a preset time interval. The exact time expected for an entitlement to expire may differ slightly from its actual expiration time.

Campaign-based

If selected, the entitlement expires on the selected date every year.

Binding

Number of instances per user allowed and whether they are bound, un-bound, single, or composite.

  • (SINGLE) One instance per user that can be requested, revoked, or can expire. A user can be associated to one instance of a single-bound entitlement at a given time and cannot request it again until it expires or is revoked.

    Example: Administrator Role, Help Desk Role, Access to Application, Splunk administrator for 4 hours

  • (MULTI_BOUND) Multiple instances per user. These are similar to single-bound entitlements, except the user can be associated to more than one multi-bound entitlement at any given time.

    Example: Scoped roles based on context, such as Administrator for a specific department

  • (MULTI_UNBOUND) Multiple instances per user that are not permanently tied to the user. These can be requested, but not revoked. Unbound entitlements are only associated with the user until the associated workflow completes.

    Example: Request log file, submit PTO request

  • (COMPOSITE) One instance per user. When a COMPOSITE entitlement is granted, associated entitlements will also be automatically requested for the user. The approver still has the option to Deny the associated entitlement request.

    Example: Grouping of Single Entitlement Bindings

Note

After selecting a binding, it is fixed. If an error occurs, the entitlement must be removed completely and the process to create a new entitlement must be reinitiated.

Status

Can be set to Active or Inactive.

Access Control

Required Field - Used to determine if attributes or roles will control access to the entitlement.

If set to Attribute-based, the Attribute ACL must be defined. This is the list of attribute values that are allowed access to the entitlement.

Note

This can be set to None.

Included Roles

Listed as a Required Field - This field determines the role(s) that will have access to this entitlement.

Action on this section is only required if Role-based Access Control is selected.

Excluded Roles

Listed as a Required Field - This field determines the role(s) that will not have access to this entitlement.

Action on this section is only required if Role-based Access Control is selected.

Priority

Orders this resource on the dashboard and requests tab. A priority of -1 gives it no special ordering. 1 is the top priority and is listed first.

Disable Certification/Extension

Disallows re-certification and extension of the granted entitlement.

May Not be Requested in UI

This prevents users from being able to request this particular entitlement.

Categories

Allows for categorization of the entitlements.

Note

If no Categories are present, select Create New and provide a Name and Description and set the Status to Active.

Grant Workflow

The Workflow Definition to use when the Entitlement is being granted.

Grant Workflow Form

If the Grant Workflow has forms defined, a form that should be used for the Entitlement grant process may be selected.

Revoke Workflow

The Workflow Definition to use when the Entitlement is being revoked. If not chosen, it defaults to the Grant Workflow.

Note

This option is not available for MULTI_UNBOUND Entitlements since those are not revocable.

Revoke Workflow Form

If the Revoke Workflow has forms defined, pick a form that should be used for the Entitlement revoke process.

Note

This option is not available for MULTI_UNBOUND Entitlements since those are not revocable.



Add Entitlement - Relationships Tab

This is where Requests Admins set up relationships between entitlements. To define whether another existing entitlement is a conflict or a dependency of the current entitlement being added, drag the chosen Available Entitlement to either the Conflicts or Dependencies column upon creation.

Note

If Entitlement A is a dependency of Entitlement B, then a user can only request Entitlement B if they have or are in the process of obtaining Entitlement A.

If Entitlement A is a conflict with Entitlement B, then a user with Entitlement A cannot be approved for Entitlement B, or vice versa.
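As an added illustration (not RapidIdentity code), the binding, dependency, conflict, and role-based access rules described in the General and Relationships tabs above can be modelled as a request-eligibility check. The entitlement names, field names, grant states, and the tie-break that an excluded role overrides an included one are assumptions.

```python
# Added example, not RapidIdentity code: a model of the request rules described in
# the General and Relationships tabs. Names and tie-break rules are assumptions.
from dataclasses import dataclass, field
SINGLE, MULTI_BOUND, MULTI_UNBOUND, COMPOSITE = "SINGLE", "MULTI_BOUND", "MULTI_UNBOUND", "COMPOSITE"
LIVE_STATES = {"PENDING", "APPROVED"}  # "has or is in the process of obtaining"

@dataclass
class Entitlement:
    name: str
    binding: str
    access_control: str = "NONE"                # NONE, ROLE or ATTRIBUTE
    included_roles: set = field(default_factory=set)
    excluded_roles: set = field(default_factory=set)
    dependencies: set = field(default_factory=set)
    conflicts: set = field(default_factory=set)
    members: set = field(default_factory=set)   # entitlements bundled by a COMPOSITE

@dataclass
class Grant:
    entitlement: str
    status: str  # PENDING, APPROVED, FAILED, EXPIRED or REVOKED

def conflicts_of(catalog, name):
    """Conflicts are symmetric: A conflicting with B also blocks B once A is held."""
    return catalog[name].conflicts | {n for n, e in catalog.items() if name in e.conflicts}

def check_request(user_roles, grants, catalog, name):
    """Return the reasons a request would be refused; an empty list means allowed."""
    ent = catalog[name]
    held = {g.entitlement for g in grants if g.status in LIVE_STATES}
    reasons = []
    if ent.access_control == "ROLE":
        if user_roles & ent.excluded_roles:        # assumption: exclusion wins
            reasons.append("role excluded")
        elif not user_roles & ent.included_roles:
            reasons.append("role not included")
    # SINGLE and COMPOSITE allow one live instance per user; an expired or revoked
    # grant no longer counts, so the user may request again afterwards.
    if ent.binding in (SINGLE, COMPOSITE) and name in held:
        reasons.append("single-instance binding already held or pending")
    for dep in sorted(ent.dependencies):
        if dep not in held:
            reasons.append(f"missing dependency {dep}")
    for other in sorted(conflicts_of(catalog, name)):
        if other in held:
            reasons.append(f"conflicts with {other}")
    return reasons

def expand_request(catalog, name):
    """A COMPOSITE grant also requests each member; an approver can still deny them."""
    ent = catalog[name]
    return [name] + (sorted(ent.members) if ent.binding == COMPOSITE else [])

def can_revoke(catalog, name):
    """MULTI_UNBOUND entitlements end when their workflow completes; they are not revoked."""
    return catalog[name].binding != MULTI_UNBOUND

# Constructed sample catalog, for illustration only.
CATALOG = {
    "HelpDeskRole": Entitlement("HelpDeskRole", SINGLE, "ROLE", {"staff"}, {"contractor"}),
    "TicketSystem": Entitlement("TicketSystem", SINGLE, dependencies={"HelpDeskRole"}),
    "AuditorRole": Entitlement("AuditorRole", SINGLE, conflicts={"HelpDeskRole"}),
    "LogExport": Entitlement("LogExport", MULTI_UNBOUND),
    "Onboarding": Entitlement("Onboarding", COMPOSITE, members={"HelpDeskRole", "TicketSystem"}),
}
```

The check treats a pending grant as satisfying a dependency, matching the "have or are in the process of obtaining" wording, and lets a SINGLE entitlement be requested again once its earlier grant has expired or been revoked.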

Request an Entitlement

Follow these two steps to request an entitlement.

  1. For an entitlement that has previously been requested, click the Request button on the entitlement row in the list view (or on the card in the grid view). For new entitlements, select one or more entitlements from the catalog and click the Request button.


    Note

    Adding text and comments to the request is optional.

  2. Click Request.

Requesting Multiple Entitlements

More than one entitlement can be requested at a time. Users select multiple entitlements and click Request. The Request dialog presents each entitlement separately, and users can optionally add comments to each request. Click Next to step through the entitlements until the last one being requested is presented.


Then, click Request to complete the multiple entitlement request.
