Managing Entitlements in IdentityNow

If you've loaded account information into IdentityNow from a source, you've also loaded or aggregated a set of entitlements associated with that source. Entitlements refer to the access rights, including group memberships or access permissions, that have been granted to a user who has an account on the related source. 

Aggregating entitlements you've already established allows IdentityNow to make sure all your users have access to everything they need, and automatically creates an entitlement catalog linked to that direct connect source.

Even though account aggregation loads account data from a source, you might only have one entitlement associated with each account. To make sure your users have access to everything they need, you should also aggregate additional entitlements separately.

Loading additional entitlements on a source:

  • Defines the entire catalog of entitlements associated with the source, including raw entitlement data or user-friendly descriptions of the entitlements.
  • Allows you to create an access profile, which can be used to provision apps or other access.
  • Updates any entitlements associated with user accounts that were already loaded into IdentityNow. 
  • Aggregates any parent-child relationships between entitlements.

Some types of newly created sources can aggregate the type of entitlement and the create, delete, read, and update permissions associated with them. To configure existing sources to support this functionality, update the entitlement schema associated with the source using the updateSchema API.

NOTE: If an entitlement is aggregated as part of an account aggregation, but IdentityNow doesn't detect it in any entitlement aggregations, the entitlement will be deleted from your site.


Creating an Entitlement Catalog for a Direct Connect Source


You can aggregate entitlements from a direct connect source just as you can aggregate accounts. You can also configure IdentityNow to aggregate entitlements on a schedule.

PREREQUISITE: Load accounts from a supported source. The use of emojis in entitlement names and descriptions is not supported – only string values are accepted.

Complete the following steps:

1. In the Admin interface, go to Connections > Sources.

2. Click a direct connect source.

3. Go to Import Data > Entitlement Aggregation.

4. Select one of the options described below:

  • Manual Aggregation - The aggregation begins immediately and occurs once.
  • Daily - The aggregation runs every day at the time and interval scheduled:
    • Time - The time of day at which the aggregation starts.
    • Recurring Every - Allows you to set an additional interval within the day. Set to 24 hours to aggregate once a day.
NOTE: The recurrence depends on the starting time. For example, if the Time is set to 2 pm and the recurrence is set to 8 hours, aggregation will occur twice every day.
  • Weekly - The aggregation runs every week:
    • Day - The day on which the aggregation runs.
    • Time - The time of day at which the aggregation starts.
  • Monthly - The aggregation runs every month:

    • Date - The day of the month on which the aggregation runs. This list only goes up to the 28th day of the month.
    • Time - The time of day at which the aggregation starts.

 

Creating an Entitlement Catalog for a Flat File Source


You can aggregate entitlements from a flat file source by uploading a flat file containing your entitlement data.

PREREQUISITE: Load accounts from a flat file.

Complete the following steps:

1. In the Admin interface, go to Connections > Sources.

2. Click a source that uses a flat file feed.

3. Go to Import Data > Import Entitlements.

4. Click Download to download the template.

IMPORTANT: The file you upload must use the column headings included in the entitlements file template. Column headings differ based on the type of source you're downloading entitlements from.

The most common type of flat file source is a delimited file.

If you need help filling in these columns for any source type, contact SailPoint Expert Services.

5. Either edit your existing entitlements file to include the column headings from the template or populate the entitlements data into the template.

The image on the right shows a completed file.

6. Save the file.

7. In the SailPoint Admin interface, click Import.

8. Select the file from step 6.

9. Click Open.

NOTE: Screenshots related to these files are examples only. Excel is not required.

Information about the file is loaded into the Current File section.

 

Editing the CSV File for a Delimited File Source


If you're uploading entitlements for your delimited file source, your CSV file must use the following headings:

  • id - the technical ID for the entitlement
  • name - the technical name for the entitlement
  • displayName - the name for the entitlement that displays in the IdentityNow UI
  • description - the description of the entitlement visible in the UI and during certifications

IMPORTANT: The use of emojis in entitlement names and descriptions is not supported – only string values are accepted.

In the Entitlements File Template, there are other column headers that are optional.
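
A pre-upload check for the delimited-file headings listed above, as an added example (not SailPoint code). The emoji heuristic and the empty-ID and duplicate-ID checks are assumptions of this example, not documented IdentityNow behavior; the sample file is constructed, apart from the DN and display name, which are this page's own example.

```python
import csv
import io
import unicodedata

# Headings the page requires for a delimited file source.
REQUIRED = ("id", "name", "displayName", "description")

def has_emoji(text):
    """Heuristic (assumption): treat 'Symbol, other' characters, the emoji
    variation selector and the zero-width joiner as emoji. Conservative:
    it also flags symbols such as the copyright sign."""
    return any(unicodedata.category(ch) == "So" or ch in "\ufe0f\u200d"
               for ch in text)

def validate_entitlements(csv_text):
    """Return a list of (row_number, problem) tuples; empty means clean."""
    # Spreadsheet tools may prepend a UTF-8 BOM, which would corrupt "id".
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    headers = reader.fieldnames or []
    problems = [(1, f"missing heading: {h}") for h in REQUIRED if h not in headers]
    if problems:
        return problems  # rows cannot be checked reliably without the headings
    seen = {}
    for row_no, row in enumerate(reader, start=2):  # row 1 is the heading row
        ent_id = (row["id"] or "").strip()
        if not ent_id:  # assumption: a technical ID must be present
            problems.append((row_no, "empty id"))
        elif ent_id in seen:  # assumption: technical IDs must be unique
            problems.append((row_no, f"duplicate id, first seen on row {seen[ent_id]}"))
        else:
            seen[ent_id] = row_no
        for col in ("name", "displayName", "description"):
            if has_emoji(row[col] or ""):
                problems.append((row_no, f"emoji in {col}"))
    return problems

# Constructed sample file; optional template columns would be ignored.
SAMPLE = (
    "id,name,displayName,description\n"
    '"cn=Acc-AP-Share,ou=Finance,ou=groups,dc=acme,dc=com",Acc-AP-Share,'
    "Financial Accounting Accounts Payable Share Drive,Read access to the AP share\n"
    "grp-2,Payroll,Payroll \U0001F4B0,Payroll approvers\n"
    "grp-2,Payroll-RO,Payroll Read Only,Duplicate technical ID\n"
)

if __name__ == "__main__":
    for row_no, problem in validate_entitlements(SAMPLE):
        print(f"row {row_no}: {problem}")
```
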

Editing Entitlements within IdentityNow


The entitlements you have loaded from a source might not be named in ways that are easily understood by your users. You can edit the names and descriptions of these entitlements so that they are easier to read and understand, both for Administrators who are giving users access to a specific app and for reviewers who are completing certifications. This allows reviewers to make more informed decisions about specific entitlements, and improves the accuracy and quality of the access granted.

IMPORTANT: The use of emojis in entitlement names and descriptions is not supported – only string values are accepted.

Having easy-to-read entitlements means that a reviewer can see, for example, that a user has access to a specific directory instead of trying to interpret a complex DN. For example, you might have an entitlement with an attribute value of cn=Acc-AP-Share,ou=Finance,ou=groups,dc=acme,dc=com. You can edit this to be displayed as "Financial Accounting Accounts Payable Share Drive".

Complete the following steps:

1. Go to Connections > Sources.

2. Click the source whose entitlements you want to edit.

3. Click Entitlements.

4. Review the list of entitlements to determine which, if any, need to be edited.

5. Click the Download CSV button.

6. Open the file.

7. Edit the values that you want to appear differently in the user interface.

8. Save the file.

9. In the admin interface, click the Upload CSV button.

10. Navigate to the file and open it.

The system displays a success message at the top of the page.

The new entitlement values display on the page.

 

If you need to change the attribute used as the description for your entitlements, you can do so using the Beta API /beta/sources/{sourceId}/schemas/{schemaId}, documented at https://api.sailpoint.com/.

Viewing the Entitlements Aggregated from a Source


After you've created an entitlement catalog for a source, you can verify that entitlements uploaded correctly or see which entitlements were loaded from a source on the Entitlements tab for the source.

NOTE: Clicking Add on this page takes you to the tab from which you can create an entitlement catalog.

Complete the following steps:

1. In the Admin interface, go to Connections > Sources.

2. Click on the source you want to review.

3. Click the Entitlements tab.

Under Entitlements, you can see a count of the entitlements connected to the source along with a list of entitlements.

Use the Search Entitlements field to search for all entitlements that contain the value you enter. The number of entitlements that match the search is displayed.

NOTE: The total number of entitlements displayed in the Entitlements tab does not change when you run a search.

On this page, you can also:

  • Mark an entitlement as privileged to draw certification reviewers' attention to an entitlement that grants users visibility to particularly sensitive data or significant permissions in your organization.
  • Edit the entitlements in IdentityNow.
  • Click an entitlement to view more information. In the dialog that appears, you can see the entitlement’s relationships. Entitlements from some sources might also display the type of entitlement, or the permissions they grant. 

Version history: Revision 13 of 13. Last update: Apr 28, 2021 04:14 PM.