PingOne Advanced Identity Cloud

Manage entitlement lifecycle management

Entitlement lifecycle management (LCM) provides a form of delegated administration, allowing application owners, entitlement owners, and end users with scope permissions to manage entitlements in the applications available to them.

A key capability of Entitlement LCM is metadata management. Users need clear and accurate entitlement information when making requests or assigning permissions. Entitlement LCM enables organizations to maintain up-to-date entitlement attributes, preventing outdated or stale metadata from affecting decision-making.

Entitlement LCM also enforces policies by requiring approvals before entitlement changes take effect. This prevents users from granting excessive permissions without oversight, ensuring that access rights align with organizational policies.

Important points about Entitlement LCM

  • Personas involved in Entitlement LCM:

    • Administrator: A tenant administrator who has the rights to manage the system including applications and entitlements.

    • Application owner: A user listed as the owner of an application in Advanced Identity Cloud.

    • Entitlement owner: A user listed as the owner of the entitlement in Advanced Identity Cloud.

    • End user: An end user who uses Identity Governance. These users can be granted permissions to view entitlements, view users who have the entitlement (known as grants), and modify entitlements.

  • Each persona is granted a specific set of privileges in Entitlement LCM:

    Action                            Admin   Application Owner   Entitlement Owner   End user
    View entitlement                  Yes     Yes                 Yes                 If scoped
    View users who have entitlement   Yes     Yes                 Yes                 If scoped
    Create entitlement                Yes     Yes                 No                  If scoped
    Modify entitlement                Yes     Yes                 Yes                 If scoped

  • Scope permissions have been enhanced to grant users a specific subset of permissions based on the scoping rules defined.

    Permission            Applies to     Description
    View Applications     Applications   Allows the user to view matching applications. This scope is implicit when Create Entitlements is selected.
    Create Entitlements   Applications   Allows the user to create entitlements for the matching applications.
    View Entitlements     Entitlements   Allows the user to view matching entitlements. This scope is implicit when Modify Entitlements or View Grants is selected.
    Modify Entitlements   Entitlements   Allows the user to modify the matching entitlements.
    View Grants           Entitlements   Allows the user to view the other users who are assigned the entitlement.

  • Identity Governance API: Download the latest Identity Governance API YAML file. New endpoints support Entitlements LCM:

    • /iga/governance/application

    • /iga/governance/entitlement

    • /iga/governance/user/{userId}/privileges

  • New glossary attributes: There are two new out-of-the-box glossary schema attributes available for entitlements: parentEntitlement, entitlementType. These glossary schema attributes do not have any specific functional use within Identity Governance but are available for use at the customer’s discretion.

    For example, the two attributes as they appear in the glossary schema (a JSON array of attribute definitions):

    [
        {
            "displayName": "Parent Entitlement",
            "name": "parentEntitlement",
            "description": "Entitlement that is the direct parent of this entitlement",
            "objectType": "/openidm/managed/assignment",
            "type": "string"
        },
        {
            "displayName": "Entitlement Type",
            "name": "entitlementType",
            "description": "Type of entitlement",
            "objectType": "/openidm/managed/assignment",
            "type": "string"
        }
    ]
  • New workflows: Identity Governance introduces two new out-of-the-box workflows: Create Entitlement and Modify Entitlement.

    These workflows can’t be changed, but you can create a copy to customize them for specific use cases.

Enable Entitlement LCM

Tenant administrators must enable Entitlement LCM to activate the feature for their end users:

  1. In the Advanced Identity Cloud admin console, go to Governance > Requests.

  2. On the Requests page, click the Settings tab.

  3. In the Governance LCM section, click Activate.

  4. In the Governance LCM modal, read what activating this feature entails, and click Next.

  5. In the Governance LCM modal, click Entitlement LCM, and then click Activate. The governance LCM is now active on your tenant.

    Enable governance LCM on the Requests page.

Add scopes

Scopes provide the permissions that let end users take action only on the applications and entitlements to which they are permitted. Tenant or governance administrators assign these scopes to end users.

For example, when you assign a scope for an application with the Create Entitlements permission, the end user can create entitlements for the application in that scope. However, this doesn’t mean they can view entitlements. For that, they must have the View Entitlements permission.

The following rules apply to scope permission:

  • If end users have scope permissions for view entitlements, they can view those entitlements regardless of the application permissions.

  • If end users have modify permissions, they can modify the entitlements they can see.

  • If end users have view grant permissions, they can view the users of the entitlements they can see.
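As an added example (not Ping Identity's code and not the product's actual policy engine), the following Python applies this page's scoping rules, the All/Any conditions, and the implicit-permission table to constructed sample data; the property names, the way a scope is represented, and the sample values are assumptions.

```python
# Operators named in the scope UI on this page ("is", "contains").
OPERATORS = {"is": lambda actual, expected: actual == expected,
             "contains": lambda actual, expected: expected in str(actual)}

# Implicit scope permissions from the permission table above.
IMPLIED = {"Create Entitlements": {"View Applications"},
           "Modify Entitlements": {"View Entitlements"},
           "View Grants": {"View Entitlements"}}

def rule_matches(obj, rule_set):
    """True when `obj` satisfies the rules under the All/Any condition."""
    hits = [OPERATORS[op](obj.get(prop), value) for prop, op, value in rule_set["rules"]]
    return all(hits) if rule_set["condition"] == "All" else any(hits)

def expand(permissions):
    """Add the permissions that are implicit in the selected ones."""
    return set(permissions).union(*(IMPLIED.get(p, set()) for p in permissions))

def effective_permissions(user, scope, application, entitlement):
    """Permissions `user` gains on `entitlement` (of `application`) through `scope`."""
    if not rule_matches(user, scope["applies_to"]):  # the scope's "Applies to" page
        return set()
    granted = set()
    # The "Access" page: application rules and entitlement rules are evaluated separately,
    # so Create Entitlements on an application does not imply viewing its entitlements.
    for kind, target in (("applications", application), ("entitlements", entitlement)):
        access = scope["access"].get(kind)
        if access and rule_matches(target, access):
            granted |= expand(access["permissions"])
    return granted

# Constructed sample scope, user, application and entitlements (hypothetical values).
SCOPE = {
    "applies_to": {"condition": "All", "rules": [("userName", "contains", "achorn")]},
    "access": {
        "applications": {"condition": "Any", "rules": [("name", "is", "Payroll")],
                         "permissions": ["Create Entitlements"]},
        "entitlements": {"condition": "All", "rules": [("application", "is", "Payroll")],
                         "permissions": ["Modify Entitlements", "View Grants"]},
    },
}
OWNER = {"userName": "veronica.achorn"}
PAYROLL = {"name": "Payroll"}
PAYROLL_ADMIN = {"name": "Payroll Admin", "application": "Payroll"}
HR_VIEWER = {"name": "HR Viewer", "application": "HR"}  # not covered by the entitlement rule
```

Running `effective_permissions(OWNER, SCOPE, PAYROLL, HR_VIEWER)` shows the point made above: the owner can create entitlements in Payroll but gets no view or modify rights on an entitlement the entitlement rule does not match.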

To add scopes:

  1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

  2. In the Advanced Identity Cloud admin console, go to Governance > Scopes.

  3. Click New Scope.

  4. On the New Scope page, enter the following in the Details section:

    1. Name: Enter the name for the scope.

    2. Description: Enter a description for the scope.

    3. Click Next.

      Scope details page displaying name and description
  5. On the Applies to page, define which users should be subject to this scope. Decide if you want to grant application or entitlement permissions to the end user.

    1. Select if the All or Any condition must be met.

    2. Select a property for this scoping rule. For example, select userName.

    3. Select an operator for the scoping rule. For example, select contains.

    4. Enter an entitlement.

    5. If you want to add another rule, click add and repeat the steps.

    6. Click Next.

      Scope `applies to` page defining the user to which the scope applies.
  6. On the Access page, enter the following, depending on whether you are granting application or entitlement permissions:

    • For application permissions:

      1. Select the Applications checkbox.

      2. Click All Applications or Applications matching a filter. For this example, click Applications matching a filter.

      3. Select if All or Any condition must be met.

      4. Select a property for this scoping rule. For example, select name.

      5. Select an operator for the scoping rule. For example, select is.

      6. Enter an application.

      7. If you want to add another rule, click add and repeat the steps.

      8. Click Create Entitlements.

        The View Applications scope permission is also included.

      9. Click Save.

        The end user now has the permission to create new entitlements for the matching application.

        Scope access displaying the filters for the application.
    • For entitlement permissions:

      1. Select the Entitlements checkbox.

      2. Click All Entitlements or Entitlements matching a filter. For this example, click Entitlements matching a filter.

      3. Select if the All or Any condition must be met.

      4. Select a property for this scoping rule. For example, select userName.

      5. Select an operator for the scoping rule. For example, select is.

      6. Enter a user.

      7. If you want to add another rule, click add and repeat the steps.

      8. Click Modify Entitlements.

        The View Entitlements scope permission is also included.

      9. Click View Grants to allow the end user to view who has the entitlement.

      10. Click Save.

        Scope access displaying the filters for the entitlement.

Application tasks

End users with application permissions on entitlements can only work with entitlements specific to the application. They can:

View entitlements in an application

  1. In the Advanced Identity Cloud end-user UI, sign on as your test application owner: veronica.achorn.

  2. Go to Administer > Entitlements. All entitlements specific to the selected application are displayed.

    View entitlements for application owners.
  3. From here, the end user can:

    • View all entitlements specific to the application.

    • View the details, object properties, and users of a specific entitlement.

    • Create an entitlement.

    • Modify an entitlement.

Add a new entitlement to an application

  1. In the Advanced Identity Cloud end-user UI, sign on as your test user who has application permissions.

  2. Go to Administer > Entitlements. The application’s entitlements are accessible to the end user.

  3. On the Entitlements page, click add New Entitlement.

  4. In the New Entitlement modal:

    1. Click Application and click the application available to the test user. You should see only one available option.

    2. Click Object Type and select an object type for the new entitlement.

    3. Click Next.

  5. In the Entitlement Details modal:

    1. Enter or select the fields required for your entitlement. Fields can differ based on how you configured your glossary items. For example:

      • Description: Enter a general description of the entitlement.

      • Entitlement Owner: Type a user to add as an entitlement owner.

      • Entitlement Type: Enter the type of entitlement.

      • Parent Entitlement: Enter the parent entitlement, if any.

      • Requestable: Click to make the entitlement requestable.

    2. Click Submit.

      The new entitlement appears in the list of entitlements specific to the application.

Modify entitlement details in an application

  1. In the Advanced Identity Cloud end-user UI, sign on as your test user who has application permissions.

  2. Go to Administer > Entitlements. The application’s entitlements are accessible to the end user.

  3. Click an entitlement.

  4. Modify any field including Entitlement Owner and click Save.

    A change request is entered in the system and must be approved by the user specified in the workflow. For example, the Modify Entitlement workflow specifies that the entitlement owner approves any entitlement change requests.

    View detailed information on an entitlement.

End user tasks

After administrators grant end users the required scope permissions to view and act on any applications and entitlements, the end users can take action on the permitted entitlements.

End user UI

  1. In the Advanced Identity Cloud end-user UI, sign on as your test end user: Abby Dabby.

  2. Go to Administer > Entitlements. The entitlement is accessible to the end user.

    View entitlements as an end user.
  3. From here, the end user can do the following depending on their scope permissions:

    • View the entitlement details.

    • View users who have the entitlement.

    • Modify the entitlement: If the end user makes a change to the entitlement, Identity Governance generates a request that awaits review and approval by the designated approver. Tenant administrators can designate the approver within the Modify Entitlement workflow.