Create an Entitlement
An Entitlement is an abstracted representation of one or more levels of access in one or more systems. Entitlements are managed within RapidIdentity. An Entitlement assignment to an Identity should result in RapidIdentity updating that system to grant the appropriate access to the recipient. An Entitlement can represent an Account, Memberships (group or roles), and/or Permissions in a local system.
An Entitlement can include various configurations that help define its function and which people or groups, along with specific attributes, can request it. Certain prerequisites must be in place before an entitlement can be created.
Prerequisites
A Workflow is required for users to create and request an Entitlement. As an example, an active Request Time Off workflow can feed into an Entitlement and would need to be created before the entitlement can be created or requested. Reference the section Create a Workflow for more information on workflows.
Steps
As an Administrator, log in to RapidIdentity via a web browser:
https://<your-host-name>/idauto-apps
Select the Requests module from the module selector.
Select Entitlements from the left navigation menu, followed by Catalog.
Select the Add Entitlement button located in the upper right portion of the window to create an entitlement. This option is only available to an Administrator.
The General tab will appear in the Add Entitlement window.
Give the entitlement a Name and Description.
Click the Icon button to choose an icon from the icon library or click Upload Icon to upload a custom icon.
Note
You will not be able to save the Entitlement until an icon has been assigned.
By default, you will automatically be listed as an owner of this entitlement. Optionally, add additional owners who share administrative rights to the entitlement.
Choose a Data Classification from the drop-down.
If no data classifications are present, select Create New and provide a Name and Description. You can allow Level and Color to default.
The Data Classification is the first level of access for the entitlement, pertaining to any restrictions from users or campaigns. Select from the following options for Data Classification:
Public to have no restrictions on who can request access
Private to restrict access from all users outside of the owner
Select a Group to allow access to the selected group
Select Request Access to require a user to request access to the entitlement
The Level is a selectable negative or positive numerical value that ranks the order in which the entitlement will be listed.
Optionally, set the Expiration Type, based on Time or Campaign access. Depending upon the selection, different sub-menus will display.
Time-based: Select a time frame for the entitlement availability.
Note
If the entitlement is set as time-based, there will be an additional option "Allow entitlement to be extended" available.
Campaign-based: Includes a selector for the month, day, and length in months for validity.
Choose the appropriate Binding from the dropdown. Binding declares how many instances of the entitlement are assigned per user.
(SINGLE) One instance per user
(MULTI_BOUND) Multiple instances per user
(MULTI_UNBOUND) Multiple instances per user, non-binding
(COMPOSITE) One instance per user that contains multiple binding components
Note
Setting up composite entitlements is not fully supported in the new UI at this time.
Set Status to Active.
Note
This may be performed later if needed, but note the location of this setting to make the entitlement active. The entitlement must be active to display in the Catalog.
Optionally, select the desired Access Control to be either Attribute or Role based to determine who can see this entitlement in their catalog. Select None for general availability.
When selecting Attribute or Role based, an additional field will display to enter the assigned values.
The Priority of the entitlement can be changed or left at the default -1, which gives it no special ordering.
Select the Disable Certification/Extension checkbox to disallow use of the Certify or Extend Actions.
Select the May Not Be Requested in UI checkbox to hide the entitlement from view in the Catalog.
Choose a Category from the Categories drop-down. If no Categories are present, select Create New and provide a Name and Description, select the proper Access Control option, and set the Status to Active.
Choose the appropriate Workflow to use for any Grant actions from the Grant Workflow dropdown.
If there is a relevant form in the Workflow chosen, select it in the Grant Workflow Form drop-down.
Choose a Workflow to use for any Revoke actions.
If there is a relevant form in the Workflow chosen, select it in the Revoke Workflow Form drop-down.
Note
If "Allow Entitlement To Be Extended" is enabled on a time-based entitlement, additional drop-downs to select Extend workflows and Extend workflow forms will be presented.
Click the Relationships tab to check if there are any configured conflicts or dependencies.
Example
If Entitlement A is a dependency of Entitlement B, then you can only request Entitlement B if you have or are in the process of obtaining Entitlement A. In this situation, you would edit Entitlement B and add Entitlement A to its list of dependencies.
Drag any general entitlements into the dependencies column to create a new dependency.
Click Save to save the entitlement.
The Entitlement will now be listed in the Catalog workspace and available for an end user to request access.
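The dependency rule from the Relationships example can be checked on paper before saving. The following is an added example, not RapidIdentity code or its API: a plain-Python model of that rule, using constructed entitlement names and a hypothetical dictionary layout. It also goes one step beyond the page by flagging circular dependencies, which under the stated rule leave every entitlement in the loop impossible to request first.

```python
# Added illustration: a model of the dependency rule, not product code.
# The dict layout and entitlement names below are constructed for this example.

# entitlement -> entitlements it lists in its dependencies column
DEPENDENCIES = {
    "Entitlement B": ["Entitlement A"],   # the case from the Example above
    "Entitlement C": ["Entitlement D"],   # constructed circular pair
    "Entitlement D": ["Entitlement C"],
}


def can_request(target, dependencies, held, pending):
    """Return (allowed, missing) for a request of `target`.

    A dependency counts as satisfied when the user already has it or is in
    the process of obtaining it, as the Relationships example states.
    """
    satisfied = set(held) | set(pending)
    missing = sorted(d for d in dependencies.get(target, ()) if d not in satisfied)
    return (not missing, missing)


def on_cycle(dependencies):
    """Return the entitlements that depend, directly or indirectly, on themselves."""
    def reachable(start):
        # Iterative walk over everything `start` transitively depends on.
        seen, stack = set(), list(dependencies.get(start, ()))
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(dependencies.get(node, ()))
        return seen

    return sorted(e for e in dependencies if e in reachable(e))


if __name__ == "__main__":
    # User holds nothing yet: B is blocked until A is held or pending.
    print(can_request("Entitlement B", DEPENDENCIES, held=[], pending=[]))
    print(can_request("Entitlement B", DEPENDENCIES, held=[], pending=["Entitlement A"]))
    # C and D each wait on the other, so neither can be requested first.
    print(on_cycle(DEPENDENCIES))
```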