User entitlements and entitlement groups

Purpose

This article explains what entitlements and entitlement groups are and how they are assigned to the different categories of users.

Concept of entitlement

An entitlement is a privilege that can be granted to or revoked from a particular user (or user type). An entitlement enables the user to perform a specific action or to access specific information.

There are different types of users in Cloudentity with different sets of roles. These roles are defined in the form of entitlements and entitlement groups. For instance, an admin user can perform various operations based on the entitlements they hold; they cannot perform an operation if they do not hold the entitlement required for it. Super admins and admins can grant entitlements and entitlement groups to a user, and revoke them.

Entitlement group

An entitlement group is a set of entitlements that are related in terms of their subject, target, or function. Categorizing entitlements into groups simplifies entitlement management.

Entitlement groups allow multiple entitlements to be assigned to a user at once, much like a user role. Take for example users who can manage IDP/SP configurations but have no access to any other admin functions: they can be granted a single entitlement group containing all of the required entitlements.

Entitlements management

Managing entitlements is the process of administering and configuring privileges granted to individuals, roles, and groups within an organization.

Entitlements are usually managed at design time, before an individual tries to access protected data or execute a restricted action. An individual's entitlements need to be provisioned before they are able to access the resource or perform the action.

Categories of users

Default entitlements and entitlement groups are assigned to users based on their category. We can differentiate between the following four categories of users:

  • Unregistered user

  • Registered non-admin user

  • Organization admin user

  • Super admin user

Pre-defined entitlements and groups

Pre-defined entitlements and entitlement groups assigned to a user depend on the category of the user, as shown in the table below:

Unregistered user

  • Entitlements: none

  • Entitlement groups: none

Registered non-admin user

  • Entitlements: none

  • Entitlement groups: SELF_USER_ENTITLEMENT_GROUP, which includes the following entitlements: SELF_ACCEPT_USER_EULA, SELF_ADD_EMAIL_OR_MOBILE, SELF_CHANGE_PASSWORD, SELF_CONFIRM_AUTH_SECRET, SELF_FORGET_DEVICE, SELF_GET_AUTH_SECRET, SELF_GET_CUSTOMER, SELF_GET_USER, SELF_INVALIDATE_DEVICE_SESSIONS, SELF_LIST_DEVICES, SELF_LIST_USER_CUSTOMERS, SELF_REMOVE_IDENTIFIERS, SELF_RESET_AUTH_SECRET, SELF_SEND_VERIFICATION_CODE, SELF_SET_MFA_METHOD, SELF_SET_USER_KBA_RESPONSES, SELF_CHANGE_UID, SELF_UPDATE_USER, SELF_VERIFY_IDENTIFIER, SELF_ACCESS_OPENID_CONNECT, SELF_MANAGE_OAUTH_CONSENTS.

Organization admin user

  • Entitlements: ADMIN_ACCESS_APPLICATIONS, ADMIN_ACCESS_DASHBOARD, ADMIN_MANAGE_APPLICATIONS, ADMIN_MANAGE_AUTHZ_APPLICATION_POLICIES, ADMIN_MANAGE_MICROSERVICES, ADMIN_MANAGE_PERMISSIONS, ADMIN_TRIAL_SETUP, SELF_ACCESS_OPENID_CONNECT, SELF_MANAGE_APPLICATIONS.

  • Entitlement groups:

    SELF_USER_ENTITLEMENT_GROUP (for the list of the entitlements included in this group, see the registered non-admin user entry above).

    ADMIN_MANAGE_USERS, which contains the following entitlements: ADMIN_LIST_USERS, ADMIN_GET_USER, ADMIN_UPDATE_USER, ADMIN_CREATE_USER, ADMIN_DELETE_USER, ADMIN_ACTIVATE_USER, ADMIN_DEACTIVATE_USER, ADMIN_SEND_ACTIVATION_MESSAGE.

    DEVELOPER_GROUP, which contains the following entitlements: SELF_ACCESS_OPENID_CONNECT, SELF_ACCESS_APPLICATIONS.

Super admin user

  • Entitlements: ADMIN_ACCESS_DASHBOARD, ADMIN_ACTIVATE_CUSTOMER, ADMIN_ACTIVATE_ORGANIZATION, ADMIN_ADD_EMAIL_OR_MOBILE, ADMIN_ADD_ENTITLEMENT_TO_GROUP, ADMIN_ADD_TO_USER_CUSTOMERS, ADMIN_ADD_USER_ROLE, ADMIN_ALL_CUSTOMERS, ADMIN_ASSIGN_IOT_DEVICE_TO_CUSTOMER, ADMIN_ASSIGN_IOT_DEVICE_TO_USER, ADMIN_ASSIGN_USER_TO_IOT_DEVICE, ADMIN_COMPLETE_FEDERATION_AUTHENTICATION, ADMIN_CREATE_CUSTOMER, ADMIN_CREATE_ENTITLEMENT, ADMIN_CREATE_ENTITLEMENT_GROUP, ADMIN_CREATE_IDP, ADMIN_CREATE_IOT_DEVICE, ADMIN_CREATE_ORGANIZATION, ADMIN_CREATE_SP, ADMIN_DEACTIVATE_CUSTOMER, ADMIN_DEACTIVATE_ORGANIZATION, ADMIN_DELETE_BRUTE_FORCE_ATTEMPTS, ADMIN_DELETE_BRUTE_FORCE_USER_ATTEMPTS, ADMIN_DELETE_CUSTOMER, ADMIN_DELETE_ENTITLEMENT, ADMIN_DELETE_ENTITLEMENT_FROM_GROUP, ADMIN_DELETE_ENTITLEMENT_GROUP, ADMIN_DELETE_IDP, ADMIN_DELETE_IOT_DEVICE, ADMIN_DELETE_ORGANIZATION, ADMIN_DELETE_ORGANIZATION_API_KEY, ADMIN_DELETE_SP, ADMIN_DELETE_USER_ROLE, ADMIN_DELETE_USER_TRUSTED_DEVICES, ADMIN_GET_BRUTE_FORCE_CONFIG, ADMIN_GET_BRUTE_FORCE_USER_ATTEMPTS, ADMIN_GET_CUSTOMER, ADMIN_GET_CUSTOMER_ENTITLEMENTS, ADMIN_GET_CUSTOMER_ENTITLEMENT_GROUPS, ADMIN_GET_ENTITLEMENT, ADMIN_GET_ENTITLEMENT_GROUP, ADMIN_GET_IDP, ADMIN_GET_IOT_DEVICE, ADMIN_GET_ORGANIZATION, ADMIN_GET_SP, ADMIN_GET_USER_ENTITLEMENTS, ADMIN_GET_USER_ENTITLEMENT_GROUPS, ADMIN_GET_USER_ROLES, ADMIN_GET_USER_VIA_HMAC, ADMIN_GRANT_ANY_ENTITLEMENT, ADMIN_GRANT_ANY_ENTITLEMENT_GROUP, ADMIN_GRANT_ENTITLEMENT, ADMIN_GRANT_ENTITLEMENT_GROUP, ADMIN_GRANT_ENTITLEMENT_GROUP_TO_CUSTOMER, ADMIN_GRANT_ENTITLEMENT_TO_CUSTOMER, ADMIN_GRANT_USER_ENTITLEMENT_GROUP, ADMIN_LIST_CUSTOMERS, ADMIN_LIST_CUSTOMER_USERS, ADMIN_LIST_ENTITLEMENTS, ADMIN_LIST_ENTITLEMENTS_IN_GROUP, ADMIN_LIST_ENTITLEMENT_GROUPS, ADMIN_LIST_IDPS, ADMIN_LIST_IOT_DEVICES, ADMIN_LIST_SPS, ADMIN_LIST_USER_CUSTOMERS, ADMIN_LIST_USER_IOT_DEVICES, ADMIN_MANAGE_AUTHZ_APPLICATION_POLICIES, ADMIN_MANAGE_AUTHZ_POLICIES, ADMIN_MANAGE_MICROSERVICES, ADMIN_MANAGE_OPENID_CONNECT, ADMIN_MANAGE_PERMISSIONS, ADMIN_REMOVE_CUSTOMER_API_KEY, ADMIN_REMOVE_FROM_USER_CUSTOMERS, ADMIN_REMOVE_IDENTIFIERS, ADMIN_REQUEST_RESET_MFA_CREDENTIALS, ADMIN_REQUEST_RESET_PASSWORD, ADMIN_REQUEST_RESET_PASSWORD_FROM_ALTERNATE, ADMIN_REQUEST_VERIFICATION_EMAIL, ADMIN_RESET_AUTH_SECRET, ADMIN_RESET_CUSTOMER_API_KEY, ADMIN_RESET_ORGANIZATION_API_KEY, ADMIN_RESET_OTP_MFA_ENROLLMENT, ADMIN_RESET_USER_API_KEY, ADMIN_RESET_USER_EULA, ADMIN_RESET_USER_KBA, ADMIN_REVOKE_ANY_ENTITLEMENT, ADMIN_REVOKE_ANY_ENTITLEMENT_GROUP, ADMIN_REVOKE_ENTITLEMENT, ADMIN_REVOKE_ENTITLEMENT_FROM_CUSTOMER, ADMIN_REVOKE_ENTITLEMENT_GROUP, ADMIN_REVOKE_ENTITLEMENT_GROUP_FROM_CUSTOMER, ADMIN_REVOKE_USER_ENTITLEMENT_GROUP, ADMIN_TRIAL_SETUP, ADMIN_UNASSIGN_IOT_DEVICE_FROM_CUSTOMER, ADMIN_UNASSIGN_IOT_DEVICE_FROM_USER, ADMIN_UNASSIGN_USER_FROM_IOT_DEVICE, ADMIN_UPDATE_CUSTOMER, ADMIN_UPDATE_ENTITLEMENT, ADMIN_UPDATE_ENTITLEMENT_GROUP, ADMIN_UPDATE_IDP, ADMIN_UPDATE_IOT_DEVICE, ADMIN_UPDATE_ORGANIZATION, ADMIN_UPDATE_SP, ADMIN_UPDATE_USER_CUSTOMERS, ADMIN_UPDATE_USER_ROLES, ADMIN_VALIDATE_API_KEY, ADMIN_VALIDATE_ENTITLEMENT, CARD_MANAGEMENT, LIST_CARDS, SELF_ACCEPT_USER_EULA, SELF_ACCESS_OPENID_CONNECT, SELF_ADD_EMAIL_OR_MOBILE, SELF_CHANGE_PASSWORD, SELF_CHANGE_UID, SELF_CONFIRM_AUTH_SECRET, SELF_CONFIRM_PASSWORD_RESET, SELF_CONFIRM_VERIFICATION_EMAIL, SELF_FORGET_DEVICE, SELF_GET_AUTH_SECRET, SELF_GET_CUSTOMER, SELF_GET_CUSTOMER_IN_SESSION, SELF_GET_IOT_DEVICES, SELF_GET_USER, SELF_INVALIDATE_DEVICE_SESSIONS, SELF_LIST_DEVICES, SELF_LIST_USER_CUSTOMERS, SELF_REMOVE_IDENTIFIERS, SELF_REQUEST_PASSWORD_RESET, SELF_REQUEST_VERIFICATION_EMAIL, SELF_RESET_AUTH_SECRET, SELF_SEND_VERIFICATION_CODE, SELF_SET_MFA_METHOD, SELF_SET_USER_KBA_RESPONSES, SELF_UPDATE_USER, SELF_UPDATE_USER_CUSTOMER_IN_RECORD, SELF_UPDATE_USER_CUSTOMER_IN_SESSION, SELF_VERIFY_IDENTIFIER.

  • Entitlement groups:

    ADMIN_MANAGE_APPLICATIONS_GROUP, which contains the following entitlements: ADMIN_ACCESS_APPLICATIONS, ADMIN_MANAGE_APPLICATIONS, SELF_MANAGE_APPLICATIONS, SELF_ACCESS_APPLICATIONS.

    ADMIN_MANAGE_USERS, which contains the following entitlements: ADMIN_LIST_USERS, ADMIN_GET_USER, ADMIN_UPDATE_USER, ADMIN_CREATE_USER, ADMIN_DELETE_USER, ADMIN_ACTIVATE_USER, ADMIN_DEACTIVATE_USER, ADMIN_SEND_ACTIVATION_MESSAGE.
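The model described in this article (a user's effective privileges are the entitlements granted directly plus those carried by each assigned entitlement group; any action not covered by a held entitlement is denied) as an added, illustrative Python example using the group and entitlement names from the table above. This is not Cloudentity's code; it assumes that granting a group is itself gated by the ADMIN_GRANT_ENTITLEMENT_GROUP entitlement, which the page lists for super admins without stating which operation it protects, and SELF_USER_ENTITLEMENT_GROUP is shortened to a few of its members.

```python
from dataclasses import dataclass, field

# Entitlement groups taken from the table above (SELF_USER_ENTITLEMENT_GROUP
# is shortened to a few of its members to keep the example small).
GROUPS = {
    "SELF_USER_ENTITLEMENT_GROUP": frozenset({
        "SELF_GET_USER", "SELF_UPDATE_USER", "SELF_CHANGE_PASSWORD",
        "SELF_SET_MFA_METHOD", "SELF_ACCESS_OPENID_CONNECT"}),
    "ADMIN_MANAGE_USERS": frozenset({
        "ADMIN_LIST_USERS", "ADMIN_GET_USER", "ADMIN_UPDATE_USER",
        "ADMIN_CREATE_USER", "ADMIN_DELETE_USER", "ADMIN_ACTIVATE_USER",
        "ADMIN_DEACTIVATE_USER", "ADMIN_SEND_ACTIVATION_MESSAGE"}),
    "DEVELOPER_GROUP": frozenset({
        "SELF_ACCESS_OPENID_CONNECT", "SELF_ACCESS_APPLICATIONS"}),
}

@dataclass
class User:
    name: str
    entitlements: set = field(default_factory=set)  # granted individually
    groups: set = field(default_factory=set)        # granted as entitlement groups

def effective_entitlements(user):
    """Direct entitlements plus every entitlement of every assigned group."""
    resolved = set(user.entitlements)
    for group in user.groups:
        resolved |= GROUPS[group]  # unknown group name raises KeyError: fail closed
    return frozenset(resolved)

def is_allowed(user, entitlement):
    """Deny by default: only an explicitly held entitlement permits the action."""
    return entitlement in effective_entitlements(user)

def grant_group(actor, target, group):
    """Granting a group is itself a privileged action. Assumption (not stated on
    the page): it is gated by the ADMIN_GRANT_ENTITLEMENT_GROUP entitlement."""
    if not is_allowed(actor, "ADMIN_GRANT_ENTITLEMENT_GROUP"):
        raise PermissionError(f"{actor.name} may not grant entitlement groups")
    if group not in GROUPS:
        raise KeyError(f"unknown entitlement group {group}")
    target.groups.add(group)

# Constructed sample users matching three of the user categories above.
member = User("alice", groups={"SELF_USER_ENTITLEMENT_GROUP"})
org_admin = User("bob", entitlements={"ADMIN_ACCESS_DASHBOARD"},
                 groups={"SELF_USER_ENTITLEMENT_GROUP", "ADMIN_MANAGE_USERS"})
super_admin = User("root", entitlements={"ADMIN_GRANT_ENTITLEMENT_GROUP"})
```

Because resolution is recomputed on every check, revoking a group from `user.groups` takes effect immediately, which is the behaviour an authorization check should have.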