User entitlements and entitlement groups
This article explains what entitlements and entitlement groups are and how they are assigned to the different categories of users in Cloud Identity Plane.
Concept of entitlement
The entitlement is a privilege that can be granted or revoked for a particular user (type). The entitlement enables the user to perform an action or access a specific information.
There are different types of users in Cloud Identity Plane with different sets of roles. These roles are defined in the form of entitlements and entitlement groups. For instance an admin user can perform various operations based on the entitlements that he/she has. They will not be able to perform a certain operation if they do not have the entitlement that is needed to perform that operation. Super admins and admins can grant or revoke entitlements and entitlement groups to a user.
Entitlement group
The entitlement group is a set of entitlements that are related in terms of their subject, target, or function. The reason to categorize entitlements into groups is to simplify and enhance the entitlements management.
Entitlement groups allow assigning multiple entitlements to a user similar to a user role. Take for example users that can manage IDP/SP configurations but don’t have access to any other admin functions. They can be granted a single entitlement group containing all of the required entitlements.
Entitlements management
Managing entitlements is the process of administering and configuring privileges granted to individuals, roles, and groups within an organization.
Entitlements are usually managed during design time, before an individual tries to access a protected data or execute a restricted action. Individuals' entitlements need to be provided before they are able to access the resource or perform the action.
Categories of users
Default entitlements and entitlement groups are assigned to users based on their category. We can differentiate between the following four categories of users:
-
Unregistered user.
-
Registered non-admin user.
-
Organization admin user.
-
Super admin user.
Pre-defined entitlements and groups
Pre-defined entitlements and entitlement groups assigned to a user depend on the category of the user, as shown in the table below:
| User category | Entitlement groups |
|---|---|
| Unregistered user | None |
| Registered non-admin user | SELF_USER_ENTITLEMENT_GROUP |
| Organization admin user | SELF_USER_ENTITLEMENT_GROUP, ADMIN_MANAGE_USERS |
| Super admin user | All |
CIP contains the following entitlement groups by default:
ADMIN_MANAGE_USERS
| Name | Description |
|---|---|
| ADMIN_ACCESS_DASHBOARD | Admin entitlement to access dashboard |
| ADMIN_ACTIVATE_USER | Admin entitlement to activate a user |
| ADMIN_ADD_EMAIL_OR_MOBILE | Admin entitlement to add unverified email or mobile to a user |
| ADMIN_CREATE_USER | Admin entitlement to create user |
| ADMIN_DEACTIVATE_USER | Admin entitlement to deactivate a user |
| ADMIN_DELETE_BRUTE_FORCE_USER_ATTEMPTS | Admin entitlement to manage all user failed login attempts |
| ADMIN_DELETE_USER | Admin entitlement to delete a user |
| ADMIN_DELETE_USER_TRUSTED_DEVICES | Admin entitlement to delete all trusted devices of a user |
| ADMIN_FORCE_PASSWORD_RESET | Admin entitlement to force user to reset password |
| ADMIN_GET_BRUTE_FORCE_CONFIG | Admin entitlement to get brute force config |
| ADMIN_GET_BRUTE_FORCE_USER_ATTEMPTS | Admin entitlement to get failed login attempts |
| ADMIN_GET_ENTITLEMENT | Admin entitlement to get an entitlement |
| ADMIN_GET_ENTITLEMENT_GROUP | Admin entitlement to get an entitlement group |
| ADMIN_GET_USER | Admin entitlement to get any user attributes |
| ADMIN_GET_USER_ENTITLEMENT_GROUPS | Admin entitlement to get the current entitlement groups of a user |
| ADMIN_GET_USER_ENTITLEMENTS | Admin entitlement to get user entitlements |
| ADMIN_GRANT_ENTITLEMENT | Admin entitlement to grant an entitlement that he has himself |
| ADMIN_GRANT_ENTITLEMENT_GROUP | Admin entitlement to grant an entitlement group that he has himself |
| ADMIN_GRANT_PERMISSION | Admin entitlement to grant a permission |
| ADMIN_GRANT_ROLE | Admin entitlement to grant a role |
| ADMIN_INVALIDATE_USER_SESSIONS | Admin entitlement to invalidate all sessions of a user |
| ADMIN_LIST_ENTITLEMENT_GROUPS | Admin entitlement to list entitlement groups |
| ADMIN_LIST_ENTITLEMENTS | Admin entitlement to list entitlements |
| ADMIN_LIST_ENTITLEMENTS_IN_GROUP | Admin entitlement to list the entitlements in an entitlement group |
| ADMIN_LIST_PERMISSIONS | Admin entitlement to list permissions |
| ADMIN_LIST_ROLES | Admin entitlement to list roles |
| ADMIN_LIST_USER_PERMISSION_GRANTS | Admin entitlement to list user permission grants |
| ADMIN_LIST_USER_ROLE_GRANTS | Admin entitlement to list user role grants |
| ADMIN_LIST_USERS | Admin entitlement to list users |
| ADMIN_MANAGE_USER_PERMISSION_GRANTS | Admin entitlement to manage user permission grants |
| ADMIN_MANAGE_USER_ROLE_GRANTS | Admin entitlement to manage user role grants |
| ADMIN_REMOVE_IDENTIFIERS | Admin entitlement to remove verified identifiers of a user |
| ADMIN_REQUEST_RESET_MFA_CREDENTIALS | Admin user entitlement to request reset MFA credentials of a user |
| ADMIN_REQUEST_RESET_PASSWORD | Admin user entitlement to request reset password |
| ADMIN_REQUEST_RESET_PASSWORD_FROM_ALTERNATE | Admin user entitlement to request reset password from alternate email |
| ADMIN_RESET_AUTH_SECRET | Admin entitlement to reset the auth secret of a user |
| ADMIN_RESET_OTP_MFA_ENROLLMENT | Admin entitlement to reset user’s OTP MFA enrollment |
| ADMIN_RESET_USER_API_KEY | Admin entitlement to reset a user API key |
| ADMIN_RESET_USER_EULA | Admin entitlement to reset user acceptance of an end-user license agreement |
| ADMIN_RESET_USER_KBA | Admin entitlement to reset the KBA responses of a user |
| ADMIN_REVOKE_ENTITLEMENT | Admin entitlement to revoke an entitlement that he has himself |
| ADMIN_REVOKE_ENTITLEMENT_GROUP | Admin entitlement to revoke an entitlement group that he has himself |
| ADMIN_REVOKE_PERMISSION | Admin entitlement to revoke a permission |
| ADMIN_REVOKE_ROLE | Admin entitlement to revoke a role |
| ADMIN_SEND_ACTIVATION_MESSAGE | Admin entitlement to send activation message to user |
| ADMIN_SEND_NOTIFICATION_MESSAGE | Admin entitlement to send notification messages to users |
| ADMIN_UPDATE_USER | Admin entitlement to update any user attributes |
CUSTOMER_ADMIN_ENTITLEMENT_GROUP
| Name | Description |
|---|---|
| ADMIN_GET_CUSTOMER | Admin entitlement to view a customer information |
| ADMIN_GET_CUSTOMER_ENTITLEMENT_GROUPS | Admin entitlement to get the current entitlement groups of a customer |
| ADMIN_GET_CUSTOMER_ENTITLEMENTS | Admin entitlement to get the current entitlements of a customer |
| ADMIN_GRANT_ENTITLEMENT_GROUP_TO_CUSTOMER | Admin entitlement to grant an entitlement group to a customer |
| ADMIN_GRANT_ENTITLEMENT_TO_CUSTOMER | Admin entitlement to grant an entitlement to a customer |
| ADMIN_LIST_CUSTOMER_PERMISSION_GRANTS | Admin entitlement to list customer permission grants |
| ADMIN_LIST_CUSTOMER_ROLE_GRANTS | Admin entitlement to list customer role grants |
| ADMIN_LIST_CUSTOMERS | Admin entitlement to ADMIN_LIST_CUSTOMERS |
| ADMIN_MANAGE_AUTHORIZATION_CREDENTIALS | Admin entitlement to manage Authorization credentials (ACP) |
| ADMIN_MANAGE_CUSTOMER_PERMISSION_GRANTS | Admin entitlement to manage customer permission grants |
| ADMIN_MANAGE_CUSTOMER_ROLE_GRANTS | Admin entitlement to manage customer role grants |
| ADMIN_MANAGE_PASSWORD_POLICY | Admin entitlement to manage password policy |
| ADMIN_REMOVE_CUSTOMER_API_KEY | Admin entitlement to remove a customer API key |
| ADMIN_RESET_CUSTOMER_API_KEY | Admin entitlement to reset a customer API key |
| ADMIN_REVOKE_ENTITLEMENT_FROM_CUSTOMER | Admin entitlement to revoke an entitlement from a customer |
| ADMIN_REVOKE_ENTITLEMENT_GROUP_FROM_CUSTOMER | Admin entitlement to revoke an entitlement group from a customer |
| ADMIN_SELF_ACCEPT_ORGANIZATION_EULA | Admin entitlement to self accept organization eula |
| ADMIN_UPDATE_CUSTOMER | Admin entitlement to update customer information |
ENTITLEMENT_MANAGEMENT_ENTITLEMENT_GROUP
| Name | Description |
|---|---|
| ADMIN_ADD_ENTITLEMENT_TO_GROUP | Admin entitlement to add entitlement to group |
| ADMIN_CREATE_ENTITLEMENT | Admin entitlement to create an entitlement |
| ADMIN_CREATE_ENTITLEMENT_GROUP | Admin entitlement to create an entitlement group |
| ADMIN_DELETE_ENTITLEMENT | Admin entitlement to delete an entitlement |
| ADMIN_DELETE_ENTITLEMENT_FROM_GROUP | Admin entitlement to delete entitlement from group |
| ADMIN_DELETE_ENTITLEMENT_GROUP | Admin entitlement to delete an entitlement group |
| ADMIN_UPDATE_ENTITLEMENT | Admin entitlement to update an entitlement |
| ADMIN_UPDATE_ENTITLEMENT_GROUP | Admin entitlement to update an entitlement group |
FEDERATED_USER_ENTITLEMENT_GROUP
| Name | Description |
|---|---|
| SELF_ACCEPT_USER_EULA | User entitlement to accept an end-user license agreement |
| SELF_CONFIRM_AUTH_SECRET | User entitlement to confirm own auth secret |
| SELF_GET_AUTH_SECRET | User entitlement to view own auth secret |
| SELF_GET_CUSTOMER | User entitlement to view information about own customer |
| SELF_GET_MFA_SETUP | User entitlement to get own MFA setup details |
| SELF_GET_USER | User entitlement to view own information |
| SELF_LIST_USER_CUSTOMERS | User entitlement to view details of customers from own customers list |
| SELF_RESET_AUTH_SECRET | User entitlement to reset own auth secret |
| SELF_RESET_OTP_MFA_ENROLLMENT | User entitlement to reset own OTP MFA enrollment |
| SELF_RESET_USER_KBA | User entitlement to reset own KBA responses |
| SELF_SET_MFA_METHOD | User entitlement to set own MFA method |
| SELF_SET_USER_KBA_RESPONSES | User entitlement to set their KBA responses |
| SELF_UPDATE_USER | User entitlement to update own information |
FEDERATION_MANAGEMENT_ENTITLEMENT_GROUP
| Name | Description |
|---|---|
| ADMIN_ACCESS_DASHBOARD | Admin entitlement to access dashboard |
| ADMIN_CREATE_IDP | Admin entitlement to create IDP configuration |
| ADMIN_CREATE_SP | Admin entitlement to create SP configuration |
| ADMIN_DELETE_IDP | Admin entitlement to delete IDP configuration |
| ADMIN_DELETE_SP | Admin entitlement to delete SP configuration |
| ADMIN_GET_IDP | Admin entitlement to get IDP configuration |
| ADMIN_GET_SP | Admin entitlement to get SP configuration |
| ADMIN_LIST_IDPS | Admin entitlement to list IDP configurations |
| ADMIN_LIST_SPS | Admin entitlement to list SP configurations |
| ADMIN_UPDATE_IDP | Admin entitlement to update IDP configuration |
| ADMIN_UPDATE_SP | Admin entitlement to update SP configuration |
MULTI_CUSTOMER_ADMIN_ENTITLEMENT_GROUP
| Name | Description |
|---|---|
| ADMIN_ACTIVATE_CUSTOMER | Admin entitlement to activate a customer |
| ADMIN_ADD_TO_USER_CUSTOMERS | Admin entitlement to add a customer to a user customers list |
| ADMIN_CREATE_CUSTOMER | Admin entitlement to create a customer |
| ADMIN_DEACTIVATE_CUSTOMER | Admin entitlement to deactivate a customer |
| ADMIN_DELETE_CUSTOMER | Admin entitlement to delete a customer |
| ADMIN_LIST_USER_CUSTOMERS | Admin entitlement to list the customers belonging to a user |
| ADMIN_MANAGE_CUSTOMERS_EULA_REVISION | Admin entitlement to manage customers eula revision |
| ADMIN_REMOVE_FROM_USER_CUSTOMERS | Admin entitlement to remove a customer from a user customers list |
| ADMIN_SEND_CUSTOMERS_NOTIFICATION_MESSAGE | Admin entitlement to send notification messages to users of multiple customers |
| ADMIN_UPDATE_USER_CUSTOMERS | Admin entitlement to update the customers list belonging a user |
| SELF_UPDATE_USER_CUSTOMER_IN_SESSION | Admin entitlement to update which customer an authenticated user session currently belongs to |
SELF_USER_ENTITLEMENT_GROUP
| Name | Description |
|---|---|
| SELF_ACCEPT_USER_EULA | User entitlement to accept an end-user license agreement |
| SELF_ADD_EMAIL_OR_MOBILE | User entitlement to add unverified email or mobile |
| SELF_CHANGE_PASSWORD | User entitlement to change password |
| SELF_CHANGE_UID | User entitlement to update their UID |
| SELF_CONFIRM_AUTH_SECRET | User entitlement to confirm own auth secret |
| SELF_GET_AUTH_SECRET | User entitlement to view own auth secret |
| SELF_GET_CUSTOMER | User entitlement to view information about own customer |
| SELF_GET_MFA_SETUP | User entitlement to get own MFA setup details |
| SELF_GET_USER | User entitlement to view own information |
| SELF_INVALIDATE_DEVICE_SESSIONS | User entitlement to invalidate devices sessions |
| SELF_LIST_DEVICES | User entitlement to list devices used for login |
| SELF_LIST_USER_CUSTOMERS | User entitlement to view details of customers from own customers list |
| SELF_REMOVE_IDENTIFIERS | User entitlement to remove own verified identifiers |
| SELF_RESET_AUTH_SECRET | User entitlement to reset own auth secret |
| SELF_RESET_OTP_MFA_ENROLLMENT | User entitlement to reset own OTP MFA enrollment |
| SELF_RESET_USER_KBA | User entitlement to reset own KBA responses |
| SELF_SEND_VERIFICATION_CODE | User entitlement to send a verification code to an identifier |
| SELF_SET_MFA_METHOD | User entitlement to set own MFA method |
| SELF_SET_USER_KBA_RESPONSES | User entitlement to set their KBA responses |
| SELF_UPDATE_USER | User entitlement to update own information |
| SELF_VERIFY_IDENTIFIER | User entitlement to verify their own identifier |