User entitlements and entitlement groups

This article explains what entitlements and entitlement groups are and how they are assigned to the different categories of users in Cloud Identity Plane (CIP).

Concept of entitlement

An entitlement is a privilege that can be granted to, or revoked from, a particular user or user type. It enables the user to perform a specific action or to access specific information.

Cloud Identity Plane has different types of users with different sets of roles, and these roles are defined in the form of entitlements and entitlement groups. For instance, an admin user can perform only those operations for which they hold the corresponding entitlement; an operation whose entitlement they lack is refused. Super admins and admins can grant entitlements and entitlement groups to a user, and revoke them again.

Entitlement group

An entitlement group is a set of entitlements that are related by subject, target, or function. Grouping entitlements simplifies their management: a group is granted and revoked as a single unit.

An entitlement group assigns multiple entitlements to a user at once, much like a user role. Take, for example, users who should manage IDP/SP configurations but have no access to any other admin functions: instead of receiving each entitlement individually, they can be granted a single entitlement group containing exactly the required entitlements (FEDERATION_MANAGEMENT_ENTITLEMENT_GROUP, listed below).

Entitlements management

Managing entitlements is the process of administering and configuring privileges granted to individuals, roles, and groups within an organization.

Entitlements are usually managed at design time, before an individual tries to access protected data or execute a restricted action. An individual's entitlements must be granted before they can access the resource or perform the action; the enforcement itself happens at access time, when the request is evaluated against the entitlements the individual currently holds.
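The following Python model is added here as an illustration; it is not Cloud Identity Plane's own code or API. It shows how the concepts above fit together: a user's effective entitlements are the union of their direct grants and the members of their entitlement groups, every action is checked against that set at access time, and an admin can grant an entitlement or an entitlement group only if they already hold every entitlement involved (the rule the tables below state for ADMIN_GRANT_ENTITLEMENT and ADMIN_GRANT_ENTITLEMENT_GROUP). The group contents are a constructed subset of the default groups on this page; the user names and function names are invented for the example.

```python
"""Effective-entitlement resolution and least-privilege delegation.

Added example, not Cloud Identity Plane's own code or API. Models the page's
concepts: an entitlement is a named privilege, an entitlement group is a set of
entitlements, a user holds direct entitlements plus groups, and an admin may
only grant what they already hold.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed subset of the page's default groups (group and entitlement names
# are the page's own; the membership lists are abbreviated).
GROUPS: dict[str, frozenset[str]] = {
    "SELF_USER_ENTITLEMENT_GROUP": frozenset({
        "SELF_GET_USER", "SELF_UPDATE_USER", "SELF_CHANGE_PASSWORD",
    }),
    "FEDERATION_MANAGEMENT_ENTITLEMENT_GROUP": frozenset({
        "ADMIN_ACCESS_DASHBOARD", "ADMIN_CREATE_IDP", "ADMIN_UPDATE_IDP",
        "ADMIN_CREATE_SP", "ADMIN_UPDATE_SP",
    }),
    "ADMIN_MANAGE_USERS": frozenset({
        "ADMIN_ACCESS_DASHBOARD", "ADMIN_CREATE_USER", "ADMIN_DELETE_USER",
        "ADMIN_GRANT_ENTITLEMENT", "ADMIN_GRANT_ENTITLEMENT_GROUP",
        "ADMIN_REVOKE_ENTITLEMENT",
    }),
}


class AuthorizationError(PermissionError):
    """Raised when the caller lacks the entitlement required for an action."""


@dataclass
class User:
    uid: str
    entitlements: set[str] = field(default_factory=set)  # direct grants
    groups: set[str] = field(default_factory=set)        # group grants

    def effective_entitlements(self) -> frozenset[str]:
        """Direct grants plus the union of every granted group's members."""
        effective = set(self.entitlements)
        for group in self.groups:
            effective |= GROUPS[group]  # unknown group name fails closed (KeyError)
        return frozenset(effective)


def require(actor: User, entitlement: str) -> None:
    """Access-time check of a privilege that was granted at design time."""
    if entitlement not in actor.effective_entitlements():
        raise AuthorizationError(f"{actor.uid} lacks {entitlement}")


def grant_entitlement(actor: User, target: User, entitlement: str) -> None:
    """Grant one entitlement; the actor must hold it themselves."""
    require(actor, "ADMIN_GRANT_ENTITLEMENT")
    if entitlement not in actor.effective_entitlements():
        # Stops an admin from handing out privilege they do not have.
        raise AuthorizationError(
            f"{actor.uid} cannot grant {entitlement}: not held by actor")
    target.entitlements.add(entitlement)


def grant_group(actor: User, target: User, group: str) -> None:
    """Grant a group; the actor must hold every entitlement in it."""
    require(actor, "ADMIN_GRANT_ENTITLEMENT_GROUP")
    missing = GROUPS[group] - actor.effective_entitlements()
    if missing:
        raise AuthorizationError(
            f"{actor.uid} cannot grant {group}: lacks {sorted(missing)}")
    target.groups.add(group)


def demo() -> dict[str, bool]:
    """Organization admin (per the page's category table) delegating to a
    registered non-admin user. Names are invented."""
    alice = User("alice", groups={"SELF_USER_ENTITLEMENT_GROUP",
                                  "ADMIN_MANAGE_USERS"})
    bob = User("bob", groups={"SELF_USER_ENTITLEMENT_GROUP"})
    results: dict[str, bool] = {}

    grant_entitlement(alice, bob, "ADMIN_CREATE_USER")  # alice holds it
    results["held_grant_ok"] = "ADMIN_CREATE_USER" in bob.effective_entitlements()

    try:  # alice has no federation entitlements, so she cannot delegate one
        grant_entitlement(alice, bob, "ADMIN_CREATE_IDP")
        results["unheld_grant_blocked"] = False
    except AuthorizationError:
        results["unheld_grant_blocked"] = True

    try:  # same rule applied to a whole group
        grant_group(alice, bob, "FEDERATION_MANAGEMENT_ENTITLEMENT_GROUP")
        results["unheld_group_blocked"] = False
    except AuthorizationError:
        results["unheld_group_blocked"] = True

    try:  # bob lacks ADMIN_GRANT_ENTITLEMENT altogether
        grant_entitlement(bob, alice, "SELF_GET_USER")
        results["non_admin_blocked"] = False
    except AuthorizationError:
        results["non_admin_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the self-possession check bounds delegation to the granting admin's own privilege, but because ADMIN_MANAGE_USERS itself contains ADMIN_GRANT_ENTITLEMENT, anyone who receives that group can delegate further, so grants should be reviewed periodically (the page provides ADMIN_GET_USER_ENTITLEMENTS and ADMIN_GET_USER_ENTITLEMENT_GROUPS for that); and a grant is effective only through the set it was written to, so an entitlement conveyed by a group cannot be removed by deleting a direct grant, which is why the page has separate revoke operations for entitlements and entitlement groups.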

Categories of users

Default entitlements and entitlement groups are assigned to users based on their category. There are four categories of users:

  • Unregistered user

  • Registered non-admin user

  • Organization admin user

  • Super admin user

Pre-defined entitlements and groups

Pre-defined entitlements and entitlement groups assigned to a user depend on the category of the user, as shown in the table below:

User category              Entitlement groups
Unregistered user          None
Registered non-admin user  SELF_USER_ENTITLEMENT_GROUP
Organization admin user    SELF_USER_ENTITLEMENT_GROUP, ADMIN_MANAGE_USERS
Super admin user           All

CIP contains the following entitlement groups by default:

ADMIN_MANAGE_USERS

Name Description
ADMIN_ACCESS_DASHBOARD Admin entitlement to access dashboard
ADMIN_ACTIVATE_USER Admin entitlement to activate a user
ADMIN_ADD_EMAIL_OR_MOBILE Admin entitlement to add unverified email or mobile to a user
ADMIN_CREATE_USER Admin entitlement to create user
ADMIN_DEACTIVATE_USER Admin entitlement to deactivate a user
ADMIN_DELETE_BRUTE_FORCE_USER_ATTEMPTS Admin entitlement to delete the recorded failed login attempts of a user
ADMIN_DELETE_USER Admin entitlement to delete a user
ADMIN_DELETE_USER_TRUSTED_DEVICES Admin entitlement to delete all trusted devices of a user
ADMIN_FORCE_PASSWORD_RESET Admin entitlement to force user to reset password
ADMIN_GET_BRUTE_FORCE_CONFIG Admin entitlement to get brute force config
ADMIN_GET_BRUTE_FORCE_USER_ATTEMPTS Admin entitlement to get failed login attempts
ADMIN_GET_ENTITLEMENT Admin entitlement to get an entitlement
ADMIN_GET_ENTITLEMENT_GROUP Admin entitlement to get an entitlement group
ADMIN_GET_USER Admin entitlement to get any user attributes
ADMIN_GET_USER_ENTITLEMENT_GROUPS Admin entitlement to get the current entitlement groups of a user
ADMIN_GET_USER_ENTITLEMENTS Admin entitlement to get user entitlements
ADMIN_GRANT_ENTITLEMENT Admin entitlement to grant an entitlement that the admin themselves holds
ADMIN_GRANT_ENTITLEMENT_GROUP Admin entitlement to grant an entitlement group that the admin themselves holds
ADMIN_GRANT_PERMISSION Admin entitlement to grant a permission
ADMIN_GRANT_ROLE Admin entitlement to grant a role
ADMIN_INVALIDATE_USER_SESSIONS Admin entitlement to invalidate all sessions of a user
ADMIN_LIST_ENTITLEMENT_GROUPS Admin entitlement to list entitlement groups
ADMIN_LIST_ENTITLEMENTS Admin entitlement to list entitlements
ADMIN_LIST_ENTITLEMENTS_IN_GROUP Admin entitlement to list the entitlements in an entitlement group
ADMIN_LIST_PERMISSIONS Admin entitlement to list permissions
ADMIN_LIST_ROLES Admin entitlement to list roles
ADMIN_LIST_USER_PERMISSION_GRANTS Admin entitlement to list user permission grants
ADMIN_LIST_USER_ROLE_GRANTS Admin entitlement to list user role grants
ADMIN_LIST_USERS Admin entitlement to list users
ADMIN_MANAGE_USER_PERMISSION_GRANTS Admin entitlement to manage user permission grants
ADMIN_MANAGE_USER_ROLE_GRANTS Admin entitlement to manage user role grants
ADMIN_REMOVE_IDENTIFIERS Admin entitlement to remove verified identifiers of a user
ADMIN_REQUEST_RESET_MFA_CREDENTIALS Admin entitlement to request a reset of a user's MFA credentials
ADMIN_REQUEST_RESET_PASSWORD Admin entitlement to request a password reset for a user
ADMIN_REQUEST_RESET_PASSWORD_FROM_ALTERNATE Admin entitlement to request a password reset via a user's alternate email
ADMIN_RESET_AUTH_SECRET Admin entitlement to reset the auth secret of a user
ADMIN_RESET_OTP_MFA_ENROLLMENT Admin entitlement to reset a user's OTP MFA enrollment
ADMIN_RESET_USER_API_KEY Admin entitlement to reset a user API key
ADMIN_RESET_USER_EULA Admin entitlement to reset user acceptance of an end-user license agreement
ADMIN_RESET_USER_KBA Admin entitlement to reset the KBA responses of a user
ADMIN_REVOKE_ENTITLEMENT Admin entitlement to revoke an entitlement that the admin themselves holds
ADMIN_REVOKE_ENTITLEMENT_GROUP Admin entitlement to revoke an entitlement group that the admin themselves holds
ADMIN_REVOKE_PERMISSION Admin entitlement to revoke a permission
ADMIN_REVOKE_ROLE Admin entitlement to revoke a role
ADMIN_SEND_ACTIVATION_MESSAGE Admin entitlement to send activation message to user
ADMIN_SEND_NOTIFICATION_MESSAGE Admin entitlement to send notification messages to users
ADMIN_UPDATE_USER Admin entitlement to update any user attributes

CUSTOMER_ADMIN_ENTITLEMENT_GROUP

Name Description
ADMIN_GET_CUSTOMER Admin entitlement to view customer information
ADMIN_GET_CUSTOMER_ENTITLEMENT_GROUPS Admin entitlement to get the current entitlement groups of a customer
ADMIN_GET_CUSTOMER_ENTITLEMENTS Admin entitlement to get the current entitlements of a customer
ADMIN_GRANT_ENTITLEMENT_GROUP_TO_CUSTOMER Admin entitlement to grant an entitlement group to a customer
ADMIN_GRANT_ENTITLEMENT_TO_CUSTOMER Admin entitlement to grant an entitlement to a customer
ADMIN_LIST_CUSTOMER_PERMISSION_GRANTS Admin entitlement to list customer permission grants
ADMIN_LIST_CUSTOMER_ROLE_GRANTS Admin entitlement to list customer role grants
ADMIN_LIST_CUSTOMERS Admin entitlement to list customers
ADMIN_MANAGE_AUTHORIZATION_CREDENTIALS Admin entitlement to manage Authorization credentials (ACP)
ADMIN_MANAGE_CUSTOMER_PERMISSION_GRANTS Admin entitlement to manage customer permission grants
ADMIN_MANAGE_CUSTOMER_ROLE_GRANTS Admin entitlement to manage customer role grants
ADMIN_MANAGE_PASSWORD_POLICY Admin entitlement to manage password policy
ADMIN_REMOVE_CUSTOMER_API_KEY Admin entitlement to remove a customer API key
ADMIN_RESET_CUSTOMER_API_KEY Admin entitlement to reset a customer API key
ADMIN_REVOKE_ENTITLEMENT_FROM_CUSTOMER Admin entitlement to revoke an entitlement from a customer
ADMIN_REVOKE_ENTITLEMENT_GROUP_FROM_CUSTOMER Admin entitlement to revoke an entitlement group from a customer
ADMIN_SELF_ACCEPT_ORGANIZATION_EULA Admin entitlement to self-accept the organization EULA
ADMIN_UPDATE_CUSTOMER Admin entitlement to update customer information

ENTITLEMENT_MANAGEMENT_ENTITLEMENT_GROUP

Name Description
ADMIN_ADD_ENTITLEMENT_TO_GROUP Admin entitlement to add entitlement to group
ADMIN_CREATE_ENTITLEMENT Admin entitlement to create an entitlement
ADMIN_CREATE_ENTITLEMENT_GROUP Admin entitlement to create an entitlement group
ADMIN_DELETE_ENTITLEMENT Admin entitlement to delete an entitlement
ADMIN_DELETE_ENTITLEMENT_FROM_GROUP Admin entitlement to delete entitlement from group
ADMIN_DELETE_ENTITLEMENT_GROUP Admin entitlement to delete an entitlement group
ADMIN_UPDATE_ENTITLEMENT Admin entitlement to update an entitlement
ADMIN_UPDATE_ENTITLEMENT_GROUP Admin entitlement to update an entitlement group

FEDERATED_USER_ENTITLEMENT_GROUP

Name Description
SELF_ACCEPT_USER_EULA User entitlement to accept an end-user license agreement
SELF_CONFIRM_AUTH_SECRET User entitlement to confirm own auth secret
SELF_GET_AUTH_SECRET User entitlement to view own auth secret
SELF_GET_CUSTOMER User entitlement to view information about own customer
SELF_GET_MFA_SETUP User entitlement to get own MFA setup details
SELF_GET_USER User entitlement to view own information
SELF_LIST_USER_CUSTOMERS User entitlement to view details of customers from own customers list
SELF_RESET_AUTH_SECRET User entitlement to reset own auth secret
SELF_RESET_OTP_MFA_ENROLLMENT User entitlement to reset own OTP MFA enrollment
SELF_RESET_USER_KBA User entitlement to reset own KBA responses
SELF_SET_MFA_METHOD User entitlement to set own MFA method
SELF_SET_USER_KBA_RESPONSES User entitlement to set own KBA responses
SELF_UPDATE_USER User entitlement to update own information

FEDERATION_MANAGEMENT_ENTITLEMENT_GROUP

Name Description
ADMIN_ACCESS_DASHBOARD Admin entitlement to access dashboard
ADMIN_CREATE_IDP Admin entitlement to create IDP configuration
ADMIN_CREATE_SP Admin entitlement to create SP configuration
ADMIN_DELETE_IDP Admin entitlement to delete IDP configuration
ADMIN_DELETE_SP Admin entitlement to delete SP configuration
ADMIN_GET_IDP Admin entitlement to get IDP configuration
ADMIN_GET_SP Admin entitlement to get SP configuration
ADMIN_LIST_IDPS Admin entitlement to list IDP configurations
ADMIN_LIST_SPS Admin entitlement to list SP configurations
ADMIN_UPDATE_IDP Admin entitlement to update IDP configuration
ADMIN_UPDATE_SP Admin entitlement to update SP configuration

MULTI_CUSTOMER_ADMIN_ENTITLEMENT_GROUP

Name Description
ADMIN_ACTIVATE_CUSTOMER Admin entitlement to activate a customer
ADMIN_ADD_TO_USER_CUSTOMERS Admin entitlement to add a customer to a user's customers list
ADMIN_CREATE_CUSTOMER Admin entitlement to create a customer
ADMIN_DEACTIVATE_CUSTOMER Admin entitlement to deactivate a customer
ADMIN_DELETE_CUSTOMER Admin entitlement to delete a customer
ADMIN_LIST_USER_CUSTOMERS Admin entitlement to list the customers belonging to a user
ADMIN_MANAGE_CUSTOMERS_EULA_REVISION Admin entitlement to manage customers' EULA revision
ADMIN_REMOVE_FROM_USER_CUSTOMERS Admin entitlement to remove a customer from a user's customers list
ADMIN_SEND_CUSTOMERS_NOTIFICATION_MESSAGE Admin entitlement to send notification messages to users of multiple customers
ADMIN_UPDATE_USER_CUSTOMERS Admin entitlement to update the customers list belonging to a user
SELF_UPDATE_USER_CUSTOMER_IN_SESSION Admin entitlement to update which customer an authenticated user session currently belongs to

SELF_USER_ENTITLEMENT_GROUP

Name Description
SELF_ACCEPT_USER_EULA User entitlement to accept an end-user license agreement
SELF_ADD_EMAIL_OR_MOBILE User entitlement to add unverified email or mobile
SELF_CHANGE_PASSWORD User entitlement to change password
SELF_CHANGE_UID User entitlement to update own UID
SELF_CONFIRM_AUTH_SECRET User entitlement to confirm own auth secret
SELF_GET_AUTH_SECRET User entitlement to view own auth secret
SELF_GET_CUSTOMER User entitlement to view information about own customer
SELF_GET_MFA_SETUP User entitlement to get own MFA setup details
SELF_GET_USER User entitlement to view own information
SELF_INVALIDATE_DEVICE_SESSIONS User entitlement to invalidate own device sessions
SELF_LIST_DEVICES User entitlement to list devices used for login
SELF_LIST_USER_CUSTOMERS User entitlement to view details of customers from own customers list
SELF_REMOVE_IDENTIFIERS User entitlement to remove own verified identifiers
SELF_RESET_AUTH_SECRET User entitlement to reset own auth secret
SELF_RESET_OTP_MFA_ENROLLMENT User entitlement to reset own OTP MFA enrollment
SELF_RESET_USER_KBA User entitlement to reset own KBA responses
SELF_SEND_VERIFICATION_CODE User entitlement to send a verification code to an identifier
SELF_SET_MFA_METHOD User entitlement to set own MFA method
SELF_SET_USER_KBA_RESPONSES User entitlement to set own KBA responses
SELF_UPDATE_USER User entitlement to update own information
SELF_VERIFY_IDENTIFIER User entitlement to verify own identifier