Set or modify who is entitled to access the application. Users must be entitled to the application to view and access the application from the Verify home page or to sign on to the target application's web page.
Before you begin
- You must have administrative permission or be an application owner to complete this task.
- An application instance must exist before you can entitle users and groups to access it. See Configuring applications.
- Create users and groups in the cloud directory before you assign application entitlements. See Managing users and Managing groups. Only existing users and groups can be entitled to the application instance.
  To entitle groups from your SAML enterprise identity source, you must create shadow groups in the cloud directory and use the same names as the groups in your SAML enterprise identity source. The shadow groups need not be populated with any members. The shadow group serves as a placeholder that represents the SAML enterprise group.
About this task
You can assign entitlements to groups, cloud directory users, and federated users.
You can access the Entitlements tab when you edit the application instance.
You can grant or remove access to the application for all users with the All users are entitled to this application option. For access entitlements of individual or multiple users or groups, see the following:
Procedure
- Select .
- Select the application and select the Edit icon.
  Hover over the application that you want to manage and select the icon when it appears.
- Select the Entitlements tab.
- Assign application entitlements.
  - If Provision accounts is enabled in account lifecycle, then when you assign an entitlement to any users directly or as part of a group, provisioning is initiated to create the account on the target.
  - Select Automatic access for all users and groups to entitle all users and groups to access the application.
    Note: This option grants access to all users that are available in IBM® Verify to the application. If provisioning is enabled in the account lifecycle, this option initiates provisioning of accounts for all the users.
  - Select Approval required for all users and groups to provide approval before granting the entitlement to all users and groups to access the application. Select one or more approvers. If this option is selected, any user can request access to the application from My requests in the launchpad.
    Note: If User's manager and Application owner both are selected, the approval workflow is done in sequence. The manager must first approve, then any of the application owners can approve the access.
  - Use advanced flow
    - If Use advanced flow is selected, the approval process is managed by using an approval-based published flow that is created using Flow designer. To create a new flow, see Managing flow designer.
      Note: The Use advanced flow approval method supports application access along with Fine grain access request and Requesting access for others.
    - The advanced flow is selected from a list of flows under Select flow. Only the flows that are published and include the Initiate access request approval and Complete approval node are a part of the list.
      Note: Use advanced flow is a requestable feature, CI-49772 (Request access with advance workflow). To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. You can also create a support ticket with the feature number if you have the permission.
  - Select Select users, groups, dynamic groups and assign individual accesses to entitle only selected users and groups and dynamic groups, to access the application. Select one or more approvers.
    Note: Dynamic group is a requestable feature, Beta CI-46644 (Dynamic attribute based access control). To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. You can also create a support ticket with the feature number if you have the permission.
    - Select Add. The Select users, groups, and dynamic groups dialog box is displayed.
    - Use the Search field for a filtered list of data.
    - Select the users, groups or dynamic groups from the Matching Items list and select Add.
    - If you added users, groups or dynamic groups in the Selected Items list by mistake, select the entry from the Selected Items list and select Remove.
    - If the target user is not in the returned search results, select Add new user. Use this option to create a cloud directory user or a federated user who has not yet authenticated to Verify. See Creating a user.
      Note: When you select Save in the Add User dialog box, the user is created and can be viewed or updated from .
    - If you are assigning an entitlement to a group, you can enable or disable automatic access.
      - Automatic access is enabled: All the users in this group are automatically entitled to the application and do not require any approval. This setting is the default option.
      - Automatic access is disabled: The users in this group are not automatically entitled to the application. The user access must be approved by the selected approvers.
    - Select OK.
      Note: If you added a user but choose to Cancel, the user is not entitled to the application.
  - Select Save.
- Search and view the application entitlements.
  - Use the Search field for a filtered list of data.
  - Select the name of the entitled user or group to display information in the Details area.
    Note: The information that is displayed varies depending on whether a user or group is selected. Group information only includes the group name, and the name and email of the user who assigned the entitlement.
Table 1. Displayed information
| Information | Descriptions |
| --- | --- |
| Name | Given name and surname of the user. Note: For federated users, this information is optional. |
| Email | Email address of the user where notifications are sent such as the user's new password after a reset request, or the one-time password. Note: For federated users, this information is optional. |
| Username | Unique identifier for logging in to Verify. It can be the same as the email address of the user. Note: For federated users, the username is concatenated with an @ followed by the realm that is associated with the identity provider from which the user information is retrieved. For example, johnsmith@example.com@ADFS where johnsmith@example.com is the user's registered user name and ADFS is the user's realm. |
| Assigner | Given name and surname of the user who entitled the user or group to access the application. |
| Email | Email address of the Assigner. |
- Remove application entitlements.
  If deprovision accounts is enabled in the account lifecycle, when you remove an entitlement from any user directly or as part of the group, deprovisioning is initiated to deprovision the account from the target application.
  - Select the user or group that you want to remove.
    Tip: You can select multiple entries.
  - Select Remove.
  - Confirm that you want to permanently delete the selected entitlement.
  - Select Save.
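
The Username row of Table 1 gives the federated format (registered user name, an @, then the realm), while a cloud directory username can itself be an email address, so the realm cannot be read from the string alone during an entitlement review. The following is an added example, not IBM code: the function names, the realm list and the sample usernames are assumptions constructed here, and realm names are assumed to match exactly.

```python
from collections import defaultdict

# Assumption: realm names of the identity providers configured for the tenant.
# "ADFS" is the realm used in the page's example; the set itself is constructed.
KNOWN_REALMS = {"ADFS"}


def split_federated_username(username, known_realms=KNOWN_REALMS):
    """Return (registered_user_name, realm).

    realm is None when the part after the last '@' is not a known realm,
    which is how a cloud directory username such as an email address is
    kept in one piece instead of being cut at its domain.
    """
    name, sep, realm = username.rpartition("@")
    # Split on the LAST '@' only: the registered user name may contain '@'.
    if sep and name and realm in known_realms:
        return name, realm
    return username, None


def group_by_realm(usernames, known_realms=KNOWN_REALMS):
    """Group entitled usernames by realm for review; key None = no known realm."""
    grouped = defaultdict(list)
    for username in usernames:
        name, realm = split_federated_username(username, known_realms)
        grouped[realm].append(name)
    return dict(grouped)


# Constructed sample of entitled usernames, as they might be copied from the
# Entitlements tab. Not real data.
SAMPLE_ENTITLED = [
    "johnsmith@example.com@ADFS",  # federated user from the page's example
    "johnsmith@example.com",       # username equal to an email address
    "jdoe@ADFS",                   # federated, registered name without '@'
    "asmith",                      # plain username
]

if __name__ == "__main__":
    for realm, names in group_by_realm(SAMPLE_ENTITLED).items():
        print(realm, names)
```

Two entries that look alike, johnsmith@example.com@ADFS and johnsmith@example.com, end up in different groups, so each can be reviewed as a separate entitlement.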