Access entitlements

The externalized APIs of the Verify authentication service are protected by OAuth access tokens. As extra security, access to each API is authorized based on entitlements.

An entitlement is a form of fine-grained permission control that restricts or minimizes the scope of access for a valid access token. Entitlements are associated with an OAuth client ID and secret, which are used to obtain the access token. A runtime access token derives its entitlements from its associated client.

Administrators can grant the following entitlements to an API client. Use the descriptions to determine which entitlements to assign to the API client. For more information about API clients, see the IBM Security Verify Documentation Hub.
Table 1. Entitlements

Entitlement | Name | Description
manageDeployment | Manage deployment | Modify overall service configuration.
manageCerts | Manage certificates | Perform create, retrieve, update, and delete operations on personal and trusted certificates for a tenant.
readCerts | Read certificates | Perform read operations on personal and trusted certificates for a tenant.
manageAPIClients | Manage API clients | Perform create, retrieve, update, and delete operations on API clients for a tenant.
readAPIClients | Read API clients | Perform read operations on API clients for a tenant. Cannot view the client secret of an API client.
manageIdentitySources | Manage identity providers | Perform create, retrieve, update, and delete operations on identity sources for a tenant.
readIdentitySources | Read identity providers | Perform read operations on identity sources for a tenant.
manageMFAMethods | Manage second-factor authentication method configuration | Perform create, retrieve, update, and delete operations on MFA authentication method configuration.
readMFAMethods | Read second-factor authentication method configuration | Perform read operations on MFA authentication method configuration.
manageEnrollMFAMethodAnyUser | Manage second-factor authentication enrollment for all users | Manage enrollments for MFA methods for any user.
manageEnrollMFAMethod | Manage own second-factor authentication enrollment | Allows a user to manage their own enrollments for MFA methods.
readEnrollMFAMethodAnyUser | Read second-factor authentication enrollment for all users | Read the MFA method enrollments for any user.
readEnrollMFAMethod | Read own second-factor authentication enrollment | Allows a user to read their own enrollments for MFA methods.
authnAnyUser | Authenticate any user | Authenticate any user.
authn | Authenticate yourself | Authenticate yourself.
manageAuthenticatorsConfig | Manage authenticator configuration | Manage authenticator configuration.
readAuthenticatorsConfig | Read authenticator configuration | Read authenticator configuration.
manageAuthenticatorsAnyUser | Manage authenticator registrations for all users | Manage authenticator registrations on behalf of any other user.
manageAuthenticators | Manage authenticator registrations for yourself | Manage authenticator registrations for the currently authenticated user.
readAuthenticatorsAnyUser | Read authenticator registrations for all users | Read authenticator registrations on behalf of any other user.
readAuthenticators | Read authenticator registrations for yourself | Read authenticator registrations for the currently authenticated user.
manageUserGroups | Manage users and groups | Perform create, retrieve, update, and delete operations on users and groups in SCIM, excluding the admin group.
readUserGroups | Read users and groups | Perform read operations on users and groups in SCIM, excluding the admin group.
manageAllUserGroups | Synchronize users and groups | Perform create, retrieve, update, and delete operations on users and groups in SCIM without restrictions on modifying federated users and assigning them to regular non-reserved groups.
manageUserStandardGroups | Manage users and standard groups | Perform create, retrieve, update, and delete operations on users and standard groups, but do not allow modifying or deleting reserved groups.
manageAdminGroup | Manage administrator group | Add and remove users from the admin group.
readAdminGroup | Read administrator group | Read users in the admin group.
managePwdPolicy | Manage password policy | Perform create, retrieve, update, and delete operations on the password policy for a tenant.
readPwdPolicy | Read password policy | Perform read operations on the password policy for a tenant.
AnalyticsDataSyncToCloud | Sync data from Analytics Bridge to Cloud | Perform data sync from the on-premises Cloudant database to the Apollo Cloudant database over APIs for a tenant.
AnalyticsSatelliteOnBoard | Onboard Analytics Bridge | Perform only the bind from on-premises to IBM Security Verify.
readOidcGrants | Read OAuth tokens | Read OIDC grants.
manageOidcGrants | Manage OAuth tokens | Perform create, retrieve, update, and delete operations on OIDC grants.
recoverUsername | Recover user name | Perform username recovery.
manageFederations | Manage federations | Manage SAML and OIDC federations.
readFederations | Read federations | Read SAML and OIDC federations.
resetPassword | Reset password | Perform a password reset.
manageAppAccessAdmin | Manage application lifecycle | Perform create, retrieve, update, and delete operations on applications.
manageAppAccessOwner | Manage application entitlements | Add and remove entitlements on an application.
manageSubscriptions | Manage subscriptions | Perform administrative actions on ISC subscriptions.
manageAccessPolicies | Manage access policies | Perform create, retrieve, update, and delete operations on policies in the Auth Service Policy Vault and Risk Service.
readAccessPolicies | Read access policies | Read policies in the Auth Service Policy Vault and Risk Service.
managePushCreds | Manage push notification credentials | Perform create, retrieve, update, and delete operations to manage custom stored push notification credentials.
readPushCreds | Read push notification credentials | Perform read operations on custom stored push notification credentials.
manageAccessRequest | Manage access request | Read and edit my access requests.
manageAccessWorkflow | Manage access request workflows | Add or modify access request workflows.
manageAccessRequestActivities | Manage my activities to approve or reject access requests | View and manage my activities. Approve or reject access requests.
manageApprovalActivities | Manage my activities to approve or reject requests | View and manage my activities. Approve or reject requests.
readOidcConsents | Read OAuth consents | Read OIDC consents.
manageOidcConsents | Manage OAuth consents | Perform create, retrieve, update, and delete operations on OIDC consents.
readReports | Read reports | View authentication activity, application usage, user activity, and admin activity reports. View the schedule of recurring reports.
manageReports | Manage reports | Export reports (one-time). Manage the schedule of recurring reports.
updateAnyUser | Update any user | Perform replace operations on any user.
resetPasswordAnyUser | Reset password of any user | Reset the password of any user.
readTenantProperties | Read tenant properties | Read the properties of a tenant.
manageTenantProperties | Manage tenant properties | Manage the properties of a tenant.
accessAdminConsole | Access admin console | Access the admin console.
manageAttributes | Manage attribute sources | Perform create, retrieve, update, and delete operations on attribute sources for a tenant.
readAttributes | Read attribute sources | Perform read operations on attribute sources for a tenant.
generateOTP | Generate OTP | Generate an OTP and deliver it through email or SMS channels.
readAppConfig | Read application configuration | Read application configuration details. Cannot view the client secret for applications and the Application API Access Client.
manageTemplates | Manage templates and themes | Customize templates and themes.
readTemplates | Read templates and themes | View templates and themes.
readTenantSubscriptions | Read tenant subscriptions | View tenant subscriptions.
reviewCertRecords | Review certification records | Access certification records in a campaign.
readEntitlements | Read configurable entitlements | Read the list of configurable entitlements.
accessDevPortal | Access developer portal | Access the developer portal UI and microservice endpoint.
manageNotificationProviders | Manage notification providers | Configure custom notification providers.
readNotificationProviders | Read notification providers | View the configured custom notification providers.
manageCertifications | Manage certifications | Manage access certifications.
readExternalAgents | Read external agents | Read external agent configurations for Native Bridge or LDAP Pass-Thru Service. Cannot view the client secret for the identity agent.
manageExternalAgents | Manage external agents | Manage external agent configuration.
runExternalAgent | Enable external agent runtime functions | Perform the functions of an external agent, including reading its own configuration, connecting to the CI runtime bridge, and receiving communication from CI.
manageOidcDynamicClient | Manage OIDC client registration dynamically | Manage OIDC client registration dynamically.
viewNotifications | View notifications | View the 'notification' icon.
manageProfile | Manage profile | View 'Profile & settings'.
viewLaunchpad | View launchpad | Allow launch-in-context of applications from the landing page.
requestApplications | Request applications | Allow the creation of an application request.
manageRequests | Manage requests | Render the 'Task Manager -> App Request' view.
readPurpose | Read privacy purposes and EULA | Read privacy purposes and EULA.
managePurpose | Manage privacy purposes and EULA | Manage privacy purposes and EULA.
manageAppPurpose | Manage application privacy purposes | Manage application privacy purposes.
readPrivacyConsent | Read privacy consents | Read privacy consents.
managePrivacyConsent | Manage privacy consents | Manage privacy consents.
readPrivacyPolicy | Read privacy rules and policy | Read privacy rules and policy.
managePrivacyPolicy | Manage privacy rules and policy | Manage privacy rules and policy.
createPrivacyConsent | Create privacy consent records | Create privacy consent records.
performDSP | Retrieve privacy purposes and associated user's consent | Retrieve privacy purposes and the associated user's consent.
performDUA | Check for data usage approval | Check for data usage approval.
certCampaignSupervisor | Monitor certification campaigns | Monitor access certification campaigns.
managePwdVaultAnyUser | Manage password vault for all users | Manage the credential information that is stored in the password vault for any user.
managePwdVault | Manage own password vault | Manage the credential information that is stored in the password vault.
readPwdVaultAnyUser | Read password vault for all users | Retrieve the credential information that is stored in the password vault for any user.
readPwdVault | Read own password vault | Retrieve own credential information from the password vault.
managePwdVaultConfig | Manage password vault configuration | Update the configuration for the password vault.
readPwdVaultConfig | Read password vault configuration | Retrieve the configuration for the password vault.
mfaPush | Send second-factor push notifications | Send push notifications for multi-factor authentication.
readPrivacyProfile | Read privacy profiles | Read privacy profiles.
managePrivacyProfile | Manage privacy profiles | Manage privacy profiles.
manageEntitlements | Manage entitlements | Manage both admin and app entitlements.
manageDevicesAnyUser | Manage devices for all users | Manage devices for all users.
readDevicesAnyUser | Read devices for all users | Read devices for all users.
manageDevices | Manage only your devices | Manage only your devices.
readDevices | Read only your devices | Read only your devices.
manageUsersPwdReset | Manage users and their pwdReset attribute | Manage users and their pwdReset attribute.
manageRecaptcha | Manage reCAPTCHA configuration | Perform create, retrieve, update, and delete operations on reCAPTCHA configuration.
readRecaptcha | Read reCAPTCHA configuration | Perform read operations on reCAPTCHA configuration.
manageLoginSessions | Manage login sessions | Manage login sessions.
readSelfPrivacyConsent | Read your privacy consents | Read your privacy consents.
manageSelfPrivacyConsent | Manage your privacy consents | Manage your privacy consents.
readSelfOidcGrants | Read your OIDC and OAuth grants | Read your OIDC grants.
manageSelfOidcGrants | Manage your OIDC and OAuth grants | Perform create, retrieve, update, and delete operations on your OIDC grants.
readAppPrivacyConsent | Read the privacy consents of the applications that you own | Read the privacy consents of the applications that you own.
manageRelyingParty | Manage relying party configuration | Perform create, retrieve, update, and delete operations on relying party configuration.
readRelyingParty | Read relying party configuration | Perform read operations on relying party configuration.
manageWebhooks | Manage webhooks | Perform create, retrieve, update, and delete operations on webhook configuration.
readWebhooks | Read webhooks | Read webhook configuration.
readSTSClients | Read STS clients and token types | Read STS clients and token types. Cannot view the client secret of an STS client.
manageSTSClients | Manage STS clients and token types | Perform create, retrieve, update, and delete operations on STS clients and token types.
manageVerifiableLinks | Manage Verifiable Links configuration | Perform management operations on the configuration for verifiable links.
manageMyOrg | Manage my organization | View and manage my reportees.
readAccessAsManager | View accesses of the reportees | View the existing and requestable accesses of the reporting employees.
manageAccessAsManager | Manage accesses of the reportees | Manage the existing accesses of the reporting employees.
readOidcAppGrants | Read OIDC and OAuth application grants | Read OIDC application grants.
manageOidcAppGrants | Manage OIDC and OAuth application grants | Perform create, retrieve, update, and delete operations on OIDC application grants.
readPrivacyConsentProvider | Read privacy consent providers | Read external consent provider configuration.
managePrivacyConsentProvider | Manage privacy consent providers | Perform create, retrieve, update, and delete operations on consent providers.
createSamlAliases | Create SAML aliases | Create SAML persistent name identifier aliases.
readEmailSuppressionList | Read email suppression list | Read the email suppression list.
manageEmailSuppressionList | Manage email suppression list | Manage the email suppression list.
listSessions | List all sessions for a user | List all sessions for a user.
revokeSession | Revoke a session for a user | Revoke a session for a user.
revokeAllSessions | Revoke all sessions for a user | Revoke all sessions for a user.
readTraceLogs | Read trace logs | Read trace logs.
readFlows | Read flows | Read flows.
manageFlows | Manage flows | Manage flows.
readSMSProviders | Read external SMS provider configuration | Read external SMS provider configuration.
manageSMSProviders | Manage external SMS provider configuration | Manage external SMS provider configuration.
readIAGDeployBundleAny | Export any external IAG deploy bundle | Export any external IAG deploy bundle.
readUsers | Read all users but not group memberships | Perform read operations on all users, but not on users' group memberships.
readUsersGroupMembership | Read all users and group memberships | Perform read operations on all users and group memberships.
readUsersStandardGroupMembership | Read all users and standard group memberships | Perform read operations on all users and view memberships only in standard groups.
manageUsers | Manage all users | Perform create, retrieve, update, and delete operations on all users.
manageUsersInStandardGroups | Manage users in standard groups | Perform create, retrieve, update, and delete operations only on users in standard groups.
readGroups | Read all groups but not their members | Perform read operations on all groups, but not on group members.
readStandardGroups | Read standard groups but not their members | Perform read operations only on standard groups, but not on standard group members.
readGroupMembers | Read all groups and their members | Perform read operations on all groups and group members.
readStandardGroupMembers | Read standard groups and their members | Perform read operations only on standard groups and standard group members.
manageGroups | Manage all groups but not their members | Perform create, retrieve, update, and delete operations on all groups, but not on group members.
manageStandardGroups | Manage standard groups but not their members | Perform create, retrieve, update, and delete operations on all standard groups, but not on standard group members.
manageGroupMembers | Manage all groups and their members | Perform create, retrieve, update, and delete operations on all groups and group members.
manageStandardGroupMembers | Manage standard groups and their members | Perform create, retrieve, update, and delete operations only on standard groups and standard group members.
readAppConfigAndClientSecret | Read application configuration with the client secret | Read the client secret for applications and the Application API Access Client.
readSTSClientsAndClientSecret | Read STS clients with the client secret and token types | Read STS clients with the client secret and token types.
readAPIClientsAndClientSecret | Read API clients with the client secret | Read API clients with the client secret.
readExternalAgentsAndClientSecret | Read external agents with the client secret | Read the client secret for the identity agent.
Note:

To view the list of all users and to define the activity of a specific user, the administrator needs one or more of the following permissions:

  • readUserGroups
  • manageUserGroups
  • manageAllUserGroups
  • manageUserStandardGroups

In addition, the administrator might need one or more of the following general permissions:

  • tenantadmin (member of the admin group; can be assigned only through an API call).
  • reserved_appowner (member of the application owners group, or it can be assigned only through an API call).
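The following added example (not IBM Security Verify's code) models the authorization scheme described at the top of the page and the "one or more of" rule in the Note: a client holds entitlements, a token issued to that client inherits exactly those entitlements, and each API operation is gated on them. The entitlement names are taken from Table 1; the operation keys (for example `("GET", "devices")`), the pairing of self and any-user variants, and the client and user names are assumptions made for the illustration and are not Verify's real API paths.

```python
"""Entitlement-scoped authorization model (illustrative, not Verify's own code).

Demonstrates three points from the page:
  * a runtime token derives its entitlements from its client and nothing more;
  * "self" entitlements (readDevices) only cover the token's own subject, while
    the AnyUser variants (readDevicesAnyUser) cover every user;
  * some operations accept any one of several entitlements (the Note's rule for
    listing users), and secret-bearing reads need the ...AndClientSecret variant.
Operation keys and names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    entitlements: FrozenSet[str]


@dataclass(frozen=True)
class AccessToken:
    client_id: str
    entitlements: FrozenSet[str]
    subject: Optional[str]  # user the token acts as; None for a pure client token


def issue_token(client: Client, subject: Optional[str] = None) -> AccessToken:
    """Token entitlements are copied from the client; a token can never hold more."""
    return AccessToken(client.client_id, client.entitlements, subject)


# Assumed operation table: (self entitlement, any-user entitlement).
SELF_OR_ANY: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("GET", "devices"): ("readDevices", "readDevicesAnyUser"),
    ("PUT", "devices"): ("manageDevices", "manageDevicesAnyUser"),
}

# Assumed operation table: any one listed entitlement suffices.
ANY_OF: Dict[Tuple[str, str], FrozenSet[str]] = {
    # The Note: listing users needs one or more of these four.
    ("GET", "users"): frozenset({"readUserGroups", "manageUserGroups",
                                 "manageAllUserGroups", "manageUserStandardGroups"}),
    ("GET", "apiclients"): frozenset({"readAPIClients", "readAPIClientsAndClientSecret"}),
    # Only the ...AndClientSecret entitlement exposes the secret.
    ("GET", "apiclients/secret"): frozenset({"readAPIClientsAndClientSecret"}),
}


def authorize(token: AccessToken, method: str, resource: str,
              target_user: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown operations are denied by default."""
    key = (method, resource)
    if key in SELF_OR_ANY:
        self_ent, any_ent = SELF_OR_ANY[key]
        if any_ent in token.entitlements:
            return True, any_ent
        # The self variant is only valid when acting on the token's own subject.
        if self_ent in token.entitlements and target_user is not None \
                and target_user == token.subject:
            return True, self_ent
        return False, f"needs {any_ent}, or {self_ent} when acting on own account"
    if key in ANY_OF:
        held = ANY_OF[key] & token.entitlements
        if held:
            return True, sorted(held)[0]
        return False, "needs one of " + ", ".join(sorted(ANY_OF[key]))
    return False, "no rule for this operation; denied by default"


if __name__ == "__main__":
    # Constructed least-privilege client: read-only, no secret access.
    helpdesk = Client("helpdesk-client", frozenset(
        {"readAPIClients", "readDevices", "readUserGroups"}))
    tok = issue_token(helpdesk, subject="alice")
    for call in [("GET", "devices", "alice"), ("GET", "devices", "bob"),
                 ("GET", "users", None), ("GET", "apiclients/secret", None)]:
        print(call, authorize(tok, *call))
```

The default-deny branch at the end is the part worth copying: an operation with no entitlement rule should fail closed rather than fall through to the token's mere validity, which is exactly the "extra security" beyond a valid OAuth token that the page describes.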