Access entitlements
The externalized APIs of the Verify authentication service are protected by OAuth access tokens. As an additional control, access to each API is also authorized based on entitlements.
An entitlement is a fine-grained permission that restricts the scope of access that a valid access token carries. Entitlements are associated with the OAuth client ID and secret that are used to obtain the access token. A runtime access token derives its entitlements from its associated client, so a token carries only the entitlements that were granted to that client; granting a client more than it needs widens what every token issued to it can do.
Administrators can grant the following entitlements to an API client. Use the descriptions to determine which entitlements to assign to the API client. For more information on API clients, see the IBM Security Verify Documentation Hub.
| Entitlement | Name | Description |
|---|---|---|
| manageDeployment | Manage deployment | Modify overall service configuration. |
| manageCerts | Manage certificates | Perform create, retrieve, update, and delete operations on personal and trusted certificates for a tenant. |
| readCerts | Read certificates | Perform read operations on personal and trusted certificates for a tenant. |
| manageAPIClients | Manage API clients | Perform create, retrieve, update, and delete operations on API clients for a tenant. |
| readAPIClients | Read API clients | Perform read operations on API clients for a tenant. Cannot view the client secret of an API client. |
| manageIdentitySources | Manage identity providers | Perform create, retrieve, update, and delete operations on identity sources for a tenant. |
| readIdentitySources | Read identity providers | Perform read operations on identity sources for a tenant. |
| manageMFAMethods | Manage second-factor authentication method configuration | Perform create, retrieve, update, and delete operations on MFA authentication method configuration. |
| readMFAMethods | Read second-factor authentication method configuration | Perform read operations on MFA authentication method configuration. |
| manageEnrollMFAMethodAnyUser | Manage second-factor authentication enrollment for all users | Manage enrollments for MFA methods for any user. |
| manageEnrollMFAMethod | Manage own second-factor authentication enrollment | Allows a user to manage their own enrollments for MFA methods. |
| readEnrollMFAMethodAnyUser | Read second-factor authentication enrollment for all users | Read the MFA method enrollments for any user. |
| readEnrollMFAMethod | Read own second-factor authentication enrollment | Allows a user to read their own enrollments for MFA methods. |
| authnAnyUser | Authenticate any user | Authenticate any user. |
| authn | Authenticate yourself | Authenticate yourself. |
| manageAuthenticatorsConfig | Manage authenticator configuration | Manage authenticator configuration. |
| readAuthenticatorsConfig | Read authenticator configuration | Read authenticator configuration. |
| manageAuthenticatorsAnyUser | Manage authenticator registrations for all users | Manage authenticator registrations on behalf of any other user. |
| manageAuthenticators | Manage authenticator registrations for yourself | Manage authenticator registrations for the currently authenticated user. |
| readAuthenticatorsAnyUser | Read authenticator registrations for all users | Read authenticator registrations on behalf of any other user. |
| readAuthenticators | Read authenticator registrations for yourself | Read authenticator registrations for the currently authenticated user. |
| manageUserGroups | Manage users and groups | Perform create, retrieve, update, and delete operations on users and groups in SCIM, excluding the admin group. |
| readUserGroups | Read users and groups | Perform read operations on users and groups in SCIM, excluding the admin group. |
| manageAllUserGroups | Synchronize users and groups | Perform create, retrieve, update, and delete operations on users and groups in SCIM without restrictions on modifying federated users and assigning them to regular, non-reserved groups. |
| manageUserStandardGroups | Manage users and standard groups | Perform create, retrieve, update, and delete operations on users and standard groups, but do not modify or delete reserved groups. |
| manageAdminGroup | Manage administrator group | Add and remove users from the admin group. |
| readAdminGroup | Read administrator group | Read users in the admin group. |
| managePwdPolicy | Manage password policy | Perform create, retrieve, update, and delete operations on the password policy for a tenant. |
| readPwdPolicy | Read password policy | Perform read operations on the password policy for a tenant. |
| AnalyticsDataSyncToCloud | Sync data from Analytics Bridge to Cloud | Sync data from the on-premises Cloudant database to the Apollo Cloudant database over APIs for a tenant. |
| AnalyticsSatelliteOnBoard | Onboard Analytics Bridge | Perform only the bind from on-premises to IBM Security Verify. |
| readOidcGrants | Read OAuth tokens | Read OIDC grants. |
| manageOidcGrants | Manage OAuth tokens | Perform create, retrieve, update, and delete operations on OIDC grants. |
| recoverUsername | Recover user name | Perform username recovery. |
| manageFederations | Manage federations | Manage SAML and OIDC federations. |
| readFederations | Read federations | Read SAML and OIDC federations. |
| resetPassword | Reset password | Reset a password. |
| manageAppAccessAdmin | Manage application lifecycle | Perform create, retrieve, update, and delete operations on applications. |
| manageAppAccessOwner | Manage application entitlements | Add and remove entitlements on an application. |
| manageSubscriptions | Manage subscriptions | Perform administrative actions on ISC subscriptions. |
| manageAccessPolicies | Manage access policies | Perform create, retrieve, update, and delete operations on policies in the Auth Service Policy Vault and Risk Service. |
| readAccessPolicies | Read access policies | Read policies in the Auth Service Policy Vault and Risk Service. |
| managePushCreds | Manage push notification credentials | Perform create, retrieve, update, and delete operations on custom stored push notification credentials. |
| readPushCreds | Read push notification credentials | Perform read operations on custom stored push notification credentials. |
| manageAccessRequest | Manage access request | Read and edit my access request. |
| manageAccessWorkflow | Manage access request workflows | Add or modify access request workflows. |
| manageAccessRequestActivities | Manage my activities to approve or reject access requests | View and manage my activities. Approve or reject access requests. |
| manageApprovalActivities | Manage my activities to approve or reject requests | View and manage my activities. Approve or reject requests. |
| readOidcConsents | Read OAuth consents | Read OIDC consents. |
| manageOidcConsents | Manage OAuth consents | Perform create, retrieve, update, and delete operations on OIDC consents. |
| readReports | Read reports | View authentication activity, application usage, user activity, and admin activity reports. View the schedule of recurring reports. |
| manageReports | Manage reports | Export reports (one-time). Manage the schedule of recurring reports. |
| updateAnyUser | Update any user | Perform replace operations on any user. |
| resetPasswordAnyUser | Reset password of any user | Reset the password of any user. |
| readTenantProperties | Read tenant properties | Read the properties of a tenant. |
| manageTenantProperties | Manage tenant properties | Manage the properties of a tenant. |
| accessAdminConsole | Access admin console | Access the admin console. |
| manageAttributes | Manage attribute sources | Perform create, retrieve, update, and delete operations on attribute sources for a tenant. |
| readAttributes | Read attribute sources | Perform read operations on attribute sources for a tenant. |
| generateOTP | Generate OTP | Generate an OTP and deliver it through email or SMS channels. |
| readAppConfig | Read application configuration | Read application configuration details. Cannot view the client secret of applications or the application API access client. |
| manageTemplates | Manage templates and themes | Customize templates and themes. |
| readTemplates | Read templates and themes | View templates and themes. |
| readTenantSubscriptions | Read tenant subscriptions | View tenant subscriptions. |
| reviewCertRecords | Review certification records | Access certification records in a campaign. |
| readEntitlements | Read configurable entitlements | Read the list of configurable entitlements. |
| accessDevPortal | Access developer portal | Access the developer portal UI and microservice endpoint. |
| manageNotificationProviders | Manage notification providers | Configure custom notification providers. |
| readNotificationProviders | Read notification providers | View the configured custom notification providers. |
| manageCertifications | Manage certifications | Manage access certifications. |
| readExternalAgents | Read external agents | Read external agent configuration for the Native Bridge or LDAP Pass-Through Service. Cannot view the client secret of an identity agent. |
| manageExternalAgents | Manage external agents | Manage external agent configuration. |
| runExternalAgent | Enable external agent runtime functions | Perform the functions of an external agent: read its own configuration, connect to the CI runtime bridge, and receive communication from CI. |
| manageOidcDynamicClient | Manage OIDC client registration dynamically | Manage OIDC client registration dynamically. |
| viewNotifications | View notifications | View the 'notification' icon. |
| manageProfile | Manage profile | View 'Profile & settings'. |
| viewLaunchpad | View launchpad | Allow launch-in-context of applications from the landing page. |
| requestApplications | Request applications | Allow the creation of an application request. |
| manageRequests | Manage requests | Render the 'Task Manager -> App Request' view. |
| readPurpose | Read privacy purposes and EULA | Read privacy purposes and EULA. |
| managePurpose | Manage privacy purposes and EULA | Manage privacy purposes and EULA. |
| manageAppPurpose | Manage application privacy purposes | Manage application privacy purposes. |
| readPrivacyConsent | Read privacy consents | Read privacy consents. |
| managePrivacyConsent | Manage privacy consents | Manage privacy consents. |
| readPrivacyPolicy | Read privacy rules and policy | Read privacy rules and policy. |
| managePrivacyPolicy | Manage privacy rules and policy | Manage privacy rules and policy. |
| createPrivacyConsent | Create privacy consent records | Create privacy consent records. |
| performDSP | Retrieve privacy purposes and associated user's consent | Retrieve privacy purposes and the associated user's consent. |
| performDUA | Check for data usage approval | Check for data usage approval. |
| certCampaignSupervisor | Monitor certification campaigns | Monitor access certification campaigns. |
| managePwdVaultAnyUser | Manage password vault for all users | Manage the credential information that is stored in the password vault for any user. |
| managePwdVault | Manage own password vault | Manage your own credential information that is stored in the password vault. |
| readPwdVaultAnyUser | Read password vault for all users | Retrieve the credential information that is stored in the password vault for any user. |
| readPwdVault | Read own password vault | Retrieve your own credential information from the password vault. |
| managePwdVaultConfig | Manage password vault configuration | Update the configuration for the password vault. |
| readPwdVaultConfig | Read password vault configuration | Retrieve the configuration for the password vault. |
| mfaPush | Send second-factor push notifications | Send push notifications for multi-factor authentication. |
| readPrivacyProfile | Read privacy profiles | Read privacy profiles. |
| managePrivacyProfile | Manage privacy profiles | Manage privacy profiles. |
| manageEntitlements | Manage entitlements | Manage both admin and app entitlements. |
| manageDevicesAnyUser | Manage devices for all users | Manage devices for all users. |
| readDevicesAnyUser | Read devices for all users | Read devices for all users. |
| manageDevices | Manage only your devices | Manage only your devices. |
| readDevices | Read only your devices | Read only your devices. |
| manageUsersPwdReset | Manage users and their pwdReset attribute | Manage users and their pwdReset attribute. |
| manageRecaptcha | Manage reCAPTCHA configuration | Perform create, retrieve, update, and delete operations on reCAPTCHA configuration. |
| readRecaptcha | Read reCAPTCHA configuration | Perform read operations on reCAPTCHA configuration. |
| manageLoginSessions | Manage login sessions | Manage login sessions. |
| readSelfPrivacyConsent | Read your privacy consents | Read your privacy consents. |
| manageSelfPrivacyConsent | Manage your privacy consents | Manage your privacy consents. |
| readSelfOidcGrants | Read your OIDC and OAuth grants | Read your OIDC grants. |
| manageSelfOidcGrants | Manage your OIDC and OAuth grants | Perform create, retrieve, update, and delete operations on your OIDC grants. |
| readAppPrivacyConsent | Read the privacy consents of the applications that you own | Read the privacy consents of the applications that you own. |
| manageRelyingParty | Manage relying party configuration | Perform create, retrieve, update, and delete operations on relying party configuration. |
| readRelyingParty | Read relying party configuration | Perform read operations on relying party configuration. |
| manageWebhooks | Manage webhooks | Perform create, retrieve, update, and delete operations on webhook configuration. |
| readWebhooks | Read webhooks | Read webhook configuration. |
| readSTSClients | Read STS clients and token types | Read STS clients and token types. Cannot view the client secret of an STS client. |
| manageSTSClients | Manage STS clients and token types | Perform create, retrieve, update, and delete operations on STS clients and token types. |
| manageVerifiableLinks | Manage Verifiable Links configuration | Perform management operations on the configuration for verifiable links. |
| manageMyOrg | Manage my organization | View and manage my reportees. |
| readAccessAsManager | View accesses of the reportees | View the existing and requestable accesses of the reporting employees. |
| manageAccessAsManager | Manage accesses of the reportees | Manage the existing accesses of the reporting employees. |
| readOidcAppGrants | Read OIDC and OAuth application grants | Read OIDC application grants. |
| manageOidcAppGrants | Manage OIDC and OAuth application grants | Perform create, retrieve, update, and delete operations on OIDC application grants. |
| readPrivacyConsentProvider | Read privacy consent providers | Read external consent provider configuration. |
| managePrivacyConsentProvider | Manage privacy consent providers | Perform create, retrieve, update, and delete operations on consent providers. |
| createSamlAliases | Create SAML aliases | Create SAML persistent name identifier aliases. |
| readEmailSuppressionList | Read email suppression list | Read the email suppression list. |
| manageEmailSuppressionList | Manage email suppression list | Manage the email suppression list. |
| listSessions | List all sessions for a user | List all sessions for a user. |
| revokeSession | Revoke a session for a user | Revoke a session for a user. |
| revokeAllSessions | Revoke all sessions for a user | Revoke all sessions for a user. |
| readTraceLogs | Read trace logs | Read trace logs. |
| readFlows | Read flows | Read flows. |
| manageFlows | Manage flows | Manage flows. |
| readSMSProviders | Read external SMS provider configuration | Read external SMS provider configuration. |
| manageSMSProviders | Manage external SMS provider configuration | Manage external SMS provider configuration. |
| readIAGDeployBundleAny | Export any external IAG deploy bundle | Export any external IAG deploy bundle. |
| readUsers | Read all users but not group memberships | Perform read operations on all users, but not on users' group memberships. |
| readUsersGroupMembership | Read all users and group memberships | Perform read operations on all users and group memberships. |
| readUsersStandardGroupMembership | Read all users and standard group memberships | Perform read operations on all users, but view memberships only in standard groups. |
| manageUsers | Manage all users | Perform create, retrieve, update, and delete operations on all users. |
| manageUsersInStandardGroups | Manage users in standard groups | Perform create, retrieve, update, and delete operations only on users in standard groups. |
| readGroups | Read all groups but not their members | Perform read operations on all groups, but not on group members. |
| readStandardGroups | Read standard groups but not their members | Perform read operations only on standard groups, but not on standard group members. |
| readGroupMembers | Read all groups and their members | Perform read operations on all groups and group members. |
| readStandardGroupMembers | Read standard groups and their members | Perform read operations only on standard groups and standard group members. |
| manageGroups | Manage all groups but not their members | Perform create, retrieve, update, and delete operations on all groups, but not on group members. |
| manageStandardGroups | Manage standard groups but not their members | Perform create, retrieve, update, and delete operations only on standard groups, but not on standard group members. |
| manageGroupMembers | Manage all groups and their members | Perform create, retrieve, update, and delete operations on all groups and group members. |
| manageStandardGroupMembers | Manage standard groups and their members | Perform create, retrieve, update, and delete operations only on standard groups and standard group members. |
| readAppConfigAndClientSecret | Read application configuration with the client secret | Read the client secret of applications and the application API access client. |
| readSTSClientsAndClientSecret | Read STS clients with the client secret and token types | Read STS clients with the client secret and token types. |
| readAPIClientsAndClientSecret | Read API clients with the client secret | Read API clients with the client secret. |
| readExternalAgentsAndClientSecret | Read external agents with the client secret | Read the client secret of an identity agent. |
Note:
To view the list of all users and the activity of a specific user, the administrator needs one or more of the following entitlements:
readUserGroups
manageUserGroups
manageAllUserGroups
manageUserStandardGroups
In addition, the administrator might need one or more of the following general permissions:
tenantadmin (member of the admin group; this membership can be assigned only by an API call).
reserved_appowner (member of the application owners group, or assigned only by an API call).
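Because every token issued to an API client inherits the client's full entitlement set, the grant list is the place to enforce least privilege. The following script is an added example for this page, not IBM code, and it does not call the Verify API. It parses rows written in the page's table format (a constructed excerpt of the table above is embedded), then reviews a proposed entitlement list for a client: it flags the entitlements that return stored client secrets (the ones ending in AndClientSecret), the tenant-wide ones (ending in AnyUser), and a small set treated here as administrative control of the tenant, and it points to the narrower entitlement the page actually defines (readFoo for manageFoo, foo for fooAnyUser or fooAndClientSecret). The function names, the ADMIN_LEVEL set and the risk classes are this example's own choices, not an IBM classification.

```python
"""Least-privilege review of the entitlements proposed for a Verify API client.

Added example for this page; not IBM code, and it never contacts the Verify
API. Risk classes and the ADMIN_LEVEL set are this example's own judgement.
"""

# Constructed excerpt of the page's entitlement table, in the page's row format.
ENTITLEMENT_TABLE = """\
| manageDeployment | Manage deployment | Modify overall service configuration. |
| manageAPIClients | Manage API clients | Perform create, retrieve, update, and delete operations on API clients for a tenant. |
| readAPIClients | Read API clients | Perform read operations on API clients for a tenant. Cannot view the client secret of an API client. |
| readAPIClientsAndClientSecret | Read API clients with the client secret | Read API clients with the client secret. |
| manageAdminGroup | Manage administrator group | Add and remove users from the admin group. |
| manageEntitlements | Manage entitlements | Manage both admin and app entitlements. |
| authnAnyUser | Authenticate any user | Authenticate any user. |
| authn | Authenticate yourself | Authenticate yourself. |
| readUsers | Read all users but not group memberships | Perform read operations on all users, but not on users' group memberships. |
| manageUsers | Manage all users | Perform create, retrieve, update, and delete operations on all users. |
| readDevicesAnyUser | Read devices for all users | Read devices for all users. |
| readDevices | Read only your devices | Read only your devices. |
"""

# Entitlements this example treats as administrative control of the tenant
# itself (chosen from the page's descriptions; not an IBM rating).
ADMIN_LEVEL = {"manageDeployment", "manageAPIClients", "manageAdminGroup", "manageEntitlements"}


def parse_table(text):
    """Return {entitlement: {"name": ..., "description": ...}} from table rows."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip blank lines and the |---|---|---| separator row.
        if len(cells) == 3 and cells[0] and not set(cells[0]) <= {"-"}:
            rows[cells[0]] = {"name": cells[1], "description": cells[2]}
    return rows


def narrower_alternative(entitlement, known):
    """Less privileged entitlements the table defines for this one:
    manageFoo -> readFoo, fooAnyUser -> foo, fooAndClientSecret -> foo."""
    candidates = []
    if entitlement.startswith("manage"):
        candidates.append("read" + entitlement[len("manage"):])
    if entitlement.endswith("AnyUser"):
        candidates.append(entitlement[: -len("AnyUser")])
    if entitlement.endswith("AndClientSecret"):
        candidates.append(entitlement[: -len("AndClientSecret")])
    return [c for c in candidates if c in known]


def review(requested, known):
    """Return (entitlement, risk_class, note) findings for a proposed grant list."""
    findings = []
    for ent in requested:
        if ent not in known:
            # Entitlement names are case-sensitive identifiers; a typo here
            # silently grants nothing, so surface it instead of ignoring it.
            findings.append((ent, "unknown", "not in the entitlement table; verify before granting"))
            continue
        if ent.endswith("AndClientSecret"):
            findings.append((ent, "secret-exposure", "returns stored client secrets"))
        if ent.endswith("AnyUser"):
            findings.append((ent, "tenant-wide", "acts on every user in the tenant"))
        if ent in ADMIN_LEVEL:
            findings.append((ent, "admin-level", known[ent]["description"]))
        for alt in narrower_alternative(ent, known):
            findings.append((ent, "narrower-option", f"consider {alt} ({known[alt]['name']})"))
    return findings


def risk_classes(requested, known=None):
    """Set of risk classes raised by a proposed grant list."""
    known = known if known is not None else parse_table(ENTITLEMENT_TABLE)
    return {cls for _, cls, _ in review(requested, known)}


if __name__ == "__main__":
    table = parse_table(ENTITLEMENT_TABLE)
    # Constructed proposal for a hypothetical reporting integration.
    proposal = ["readAPIClientsAndClientSecret", "authnAnyUser", "manageUsers", "readDevices", "readApiClients"]
    for ent, cls, note in review(proposal, table):
        print(f"{ent:32} {cls:16} {note}")
```

In practice you would paste the full table from this page into ENTITLEMENT_TABLE so that every manage/AnyUser/AndClientSecret entitlement resolves to its narrower counterpart; the excerpt above is kept short only to stay self-contained. A client that needs only to enumerate clients should end up with readAPIClients, and one that authenticates only itself with authn, which is exactly what the narrower-option findings steer toward.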