Set or modify who is entitled to access the application. Users must be entitled to the application to view and access the
application from the Verify home page or to sign on to the
target application's web page.
Before you begin
- You must have administrative permission or be an application owner to complete this task.
- An application instance must exist before you can entitle users and groups to access it. See
Managing your applications.
- Create users and groups in the cloud directory before you assign application entitlements. See
Managing users and Managing groups. Only existing users and groups can be
entitled to the application instance.
To entitle groups from your SAML enterprise identity source, you must
create shadow groups in the cloud directory and use the same names as the groups in
your SAML enterprise identity source.
The shadow groups need not be populated with any members. The shadow group
serves as a placeholder that represents the SAML enterprise group.
About this task
You can assign entitlements to groups, cloud directory users, and federated users.
You can access the Entitlements tab when you edit the application instance.
You can grant or remove access to the application for all users with the All users are entitled to this application option. For access entitlements of individual or multiple users or groups, see the following:
Procedure
- Select .
- Select the application and select the Edit icon.
  Hover over the application that you want to manage and select the icon when it appears.
- Select the Entitlements tab.
- Assign application entitlements.
  - If Provision accounts is enabled in account lifecycle, then when you assign an entitlement to any users directly or as part of a group, provisioning is initiated to create the account on the target.
  - Select Automatic access for all users and groups to entitle all users and groups to access the application.
    Note: This option grants access to the application to all users that are available in IBM® Security Verify. If provisioning is enabled in the account lifecycle, this option initiates provisioning of accounts for all the users.
  - Select Approval required for all users and groups to require approval before the entitlement to access the application is granted to any user or group. Select one or more approvers. If this option is selected, any user can request access to the application from My requests in the launchpad.
    Note: If User's manager and Application owner are both selected, the approval workflow is done in sequence. The manager must first approve, then any of the application owners can approve the access.
    If Use advanced flow is selected, the approval process is managed by using an approval-based published flow that is created by using Flow designer. To create a new flow, see Managing flow designer.
    - The advanced flow is selected from a list of flows under Select flow. Only flows that are published and that include the Initiate access request approval and Complete approval nodes appear in the list.
      Note: Use advanced flow is a requestable feature, CI-49772 (Request access with advance workflow). To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. You can also create a support ticket with the feature number if you have the permission.
  - Select Select users, groups, dynamic roles, and assign individual accesses to entitle only selected users, groups, and dynamic roles to access the application. Select one or more approvers.
    Note: If User's manager and Application owner are both selected, the approval workflow is done in sequence. The manager must first approve, then any of the application owners can approve the access.
    - Select Add. The Select User/Group dialog box is displayed.
    - Use the Search field for a filtered list of data.
    - Select the users or groups from the Matching Items list and select Add.
    - If you added users or groups in the Selected Items list by mistake, select the entry from the Selected Items list and select Remove.
    - Optional: If the target user is not in the returned search results, select Add new user. Use this option to create a cloud directory user or a federated user who has not yet authenticated to Verify. See Creating a user.
      Note: When you select Save in the Add User dialog box, the user is created and can be viewed or updated from .
    - If you are assigning an entitlement to a group, you can enable or disable automatic access.
      - Automatic access is enabled: All the users in this group are automatically entitled to the application and do not require any approval. This setting is the default option.
      - Automatic access is disabled: The users in this group are not automatically entitled to the application. The user access must be approved by the selected approvers.
    - Select OK.
      Note: If you added a user but then select Cancel, the user is not entitled to the application.
  - Select Save.
- Search and view the application entitlements.
  - Use the Search field for a filtered list of data.
  - Select the name of the entitled user or group to display information in the Details area.
    Note: The information that is displayed varies depending on whether a user or group is selected. Group information only includes the group name, and the name and email of the user who assigned the entitlement.
Table 1. Displayed information
| Information | Descriptions |
| --- | --- |
| Name | Given name and surname of the user. Note: For federated users, this information is optional. |
| Email | Email address of the user where notifications are sent such as the user's new password after a reset request, or the one-time password. Note: For federated users, this information is optional. |
| Username | Unique identifier for logging in to Verify. It can be the same as the email address of the user. Note: For federated users, the username is concatenated with an @ followed by the realm that is associated with the identity provider from which the user information is retrieved. For example, johnsmith@example.com@ADFS where johnsmith@example.com is the user's registered user name and ADFS is the user's realm. |
| Assigner | Given name and surname of the user who entitled the user or group to access the application. |
| Email | Email address of the Assigner. |
- Remove application entitlements.
  If deprovision accounts is enabled in the account lifecycle, when you remove an entitlement from any user directly or as part of the group, deprovisioning is initiated to deprovision the account from the target application.
  - Select the user or group that you want to remove.
    Tip: You can select multiple entries.
  - Select Remove.
  - Confirm that you want to permanently delete the selected entitlement.
  - Select Save.
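
The federated username format described in Table 1 (johnsmith@example.com@ADFS), worked through as an added example that is not IBM code: when you review an entitlement list, split on the last @ only, and only when the suffix is a realm you have configured, so that a cloud directory user whose username is an email address is not mistaken for a federated user. KNOWN_REALMS, the sample usernames, and the function names are assumptions constructed for illustration.

```python
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Assumption: realm names of the identity sources configured in your tenant.
# "ADFS" is the realm used in the page's own example.
KNOWN_REALMS: Set[str] = {"ADFS"}

# Constructed sample usernames, as they might appear in an entitlement list.
SAMPLE_ENTITLED = [
    "johnsmith@example.com@ADFS",  # federated user, realm ADFS
    "johnsmith@example.com",       # cloud directory user, username is the email
    "alice@example.com",
]


class ParsedUsername(NamedTuple):
    user: str
    realm: Optional[str]  # None: no configured realm suffix was found


def parse_username(username: str,
                   known_realms: Set[str] = KNOWN_REALMS) -> ParsedUsername:
    """Split on the last '@' only when the suffix is a configured realm."""
    user, sep, suffix = username.rpartition("@")
    if sep and user and suffix in known_realms:
        return ParsedUsername(user, suffix)
    # An email-style username such as johnsmith@example.com stays whole.
    return ParsedUsername(username, None)


def same_user_across_realms(usernames: Iterable[str],
                            known_realms: Set[str] = KNOWN_REALMS
                            ) -> Dict[str, List[str]]:
    """Map each base username entitled under more than one realm to its full
    usernames, so a reviewer can confirm that both entitlements are intended."""
    seen: Dict[str, Dict[Optional[str], str]] = {}
    for name in usernames:
        parsed = parse_username(name, known_realms)
        # Case-insensitive grouping is a conservative assumption for review.
        seen.setdefault(parsed.user.lower(), {})[parsed.realm] = name
    return {user: sorted(full.values())
            for user, full in seen.items() if len(full) > 1}


if __name__ == "__main__":
    for user, names in same_user_across_realms(SAMPLE_ENTITLED).items():
        print(user, "->", names)
```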