Managing application entitlements (by administrator or application owner)

Set or modify who is entitled to access the application. Users must be entitled to the application to view and access the application from the Verify homepage or to sign on to the target application's web page.

Before you begin

  • You must have administrative permission or be an application owner to complete this task.
  • An application instance must exist before you can entitle users and groups to access it. See Managing your applications.
  • Create users and groups in the cloud directory before you assign application entitlements. See Managing users and Managing groups. Only existing users and groups can be entitled to the application instance.

    To entitle groups from your SAML enterprise identity source, you must create shadow groups in the cloud directory and use the same names as the groups in your SAML enterprise identity source. The shadow groups need not be populated with any members. The shadow group serves as a placeholder that represents the SAML enterprise group.

About this task

You can assign entitlements to groups, cloud directory users, and federated users.

You can access the Entitlements tab when you edit the application instance.

You can grant or remove all users access to the application with the All users are entitled to this application option. For individual or multiple users' or groups' access entitlements, see the following:

Procedure

  1. Select Applications > Applications.
  2. Select the application and select the Edit icon.
    Hover over the application that you want to manage and select the Edit icon when it appears.
  3. Select the Entitlements tab.
  4. Assign application entitlements.
    • If Provision accounts is enabled in account lifecycle, then when you assign an entitlement to any users directly or as part of a group, provisioning is initiated to create the account on the target.
    • Select Automatic access for all users and groups to entitle all users and groups to access the application.
      Note: This option grants access to all users that are available in IBM® Security Verify to the application. If provisioning is enabled in the account lifecycle, this option initiates provisioning of accounts for all the users.
    • Select Approval required for all users and groups to require approval before granting the entitlement all users and groups to access the application. Select one or more approvers. If this option is selected, any user can request access to this application from My requests in the launchpad.
      Note: If User's manager and Application owner are both selected, the approval workflow is done in sequence. The manager must first approve, then any of the application owners can approve the access.
    • Select Select users and groups, and assign individual accesses to entitle only selected users and groups to access the application. Select one or more approvers. See Note.
      1. Select Add. The Select User/Group dialog box is displayed.
      2. Use the Search field for a filtered list of data.
      3. Select the users or groups from the Matching Items list and select Add.
      4. If you added users or groups in the Selected Items list by mistake, select the entry from the Selected Items list and select Remove.
      5. Optional: If the target user is not in the returned search results, select Add new user. Use this option to create a cloud directory user or a federated user who has not yet authenticated to Verify. See Creating a user.
        Note: When you select Save in the Add User dialog box, the user is created and can be viewed or updated from Directory > Users & groups.
      6. If you are assigning an entitlement to a group, you can enable or disable automatic access.
        Automatic access is enabled
        All the users in this group are automatically entitled to the application and do not require any approval. This setting is the default option.
        Automatic access is disabled
        The users in this group are not automatically entitled to the application . The user access must be approved by the selected approvers.
      7. Select OK.
        Note: If you added a user but choose to Cancel, the user is not entitled to the application.
      8. Select Save.
  5. Search and view the application entitlements.
    1. Use the Search field for a filtered list of data.
    2. Select the name of the entitled user or group to display information in the Details area.
      Note: The information that is displayed varies depending on whether a user or group is selected. Group information only includes the group name, and the name and email of the user who assigned the entitlement.
      Table 1. Displayed information
      Information Descriptions
      Name
      Given name and surname of the user.
      Note: For federated users, this information is optional.
      Email
      Email address of the user where notifications are sent such as the user's new password after a reset request, or the one-time password.
      Note: For federated users, this information is optional.
      User Name
      Unique identifier for logging in to Verify. It can be the same as the email address of the user.
      Note: For federated users, the user name is concatenated with an @ followed by the realm that is associated with the identity provider from which the user information is retrieved. For example, johnsmith@example.com@ADFS where johnsmith@example.com is the user's registered user name and ADFS is the user's realm.
      Assigner Given name and surname of the user who entitled the user or group to access the application.
      Email Email address of the Assigner.
  6. Remove application entitlements.
    If deprovision accounts is enabled in the account lifecycle, when you remove an entitlement from any user directly or as part of the group, deprovisioning is initiated to deprovision the account from the target application.
    1. Select the user or group that you want to remove.
      Tip: You can select multiple entries.
    2. Select Remove.
    3. Confirm that you want to permanently delete the selected entitlement.
    4. Select Save.