Managing application entitlements (by Application Owner)

As an application owner, set or modify who is entitled to access the application based on the necessity and relevance of the application to the user or group. Users must be entitled to the application to view and access the application from the Verify home page or to sign on to the target application's web page.

Before you begin

Log in to IBM® Security Verify.

About this task

This feature is available in a Verify subscription and in a combination of Verify and Verify subscription.
Subscription Plans
Subscribed Verify Not subscribed Verify
On Entitlements, you can view the list of applications that you own. You can grant or remove access to the application for all users with the All users are entitled to this application option. For access entitlements for individual or multiple users or groups, see the following:

Entitlements is only visible to users who are members of the application owners group. If you are added to the application owners group but not assigned as an owner of any application, no application is displayed in your Entitlements. As such, you cannot grant application access to any users or groups.

Note: To entitle groups from a SAML enterprise identity source, your Verify administrator must create shadow groups in the cloud directory and use the same names as the groups in your SAML enterprise identity source. The shadow groups need not be populated with any members. The shadow group serves as a placeholder that represents the SAML enterprise group.
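The shadow-group requirement in the note above can be checked against a captured assertion. The following is an added example, not IBM code: it compares the group values in a SAML attribute with the shadow group names and flags names that differ only by case or whitespace. The attribute name "groups", the sample assertion, and the shadow group list are constructed assumptions, and exact string equality is assumed to be what "the same names" requires.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute statement from an enterprise IdP assertion.
# The attribute name "groups" is an assumption; use the one your IdP sends.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Finance-Approvers</saml:AttributeValue>
      <saml:AttributeValue>hr-readers</saml:AttributeValue>
      <saml:AttributeValue>Payroll Admins </saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: shadow group names as created in the cloud directory.
SHADOW_GROUPS = ["Finance-Approvers", "HR-Readers", "Payroll Admins"]


def asserted_groups(assertion_xml, attribute_name="groups"):
    """Return the raw group values carried in the named SAML attribute."""
    # Diagnostic use on a captured assertion only: no signature validation
    # here, and untrusted XML should go through a hardened parser instead.
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    return [v.text or "" for v in root.iterfind(path, SAML_NS)]


def check_shadow_groups(asserted, shadow):
    """Classify each asserted group as exact, near-miss, or missing."""
    exact = set(shadow)
    folded = {" ".join(s.split()).casefold(): s for s in shadow}
    report = {"exact": [], "near_miss": [], "missing": []}
    for name in asserted:
        key = " ".join(name.split()).casefold()
        if name in exact:
            report["exact"].append(name)
        elif key in folded:
            # Same name apart from case or whitespace: likely a naming slip.
            report["near_miss"].append((name, folded[key]))
        else:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    print(check_shadow_groups(asserted_groups(SAMPLE_ASSERTION), SHADOW_GROUPS))
```

Groups reported as near_miss or missing have no placeholder to attach an entitlement to, so members of those enterprise groups would not receive access through a group entitlement.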

Procedure

  1. Click the user icon beside your account name and select Switch to admin.
    Note: Entitlements are no longer managed from the user launchpad.
  2. Navigate to Applications.
  3. Search and view the application.
    1. Use the Search field for a filtered list of data.
      You can sort the list by application name.
    2. Select the application to view its Entitlements Summary.
  4. Select the application and click the Edit icon.
  5. Select the Entitlements tab.
  6. Assign application entitlements.
    Hover over the application that you want to manage and click the Edit icon when it appears.
    • Select Automatic access for all users and groups to entitle all users and groups to access the application.
    • Select Approval required for all users and groups to require approval before granting all users and groups the entitlement to access the application. Select one or more approvers.
      Note: If User's manager and Application owner are both selected, the approval workflow is done in sequence. The manager must first approve, then any of the application owners can approve the access.
    • Select Select users, groups, dynamic roles, and assign individual accesses to entitle only selected users, groups, and dynamic roles to access the application. Select one or more approvers.
      Note: If User's manager and Application owner are both selected, the approval workflow is done in sequence. The manager must first approve, then any of the application owners can approve the access.
      1. Click Add. The Select User/Group dialog box is displayed.
      2. Use the Search field for a filtered list of data.
      3. Select the users or groups from the Matching Items list and click Add.
      4. If you added users or groups in the Selected Items list by mistake, select the entry from the Selected Items list and click Remove.
      5. Optional: If the target user is not in the returned search results, click Add new user. Use this option to create a cloud directory user or a federated user who has not yet authenticated to Verify. See Creating a user.
        Note: When you click Save in the Add User dialog box, the user is created and can be viewed or updated from Users & Groups.
      6. Click OK.
        Note: If you added a user but choose to Cancel, the user is not entitled to the application.
      7. Click Save.
  7. Search and view the application entitlements.
    1. Hover over the application and click the Edit icon when it appears.
    2. Use the Search field for a filtered list of data.
    3. Select the name of the entitled user or group to display information in the Details area.
      Note: The information that is displayed varies depending on whether a user or group is selected. Group information only includes the group name, and the name and email of the user who assigned the entitlement.
      Table 1. Displayed information
      Information: Descriptions
      Name
        Given name and surname of the user.
        Note: For federated users, this information is optional.
      Email
        Email address of the user where notifications are sent such as the user's new password after a reset request, or the one-time password.
        Note: For federated users, this information is optional.
      Username
        Unique identifier for logging in to Verify. It can be the same as the email address of the user.
        Note: For federated users, the username is concatenated with an @ followed by the realm that is associated with the identity provider from which the user information is retrieved. For example, johnsmith@example.com@ADFS where johnsmith@example.com is the user's registered user name and ADFS is the user's realm.
      Assigner
        Given name and surname of the user who entitled the user or group to access the application.
      Email
        Email address of the Assigner.
  8. Remove application entitlements.
    1. Hover over the application and click the Edit icon when it appears.
    2. Select the user or group that you want to remove.
      Tip: You can select multiple entries.
    3. Click Remove.
    4. Confirm that you want to permanently delete the selected entitlement.
    5. Click Save.