PingOne Advanced Identity Cloud

Configure entitlement lifecycle management

Entitlement lifecycle management (LCM) provides a type of delegated administration, allowing application owners, entitlement owners, and end users authorized with the proper scope permissions to manage entitlements within the applications available to them. By using Entitlement LCM, companies can keep entitlement attributes up-to-date, reducing the risk of outdated or inaccurate entitlements impacting decision making.

Entitlement LCM also enforces policies by requiring approval workflows before any entitlement changes are applied. This prevents users from granting excessive permissions without oversight and ensures access remains aligned with organizational policies.

Governance personas

By default, governance administrators, application owners, entitlement owners, and end users with scoped permissions can manage entitlements in the system. These users have the following permissions:

Action                           Admin   Application owner   Entitlement owner   End user
View entitlement                 Yes     Yes                 Yes                 If scoped
View users who have entitlement  Yes     Yes                 Yes                 If scoped
Create entitlement               Yes     Yes                 No                  If scoped
Modify entitlement               Yes     Yes                 Yes                 If scoped

Enable Entitlement LCM

Governance administrators must enable Entitlement LCM to activate the feature for their users.

  1. In the Advanced Identity Cloud admin console, go to Governance > Requests.

  2. On the Requests page, click the Settings tab.

  3. In the Governance LCM section, click Activate.

  4. In the Governance LCM modal, read what activating this feature entails, and click Next.

  5. In the Governance LCM modal, click Entitlement LCM, and then click Activate. The governance LCM is now active on your tenant.

    Enable governance LCM on the Requests page.

Configure authorization

Entitlement LCM enables administrators to delegate entitlement management to authorized users. Scope permissions have been enhanced to grant a specific subset of permissions for managing entitlements. The scope permissions are summarized as follows:

Permission           Applies to     Description
View Applications    Applications   Allows the user to view matching applications. This scope is implicit when Create Entitlements is selected.
Create Entitlements  Applications   Allows the user to create entitlements for the matching applications.
View Entitlements    Entitlements   Allows the user to view matching entitlements. This scope is implicit when Modify Entitlements or View Grants is selected.
Modify Entitlements  Entitlements   Allows the user to modify the matching entitlements.
View Grants          Entitlements   Allows the user to view the other users who are assigned the entitlement.

Ping Identity recommends that you always grant View Grants privileges so that users carrying out entitlement lifecycle management can see who has been assigned the entitlement.

Tips on scopes

Scopes let end users act only on the applications and entitlements they are permitted to manage.

For example, when you assign a scope for an application with the Create Entitlements permission, the end user can create entitlements for the application in that scope. However, this doesn’t mean they can view entitlements. For that, they must have the View Entitlements permission.

The following rules apply to scope permissions:

  • By default, scopes are disabled in Identity Governance. You can enable scopes using the API. Learn more in Enable scopes.

  • If end users have the View Entitlements permission for an entitlement, they can view that entitlement regardless of their application permissions.

  • If end users have the Modify Entitlements permission, they can modify the entitlements they can see (Modify Entitlements implies View Entitlements).

  • If end users have the View Grants permission, they can view the users assigned to the entitlements they can see (View Grants implies View Entitlements).
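The scope rules above and the permission table in Configure authorization describe an authorization decision: a scope applies to a set of users (Applies to), targets either applications or entitlements through an All/Any filter, and grants a set of permissions of which some are implied by others. The following Python model is an added example, not PingOne Advanced Identity Cloud's implementation or API. The permission names, the implicit grants, the All/Any condition and the "is"/"contains" operators are taken from this page; the data shapes, function names, and the sample users, applications and entitlements are constructed assumptions for the example.

```python
"""Illustrative model of Entitlement LCM scope evaluation (added example).

Not the product's code: permission names, implicit grants, All/Any and the
"is"/"contains" operators follow the documentation; data shapes, function
names and sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

# Scope permission names as the documentation lists them.
VIEW_APPLICATIONS = "View Applications"
CREATE_ENTITLEMENTS = "Create Entitlements"
VIEW_ENTITLEMENTS = "View Entitlements"
MODIFY_ENTITLEMENTS = "Modify Entitlements"
VIEW_GRANTS = "View Grants"

# Selecting the key permission implicitly grants the value permissions.
IMPLIED: Dict[str, FrozenSet[str]] = {
    CREATE_ENTITLEMENTS: frozenset({VIEW_APPLICATIONS}),
    MODIFY_ENTITLEMENTS: frozenset({VIEW_ENTITLEMENTS}),
    VIEW_GRANTS: frozenset({VIEW_ENTITLEMENTS}),
}

# The object type each permission is checked against.
TARGET_OF: Dict[str, str] = {
    VIEW_APPLICATIONS: "applications",
    CREATE_ENTITLEMENTS: "applications",
    VIEW_ENTITLEMENTS: "entitlements",
    MODIFY_ENTITLEMENTS: "entitlements",
    VIEW_GRANTS: "entitlements",
}

# Filter operators named on the page (actual value, expected value).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
}


def effective_permissions(selected) -> FrozenSet[str]:
    """Close the ticked permissions over the implicit grants."""
    perms = set(selected)
    pending = list(perms)
    while pending:
        for implied in IMPLIED.get(pending.pop(), ()):
            if implied not in perms:
                perms.add(implied)
                pending.append(implied)
    return frozenset(perms)


@dataclass(frozen=True)
class Rule:
    prop: str      # property of the user/application/entitlement record
    op: str        # "is" or "contains"
    value: str

    def matches(self, obj: Dict[str, str]) -> bool:
        actual = obj.get(self.prop)
        return actual is not None and OPERATORS[self.op](actual, self.value)


@dataclass(frozen=True)
class Filter:
    rules: Tuple[Rule, ...] = ()   # no rules = "All applications/entitlements"
    condition: str = "all"         # "all" or "any" of the rules must match

    def matches(self, obj: Dict[str, str]) -> bool:
        if not self.rules:
            return True
        hits = [r.matches(obj) for r in self.rules]
        return all(hits) if self.condition == "all" else any(hits)


@dataclass(frozen=True)
class Scope:
    name: str
    applies_to: Filter          # Applies to: which users get this scope
    target: str                 # Access: "applications" or "entitlements"
    target_filter: Filter       # Access: which objects of that type
    selected: FrozenSet[str]    # Access: permissions ticked


def is_permitted(user, permission, obj, scopes) -> bool:
    """True if any scope grants `permission` on `obj` to `user`."""
    target = TARGET_OF[permission]
    return any(
        s.target == target
        and s.applies_to.matches(user)
        and s.target_filter.matches(obj)
        and permission in effective_permissions(s.selected)
        for s in scopes
    )


def permitted_actions(user, obj, target, scopes) -> FrozenSet[str]:
    """Every permission `user` holds on `obj` (an object of type `target`)."""
    return frozenset(p for p, t in TARGET_OF.items()
                     if t == target and is_permitted(user, p, obj, scopes))


# Constructed sample data (assumed for the example, not from the page).
ALICE = {"userName": "alice.finance"}
BOB = {"userName": "bob.sales"}
SAP = {"name": "SAP"}
WORKDAY = {"name": "Workday"}
SAP_APPROVER = {"name": "SAP Finance Approver", "application": "SAP"}
WD_ADMIN = {"name": "Workday Admin", "application": "Workday"}
FINANCE_USERS = Filter((Rule("userName", "contains", "finance"),))

# Application scope: Create Entitlements on SAP (View Applications implied).
CREATE_SAP = Scope("finance-sap-create", FINANCE_USERS, "applications",
                   Filter((Rule("name", "is", "SAP"),)),
                   frozenset({CREATE_ENTITLEMENTS}))
# Entitlement scope: Modify + View Grants on SAP entitlements (View implied).
MANAGE_SAP_ENTS = Scope("finance-sap-manage", FINANCE_USERS, "entitlements",
                        Filter((Rule("name", "contains", "SAP"),)),
                        frozenset({MODIFY_ENTITLEMENTS, VIEW_GRANTS}))

if __name__ == "__main__":
    scopes = [CREATE_SAP, MANAGE_SAP_ENTS]
    for who in (ALICE, BOB):
        print(who["userName"], "on app SAP:",
              sorted(permitted_actions(who, SAP, "applications", scopes)))
        print(who["userName"], "on", SAP_APPROVER["name"] + ":",
              sorted(permitted_actions(who, SAP_APPROVER, "entitlements", scopes)))
```

Running the model with only CREATE_SAP assigned shows the caveat from the tips: alice can create entitlements in SAP and (implicitly) view the application, but holds no View Entitlements permission on any entitlement until an entitlement-targeted scope such as MANAGE_SAP_ENTS is added. Keeping the implicit grants in one table (IMPLIED) and closing over them before the check is what keeps the two "implies" rules consistent wherever they are evaluated.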

Add scopes and assign to users

  1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

  2. In the Advanced Identity Cloud admin console, go to Governance > Scopes.

  3. Click New Scope.

  4. On the New Scope page, enter the following in the Details section:

    1. Name: Enter the name for the scope.

    2. Description: Enter a description for the scope.

    3. Click Next.

      Scope details page displaying name and description
  5. On the Applies to page, define which users are subject to this scope:

    1. Select whether the All or Any condition must be met.

    2. Select a property for this scoping rule. For example, select userName.

    3. Select an operator for the scoping rule. For example, select contains.

    4. Enter the value to match against the selected property.

    5. If you want to add another rule, click add and repeat the steps.

    6. Click Next.

      Scope applies to page defines the users to which the scope applies.
  6. On the Access page, enter the following depending if you are granting applications or entitlement permissions:

    • For application permissions:

      1. Select the Applications checkbox.

      2. Click All Applications or Applications matching a filter. The following steps assume Applications matching a filter.

      3. Select if All or Any condition must be met.

      4. Select a property for this scoping rule. For example, select name.

      5. Select an operator for the scoping rule. For example, select is.

      6. Enter an application.

      7. If you want to add another rule, click add and repeat the steps.

      8. Click Create Entitlements.

        The View Applications scope permission is also included.

      9. Click Save.

        The end user now has the permission to create new entitlements for the matching application.

        Scope access displaying the filters for the application.
    • For entitlement permissions:

      1. Select the Entitlements checkbox.

      2. Click All Entitlements or Entitlements matching a filter. The following steps assume Entitlements matching a filter.

      3. Select whether the All or Any condition must be met.

      4. Select a property for this scoping rule.

      5. Select an operator for the scoping rule. For example, select is.

      6. Enter the value to match against the selected property.

      7. If you want to add another rule, click add and repeat the steps.

      8. Click Modify Entitlements.

        The View Entitlements scope permission is also included.

      9. Click View Grants to allow the end user to view who has the entitlement.

      10. Click Save.

        Scope access displaying the filters for the entitlement.

Configure entitlement lifecycle workflows

Identity Governance provides out-of-the-box request types and workflows that let authorized users carry out Entitlement LCM tasks:

Request type        Workflow
createEntitlement   Create Entitlement
modifyEntitlement   Modify Entitlement

As with all other Identity Governance requests, the Entitlement LCM actions are defined and processed in request workflows that allow users to:

  • Create new entitlements

  • Provide source entitlement attribute values

  • Enrich the entitlement glossary

  • Modify existing entitlements

Troubleshooting entitlements

Typical troubleshooting cases that can occur with entitlements are:

  • Entitlements aren’t being onboarded from the application.

  • Onboarded entitlements aren’t visible in the catalog.

  • Onboarded entitlements don’t have a display name.

  • Entitlements have been assigned to users but aren’t visible in the user’s access.

  • Duplicate entitlement assignments assigned to the user.