--- title: Configure entitlement lifecycle management description: Enable and configure delegated entitlement lifecycle management with scopes and approval workflows component: pingoneaic page_id: pingoneaic:identity-governance:administration/entitlement-lifecycle-mgmt canonical_url: https://docs.pingidentity.com/pingoneaic/identity-governance/administration/entitlement-lifecycle-mgmt.html llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md keywords: ["entitlement lifecycle management", "entitlement LCM", "delegated administration", "create entitlement", "modify entitlement", "scopes", "workflows"] section_ids: governance_personas: Governance personas enable_entitlement_lcm: Enable Entitlement LCM configure_authorization: Configure authorization tips_on_scopes: Tips on scopes add_scopes_and_assign_to_users: Add scopes and assign to users configure_entitlement_lifecycle_workflows: Configure entitlement lifecycle workflows troubleshooting_entitlements: Troubleshooting entitlements --- # Configure entitlement lifecycle management Entitlement lifecycle management (LCM) provides a type of delegated administration, allowing application owners, entitlement owners, and end users authorized with the proper scope permissions to manage entitlements within the applications available to them. By using Entitlement LCM, companies can keep entitlement attributes up-to-date, reducing the risk of outdated or inaccurate entitlements impacting decision making. Entitlement LCM also enforces policies by requiring approval workflows before any entitlement changes are applied. This prevents users from granting excessive permissions without oversight and ensures access remains aligned with organizational policies. ## Governance personas By default, governance administrators, application owners, entitlement owners, and end users with scoped permissions can manage entitlements in the system. These users have the following permissions: | Action | Admin | Application Owner | Entitlement Owner | End user | | ------------------------------- | ------------------------ | ------------------------ | ------------------------ | --------- | | View entitlement | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | If scoped | | View users who have entitlement | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | If scoped | | Create entitlement | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | [icon: times, set=fa]No | If scoped | | Modify entitlement | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | If scoped | ## Enable Entitlement LCM Governance administrators must enable Entitlement LCM to activate the feature for their users. 1. In the Advanced Identity Cloud admin console, go to Governance > Requests. 2. On the Requests page, click the Settings tab. 3. In the Governance LCM section, click Activate. 4. In the Governance LCM modal, read what activating this feature entails, and click Next. 5. In the Governance LCM modal, click Entitlement LCM, and then click Activate. The governance LCM is now active on your tenant. ![Enable governance LCM on the Requests page.](../_images/governance-lcm-enable.png) ## Configure authorization Entitlement LCM enables administrators to delegate entitlement management to authorized users. Scope permissions have been enhanced to grant a specific subset of permissions for managing entitlements. The scope permissions are summarized as follows: | Permission | Applies to | Description | | ------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | View Applications | Applications | Allows the user to view matching applications. This scope is implicit when Create Entitlements is selected. | | Create Entitlements | Applications | Allows the user to create entitlements for the matching applications. | | View Entitlements | Entitlements | Allows the user to view matching entitlements. This scope is implicit when Modify Entitlements or View Grants is selected. | | Modify Entitlements | Entitlements | Allows the user to modify the matching entitlements. | | View Grants | Entitlements | Allows the user to view the other users who are assigned the entitlement. Ping Identity recommends that you always grant View Grants privileges so that users carrying out entitlement lifecycle management can see who has been assigned the entitlement. | ### Tips on scopes | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Scopes provide the permissions to let end users to act only on applications and entitlements to which they're permitted.For example, when you assign a scope for an application with the `Create Entitlements` permission, the end user can create entitlements for the application in that scope. However, this doesn't mean they can view entitlements. For that, they must have the `View Entitlements` permission. | The following rules apply to scope permission: * By default, scopes are disabled in Identity Governance. You can enable scopes using the API. Learn more in [Enable scopes](access-request-configure.html#enable-scopes). * If end users have scope permissions for view entitlements, they can view those entitlements regardless of the application permissions. * If end users have modify permissions, they can modify the entitlements you can see. * If end users have view grant permissions, they can view the users of the entitlements you can see. ### Add scopes and assign to users 1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator. 2. In the Advanced Identity Cloud admin console, go to Governance > Scopes. 3. Click [icon: add, set=material, size=inline] New Scopes. 4. On the New Scope page, enter the following in the Details section: 1. Name: Enter the name for the scope. 2. Description: Enter a description for the scope. 3. Click Next. ![Scope details page displaying name and description](../_images/governance-lcm-scope-details.png) 5. On the Applies to page, define which users should be subject to this scope. Decide if you want to grant application or entitlement permissions to the end user. 1. Select if the All or Any condition must be met. 2. Select a property for this scoping rule. For example, select userName. 3. Select an operator for the scoping rule. For example, select contains. 4. Enter an entitlement. 5. If you want to add another rule, click [icon: add, set=material, size=inline] and repeat the steps. 6. Click Next. ![Scope applies to page defines the user to which the scope applies.](../_images/governance-lcm-scope-applies-to.png) 6. On the Access page, enter the following depending if you are granting applications or entitlement permissions: * For application permissions: 1. Select the Applications checkbox. 2. Click All Applications or Applications matching a filter. Click Applications matching a filter. 3. Select if All or Any condition must be met. 4. Select a property for this scoping rule. For example, select name. 5. Select an operator for the scoping rule. For example, select is. 6. Enter an application. 7. If you want to add another rule, click [icon: add, set=material, size=inline] and repeat the steps. 8. Click Create Entitlements. | | | | - | -------------------------------------------------------- | | | The View Applications scope permission is also included. | 9. Click Save. The end user now has the permission to create new entitlements for the matching application. ![Scope access displaying the filters for the application.](../_images/governance-lcm-scope-access-apps.png) * For entitlement permissions: 1. Select the Entitlements checkbox. 2. If you click Applications matching a filter, click All Entitlements or Entitlements matching a filter. 3. Select if the All or Any condition must be met. 4. Select a property for this scoping rule. For example, select userName. 5. Select an operator for the scoping rule. For example, select is. 6. Enter a user. 7. If you want to add another rule, click [icon: add, set=material, size=inline] and repeat the steps. 8. Click Modify Entitlements. | | | | - | -------------------------------------------------------- | | | The View Entitlements scope permission is also included. | 9. Click View Grants to allow the end user to view who has the entitlement. 10. Click Save. ![Scope access displaying the filters for the entitlement.](../_images/governance-lcm-scope-access-entitlements.png) ## Configure entitlement lifecycle workflows Identity Governance provides the out-of-the-box request types and workflows to enable authorized users to carry out Entitlement LCM tasks: | Request Type | Workflow | | ----------------- | ------------------ | | createEntitlement | Create Entitlement | | modifyEntitlement | Modify Entitlement | As with all other Identity Governance requests, the Entitlement LCM actions are defined and processed in request workflows that allow users to: * Create new entitlements * Provide source entitlement attribute values * Enrich the entitlement glossary * Modify existing entitlements. ## Troubleshooting entitlements Typical troubleshooting cases that can occur with entitlements are: * Entitlements aren't being onboarded from the application. * Onboarded entitlements aren't visible in the catalog. * Onboarded entitlements don't have a display name. * Entitlements have been assigned to users but aren't visible in the user's access. * Duplicate entitlement assignments assigned to the user.