Prepare applications for entitlements

When you onboard a target application into Advanced Identity Cloud, it also pulls in the application’s entitlements. Each application’s account schema includes one or more attributes that define the account’s privileges, which the target system assigns to accounts. These attributes depend on other objects in the application, known as non-account objects. Non-account objects represent entities linked to the user entity in the target system. Examples of non-account objects are roles, groups, departments, permissions, and licenses. For example, in a Salesforce application, the group object property is mapped to the GroupIds field in the Advanced Identity Cloud user identity, which serve as the source for the account’s allowed entitlements.

The system later brings in any entitlement changes through reconciliation, the process of comparing and synchronizing identity data between the Identity Governance system and external target systems.

After you have pulled in the entitlements into Advanced Identity Cloud, you see that most applications in the application catalog have predefined entitlement configurations. You must first validate the application configuration by:

To validate the entitlement configuration and verify the account attribute:

When you onboard entitlements into Advanced Identity Cloud, they can have highly cryptic or technical names that make its purpose difficult to ascertain. To ensure user-friendly names appear when displaying accounts or entitlements, configure the application object types accordingly.

Administrators can enhance entitlements by adding meaningful business context, helping users understand their purpose and supporting Identity Governance in decision-making. This context is managed through the entitlement glossary, where administrators can add custom attributes in addition to the default ones.

Learn more in Managing the governance glossary.

Before running a reconciliation, make sure you have configured it to your requirements.