Definition: what is an entitlement?

Gartner defines an entitlement as:

An entitlement is the object in a system's security model that can be granted or associated to a user account to enable that account to perform (or in some cases prevent the performance of) some set of actions in that system. It was commonly accepted that this definition of entitlement referred to the highest-order grantable object in a system's security model, such as an Active Directory group membership or SAP role and not lower-order objects such as single-file permission setting.

Definition by Ian Glazer, in Access Certification and Entitlement Management v1, September 9, 2009 (login required).

Entitlement management refers to a set of technologies and processes used to coherently manage security rights across an organization. The objectives are to reduce the cost of administration, to improve service and to ensure that users get exactly the security rights they need.

These objectives are attained by creating a set of robust, consistent processes to grant and revoke entitlements across multiple systems and applications:

  1. Create and regularly update a consolidated catalog of entitlements.
  2. Define roles, so that entitlements can be assigned to users in sets that are easier for business users to understand.
  3. Enable self-service requests and approvals, so that decisions about entitlements can be made by business users with contextual knowledge, rather than by IT staff.
  4. Ensure that all access requests are approved by suitable stake-holders before entitlements are granted to users.
  5. Apply policy, such as risk scores and segregation of duties rules, to detect existing access, and to block requests for new access, that would create unacceptably high business risk.
  6. Periodically invite business stake-holders to review the entitlements and roles assigned to users and flag those that are no longer appropriate for further examination and removal.

It is important to differentiate between two concepts: roles and groups. Hitachi ID Systems uses these terms as follows:

  1. Groups are objects on target systems to which users are attached and which are assigned application-specific access rights.
  2. Roles are objects that exist strictly within an IAM system. They are named collections of accounts, groups and other roles (i.e., they can be nested).
  3. Users are representations of people or personas on the IAM system and may be linked to multiple accounts on multiple target systems.

Groups are assigned to accounts while roles are assigned to users. Groups can be assigned directly to accounts or indirectly, when a user is assigned a role that includes a group or an account is assigned to a group which is a child of another group. Roles can be assigned directly to users or indirectly, when a parent role is assigned to a user.
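The assignment model above (roles nest in the IAM system, groups nest on target systems, and a user's effective access is the union of direct and indirect grants) can be made concrete in code. The following is an added example, not Hitachi ID code; the roles, groups, system names and segregation-of-duties rule are constructed sample data, and it assumes a user is linked to one account per target system so that a group can be identified by (system, group name).

```python
# Constructed sample data (assumption: one account per target system per user).
# Roles exist only in the IAM system; each role grants groups on target systems
# and may contain child roles, which the parent role implies.
ROLES = {
    "employee":         {"groups": {("ad", "Domain Users"), ("ad", "VPN")}, "roles": set()},
    "finance-clerk":    {"groups": {("sap", "AP_ENTRY")},   "roles": {"employee"}},
    "finance-approver": {"groups": {("sap", "AP_APPROVE")}, "roles": {"employee"}},
}
# Nested groups on a target system: an account placed in the child group
# effectively holds every parent group as well (child -> parents).
GROUP_PARENTS = {
    ("ad", "Finance Staff"): {("ad", "VPN")},
}
# Segregation-of-duties rule: no single user may end up holding both groups.
SOD_RULES = [frozenset({("sap", "AP_ENTRY"), ("sap", "AP_APPROVE")})]


def effective_roles(user_roles):
    """Roles assigned directly plus every child role reachable through nesting."""
    seen, stack = set(), list(user_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLES[role]["roles"])
    return seen


def effective_groups(direct_groups, user_roles):
    """All (system, group) pairs the user's accounts hold: granted directly to an
    account, granted through a (possibly nested) role, or inherited from a parent group."""
    granted = set(direct_groups)
    for role in effective_roles(user_roles):
        granted |= ROLES[role]["groups"]
    seen, stack = set(), list(granted)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(GROUP_PARENTS.get(group, ()))
    return seen


def sod_violations(groups):
    """Return every SoD rule whose whole conflicting set is present in `groups`;
    run this on the effective set, not just on the access being requested."""
    return [rule for rule in SOD_RULES if rule <= groups]
```

Evaluating the rule against effective rather than direct access is what catches a conflict introduced indirectly, for example by granting a second role whose child roles overlap with groups the user already holds.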

Confusingly, within some systems and applications, groups are referred to as roles or by other names, such as privileges or profiles. For consistency, all such constructs, which exist on target systems and are assigned to accounts on those systems, are referred to as groups by Hitachi ID and within Hitachi ID Password Manager.
