Gartner defines an entitlement as:
|An entitlement is the object in a system's security model that can be granted or associated to a user account to enable that account to perform (or in some cases prevent the performance of) some set of actions in that system. It was commonly accepted that this definition of entitlement referred to the highest-order grantable object in a system's security model, such as an Active Directory group membership or SAP role and not lower-order objects such as single-file permission setting.|
Definition by Ian Glazer, in Access Certification and Entitlement Management v1, September 9, 2009.
Entitlement management refers to a set of technologies and processes used to coherently manage security rights across an organization. The objectives are to reduce the cost of administration, to improve service and to ensure that users get exactly the security rights they need.
These objectives are attained by creating a set of robust, consistent processes to grant and revoke entitlements across multiple systems and applications:
It is important to differentiate between two concepts: roles and groups. Hitachi ID Systems uses these terms as follows:
Groups are assigned to accounts while roles are assigned to users. Groups can be assigned directly to accounts or indirectly, when a user is assigned a role that includes a group. Roles can be assigned directly to users or indirectly, when a parent role is assigned to a user.
Confusingly, within some systems and applications, groups are referred to as roles or by other names, such as privileges. For consistency, all such constructs, which exist on target systems and are assigned to accounts on those systems will be referred to as groups here.