Skip to main content


Permission entitlement

Permissions are custom Entitlements for PowerShell target systems and PowerShell v2 target systems. Their most common use case is to add target user accounts to groups, akin to Group Membership entitlements in Active Directory target systems and Azure AD target systems. However, permissions can execute any PowerShell code in the target system. Thus, adding target user accounts to groups is only one possible use case. After you have created a permission, you assign it via Business rules like any other entitlement.

When granted during the Grant step of Enforcement, executes the permission's Grant code.

When updated during the Update step, executes the permission's Update code. This also occurs when you Force update permissions.

When revoked during the Revoke step, executes the permission's Revoke code.

For more information, see Permissions.

Sub-permission entitlement

Each standard permission can optionally contain up to 100 sub-permissions, which are also known as dynamic permissions. They are dynamic because the specific sub-permission can change while the Person remains in scope of the same business rule, granted the same permission entitlement.

For more information, see Sub-permissions.