Without entitlements, business rules won't do anything. During the enforcement process, entitlements are what business rules give or take away from an end user, based on the specified rule conditions. These can be target system accounts, target system account access, target system group memberships, and so on.
The available entitlements depend on the selected target system, and can vary from one to another. In general, however, there are four basic entitlements:
A user account in the target system. When granted by HelloID Provisioning, a new account is created for qualifying Persons. Accounts are created in a disabled state, until access is granted by the Account Access entitlement.
- Account Access
Grants access to user accounts after they have been created by the Account entitlement. This is a separate entitlement because organizations frequently want to issue disabled accounts prior to a user's start date, and then only activate the account when the user is onboarded. Read more about the user account lifecycle.
- Group Membership
Adds the user account to a selected group in the target system. Most target systems have a separate entitlement per available group. Note that a group is not necessarily a HelloID group—unless HelloID is being used as the target system.
Permissions are essentially custom entitlements, or in other words, a "catch-all" for any entitlement outside of the default Account, Account Access, and Group Membership options. You can write a PowerShell script to perform any action supported by the target system's API, and then assign it like you would the above entitlements. Permissions are defined on the target system's Permissions tab.
Add or modify an entitlement
You can add or modify entitlements while adding a new business rule or editing an existing one. You can only do so after you've added a target system.
Select the plus (+) button in the Entitlements section. This will bring up a list of your configured target systems.
Select the target system for which you want to add the entitlement. This will expand the view downwards and display a list of entitlements available for the selected system.
Select the plus (+) button next to the entitlements that you wish to apply as part of this business rule. Then select the Close button to confirm. The selected entitlements appear on the business rule page:
Select the Save button to save the rule to draft, or the Save & Publish button. Only published rules will be run during an enforcement.
Delete an entitlement
To delete an entitlement from a business rule, select its trashcan icon, and then the Save or Save & Publish button (see above for more info). The next time the rule is enforced, the deleted entitlement will be removed from the end users (group membership removed, account disabled or deleted, etc).