Introduction
Without entitlements, business rules don't do anything. During the enforcement process, entitlements are what business rules give or take away from an end user, based on the specified rule conditions.
Entitlement types
There are five types of entitlement: Account, Account Access, Group Membership, Permission, and Sub-Permission. Not all target systems support all five types.
Account
A user account in the target system. When granted by HelloID Provisioning, a new account is created for qualifying Persons.
Accounts are created in a disabled state during the Account Create lifecycle stage.
Account Access
Grants access to user accounts after they have been created by the Account entitlement. This is a separate entitlement because organizations frequently want to issue disabled accounts prior to a user's start date, and then only activate the account when the user is onboarded.
Account access is granted during the Account Enable lifecycle stage.
Group Membership
Adds the user account to a selected group in the target system. Most target systems have a separate entitlement per available group. A group is not necessarily a HelloID group—unless HelloID is being used as the target system.
Note that when setting thresholds, Group Membership entitlements are subsumed under Permission threshold settings.
Permission (PowerShell target systems only)
Permissions are custom entitlements for PowerShell target systems. You can include whatever arbitrary PowerShell code you want (e.g., any queries to the target system's API). After you have created a permission, you assign it via a business rule like any other entitlement.
Permissions are created on the target PowerShell system's Permissions tab.
Sub-Permission (PowerShell target systems only)
A single standard permission can contain up to 100 sub-permissions, each of which grants its own specific entitlement. Sub-permissions are entirely optional. The most common use case is to alter target group memberships in response to department changes in Contracts. The main benefit is that sub-permissions can be altered while the Person remains in scope of the same business rule, under the umbrella of the same single standard permission.
For example, suppose you need to assign users to groups in your target PowerShell system, based on the department listed in their primary Contract. Suppose your organization has 20 departments.
- Using standard permissions, you would need to create 20 business rules each with its own standard permission and conditions. Whenever a Person's department changes, they would exit the scope of one business rule and enter another, causing the old entitlement to be revoked and the new one to be granted.
- By contrast, you can accomplish the same thing using a single standard permission with 20 sub-permissions. You would write a PowerShell script which reads the primary Contract's department variable and selects the sub-permission which grants the appropriate target group membership. Then, whenever a Person's department changes, the Update script is triggered. Thus, the sub-permissions are dynamically re-evaluated and target group memberships altered as needed. Throughout this process, the Person remains in scope of a single business rule with one standard permission. No manual intervention is required. The only change is the specific sub-permission(s) granted.
In this way, a single business rule containing a single standard permission with multiple sub-permissions can potentially replace dozens of separate business rules each containing a standard permission.
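The department-driven selection described above comes down to comparing the sub-permission a Person should hold with the ones they currently hold, and revoking the difference as well as granting it. The following is an added example, not HelloID's own code: the function name, the department-to-group map and the sample data are assumptions, and it deliberately uses none of HelloID's script variables. An unmapped department grants nothing and revokes whatever is held, so a data error in a Contract cannot leave stale group access behind.

```powershell
# Added example: all names and data below are constructed, not HelloID's own.
# One sub-permission (target group) per department from the primary Contract.
$DepartmentGroupMap = @{
    'Finance' = 'grp-finance'
    'HR'      = 'grp-hr'
    'IT'      = 'grp-it'
}

function Resolve-SubPermissionChange {
    param(
        [string]   $Department,
        [string[]] $CurrentSubPermissions = @(),
        [Parameter(Mandatory)][hashtable] $Map
    )

    # Fail closed: an empty or unmapped department yields no desired group,
    # so every currently held sub-permission ends up in the Revoke list.
    $desired = @()
    $known = -not [string]::IsNullOrWhiteSpace($Department) -and $Map.ContainsKey($Department)
    if ($known) { $desired = @($Map[$Department]) }

    [PSCustomObject]@{
        Department = $Department
        Known      = $known
        Grant      = @($desired | Where-Object { $_ -notin $CurrentSubPermissions })
        Revoke     = @($CurrentSubPermissions | Where-Object { $_ -notin $desired })
        Keep       = @($desired | Where-Object { $_ -in $CurrentSubPermissions })
    }
}

# Constructed cases: a department change, no change, and an unmapped department.
$cases = @(
    @{ Department = 'HR';      Current = @('grp-finance') }  # moved from Finance to HR
    @{ Department = 'IT';      Current = @('grp-it') }       # department unchanged
    @{ Department = 'Unknown'; Current = @('grp-hr') }       # not present in the map
)
foreach ($c in $cases) {
    $r = Resolve-SubPermissionChange -Department $c.Department `
        -CurrentSubPermissions $c.Current -Map $DepartmentGroupMap
    '{0,-8} known={1,-5} grant=[{2}] revoke=[{3}] keep=[{4}]' -f $r.Department, $r.Known,
        ($r.Grant -join ','), ($r.Revoke -join ','), ($r.Keep -join ',')
}
```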
The specific sub-permission granted is displayed in the Persons Overview. See Entitlements granted by sub-permissions. Note that when assigning a standard permission with sub-permissions in a business rule, only the name of the standard permission is displayed, because sub-permissions aren't determined until enforcement.
Sub-permissions are created on the target PowerShell system's Permissions tab.
Add or modify an entitlement
You can add or modify entitlements while adding a new business rule or editing an existing one. You can only do so after you've added a target system.
- On the Entitlements tab of a business rule, select the target system containing the relevant entitlement.
- Select the checkbox for each entitlement to add to the business rule.
- Select the Configured Entitlements button to see a summary of all included entitlements.
- Your changes are auto-saved and the business rule is put into a Draft state. To apply your changes, Publish the business rule. The next time the rule is enforced, the entitlement will be granted to the relevant persons (account created or enabled, group membership added, etc.).
Remove an entitlement
- To remove an entitlement from a business rule, deselect its checkbox on the Entitlements tab.
- Your changes are auto-saved and the business rule is put into a Draft state. To apply your changes, Publish the business rule. The next time the rule is enforced, the entitlement will be revoked from the relevant persons (group membership removed, account disabled or deleted, etc.).