After HelloID Provisioning has run an enforcement of the business rules, you can see which entitlements have been granted, and their current state, on the Entitlements page. You can also see which, if any, entitlements were blocked due to thresholds set on the target system.
Entitlement enforcement is closely linked to The User Account Lifecycle. We recommended reading this article before continuing.
Go to Business Rules > Entitlements to get started.
The first tab on the Entitlements page is the Granted tab. This displays all currently enforced entitlements.
Entitlement actions that are currently running or pending due to an enforcement are also displayed on this tab, but in italic text. (This is the same data shown on the Actions tab during an enforcement.) Running actions additionally show a Play icon on their Details button. See View running & pending entitlement actions.
View granted entitlement details
Select the relevant Details button to view recent entitlement actions, available entitlement actions, and logging information.
Select the Start Action button to choose from three available entitlement actions. These actions are also available in the Entitlements tab of the Persons Overview.
Available entitlement actions
Force update account
To force update accounts for a single account, select the relevant Force Update button.
To retry a failed grant action for a single entitlement, select the relevant Retry Grant button.
To perform a revoke action on a single entitlement, select the relevant Unmanage button. The entitlement is removed from the account in the target system, and all open and pending actions for it are canceled. The entitlement state in HelloID is effectively forgotten. Note, though, that this does not prevent the same entitlement from being granted again to the same target account as part of a business rule in the normal provisioning process.
This does not affect any aspect of the target account except the particular entitlement being revoked. All other granted entitlements remain in place. In comparison, if you remove the target account's Account entitlement from your business rules, the entire target account and all of its entitlements are revoked.
Accounts in dependent systems are not affected.
View granted sub-permissions
If a permission containing sub-permissions has been granted, select its Grid button to view the specific sub-permissions it contains:
You can also view the same information in the Persons overview. See Entitlements granted by sub-permissions.
Blocked entitlement actions
View blocked entitlement actions
If the number of modified entitlements exceeds a target system's thresholds, pending entitlement actions are blocked. Red warning triangles are displayed on the Entitlements navigation link and the Blocked tab.
Select the Blocked tab to see which target systems had blocked actions. In the example below, we attempted to grant 20 account entitlements, but the target system's threshold was set to 1. Thus, all 20 entitlements were blocked.
Select a system's Details button to see a detailed list of blocked entitlement actions for that system:
Resolve blocked entitlement actions
There are multiple strategies you can use to remediate blocked actions. The method that you choose depends on the situation.
- If you believe the operations that HelloID is attempting to take are due to an error in the data, then you will need to look at the source data to discern what may be the cause of the problem. For example, if there are too many pending revokes, your data may be missing personnel records.
- If you believe the pending operations are due to a misconfiguration of the business rules, you will need to revise those rules. Perhaps your business rule filters are too lax or too stringent.
- If the pending activity is legitimate, then your target system thresholds may be too low. You may need to increase them.
If the pending activity is legitimate, you may choose to manually approve the activity. To do so, select the system's Resume button.
Select the Yes button to confirm.
Receive email notifications
View running & pending entitlement actions
Immediately after you run an enforcement, in-progress actions are marked as Running on the Actions tab:
Pending actions that are waiting on dependencies are marked as Waiting:
As running and pending entitlement actions are resolved, they are moved from the Actions tab to the History tab.
View entitlement action history
Go to the History tab to view all completed entitlement actions. This includes data for the last 3 months.
For various reasons, an entitlement may not be granted successfully. Perhaps there was a drop in communication, or the generated account's username was too long, or some other reason. When an entitlement action encounters an error, this will be reflected in the Result column of the History tab.
To view the details of an entitlement action, select its Details button. It may take a few minutes for details to populate after an entitlement action finishes.
For PowerShell target systems, this dialog box displays all log messages. For Active Directory and Azure AD target systems, it displays only recent, high priority messages.
For a complete, unfiltered log, check your Agent logs.
Retry entitlement action
In the event of a failed entitlement action, select the blue Retry button to the right of the status to retry the enforcement process.
Export a report
Select the Export button to download a CSV report.
The data grids on this screen have a Refresh button. When new data is available, a lightning bolt appears inside it: . When this happens, click the button to refresh the data in the grid. Alternatively, select the Expand button and enable the Auto-Refresh toggle to have the grid automatically update itself.