Entitlements Basics

An Entitlement Policy is defined for a subject (User, Role, or Group), and either grants (Grant Effect) or denies (Deny Effect) performing an Action on a Resource.

The Deny Effect (Entitlement Exception) is useful in cases where an Entitlement needs to be explicitly excluded from the set of the Subject’s Entitlements. The Deny Effect allows creating Entitlement Exceptions, which simplifies the administration of Entitlement Policies.

In the example below, John will be granted Account Summary View, Account Transfer, and Bill Payment Entitlements, but will be denied E-Transfer which otherwise would have been inherited from the Finance Employee Role.

An Entitlement Policy with Deny Effect can be assigned to a User, Role or Group and, like Authorization Policies with Grant Effect, is inherited by the Subjects in the lower levels of the hierarchy.
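The following is an added example, not code from the product this page describes, showing how Grant and Deny policies inherited from Roles and Groups could be resolved for the John scenario. It assumes Deny overrides Grant and that no matching policy means Deny; the users Mary and Ana, the Contractors Group, the action names and the policy assignments are constructed for illustration.

```python
from dataclasses import dataclass

GRANT, DENY = "Grant", "Deny"

@dataclass(frozen=True)
class Policy:
    subject: str    # name of a User, Role or Group
    effect: str     # GRANT or DENY
    action: str
    resource: str

# Constructed sample data: who belongs to what, and who holds which policy.
MEMBERSHIPS = {
    "John": ["Finance Employee"],
    "Mary": ["Finance Employee"],
    "Ana": ["Finance Employee", "Contractors"],
}
POLICIES = [
    Policy("Finance Employee", GRANT, "View", "Account Summary"),
    Policy("Finance Employee", GRANT, "Perform", "Account Transfer"),
    Policy("Finance Employee", GRANT, "Perform", "Bill Payment"),
    Policy("Finance Employee", GRANT, "Perform", "E-Transfer"),
    Policy("John", DENY, "Perform", "E-Transfer"),           # exception on a User
    Policy("Contractors", DENY, "Perform", "Bill Payment"),  # exception on a Group
]

def subjects_for(user):
    """The user plus every Role or Group the user inherits policies from."""
    return {user, *MEMBERSHIPS.get(user, [])}

def decide(user, action, resource):
    """Return (effect, deciding policies). Assumed: Deny wins, no match is Deny."""
    matching = [p for p in POLICIES
                if p.subject in subjects_for(user)
                and (p.action, p.resource) == (action, resource)]
    denies = [p for p in matching if p.effect == DENY]
    if denies:
        return DENY, denies
    grants = [p for p in matching if p.effect == GRANT]
    return (GRANT, grants) if grants else (DENY, [])

def effective_entitlements(user):
    """Sorted (action, resource) pairs the user is granted after exceptions."""
    seen = {(p.action, p.resource) for p in POLICIES
            if p.subject in subjects_for(user)}
    return sorted(pair for pair in seen if decide(user, *pair)[0] == GRANT)

if __name__ == "__main__":
    for user in MEMBERSHIPS:
        print(user, effective_entitlements(user))
```

Returning the deciding policies alongside the effect lets an administrator see which Subject's exception produced a denial.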

Entitlements Definitions

Subject

Performer of a task – or the Role or Group the performer of a task is assigned to.

Action

The task the Subject performs.

Resource

The business entity the Action is performed on.

User

An individual in the organization.

Role

The role of a User in the organization – A User can have multiple Roles.

Group

The department or team of a User in the organization.

Enterprise

The Enterprise at the highest level of the organization's hierarchy, managing all the Clients.

Client

An organization / company client of the Enterprise.

Entitlement Policy

The rule for protecting a Resource – “Who” can perform what “Action” on what “Resource”.

Grant Effect

Authorizing a privilege to a Subject.

Deny Effect

Unauthorizing a privilege to a Subject.
