Entitlements Definitions and Basics
Definitions
Subject: Performer of a task – or the Role or Group to which the performer of the task is assigned.
Action: The task the subject performs
Resource: The business entity the Action is performed on.
User: An individual in the organization
Role: The role of a User in the organization – A User can have multiple Roles
Group: The department or team of a User in the organization
Enterprise: The Enterprise at the highest level of the organization's hierarchy, managing all the Clients
Client: An organization / company client of the Enterprise
Entitlement Policy: The rule for protecting a Resource – “Who” can perform what “Action” on what “Resource”
Grant Effect: Authorizing a privilege to a Subject
Deny Effect (Entitlement Exception): Explicitly denying a privilege to a Subject
Entitlements Basics
The image below depicts the definition of the Entitlement Policy along with an example:

An Entitlement Policy is defined for a subject (User, Role, or Group), and either grants (Grant Effect) or denies (Deny Effect) performing an Action on a Resource.
The Deny Effect (Entitlement Exception) is useful in cases where an Entitlement needs to be explicitly excluded from the set of the Subject’s Entitlements. The Deny Effect allows creating Entitlement Exceptions, which simplifies the administration of Entitlement Policies.
In the example below, John will be granted Account Summary View, Account Transfer, and Bill Payment Entitlements, but will be denied E-Transfer which otherwise would have been inherited from the Finance Employee Role.

An Entitlement Policy with Deny Effect can be assigned to a User, Role or Group and, like Entitlement Policies with Grant Effect, is inherited by the Subjects in the lower levels of the hierarchy.
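The John example above, worked through as an added sketch (not code from the product this page describes): Grant Effect policies on the Finance Employee Role are inherited by its Users, and a Deny Effect policy on John removes E-Transfer for him only. The subject identifiers, the action/resource split of each Entitlement, the user "mary", the "contractors" group, and the rule that a Deny always overrides a Grant are assumptions made for illustration.

```python
from dataclasses import dataclass

GRANT, DENY = "grant", "deny"

@dataclass(frozen=True)
class Policy:
    subject: str    # "user:...", "role:..." or "group:..." (hypothetical naming)
    action: str
    resource: str
    effect: str     # GRANT or DENY

# Constructed sample data: the Roles/Groups each User inherits policies from.
MEMBERSHIPS = {
    "user:john": ["role:finance-employee"],
    "user:mary": ["role:finance-employee"],
}

# Constructed policies mirroring the John example; action/resource split is assumed.
POLICIES = [
    Policy("role:finance-employee", "view", "account-summary", GRANT),
    Policy("role:finance-employee", "transfer", "account", GRANT),
    Policy("role:finance-employee", "pay", "bill", GRANT),
    Policy("role:finance-employee", "send", "e-transfer", GRANT),
    Policy("user:john", "send", "e-transfer", DENY),  # Entitlement Exception
]

def subjects_for(user, memberships):
    """The User plus every Role/Group whose policies the User inherits."""
    return {user, *memberships.get(user, [])}

def is_entitled(user, action, resource, policies=POLICIES, memberships=MEMBERSHIPS):
    """Default deny; any matching Deny Effect overrides every Grant (assumed rule)."""
    subjects = subjects_for(user, memberships)
    effects = {p.effect for p in policies
               if p.subject in subjects
               and (p.action, p.resource) == (action, resource)}
    return GRANT in effects and DENY not in effects

def effective_entitlements(user, policies=POLICIES, memberships=MEMBERSHIPS):
    """Every (action, resource) pair the User ends up entitled to."""
    pairs = {(p.action, p.resource) for p in policies}
    return sorted(pr for pr in pairs if is_entitled(user, *pr, policies, memberships))
```

Evaluating with default deny means a request that matches no policy at all is refused, so a Deny Effect is only needed to carve an exception out of an inherited Grant.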
