Manage entitlements


The Manage entitlements use case is the most important use case in the access right management (ARM) process, and all other IGA processes and use cases rely on it. It lets admin users create, update and remove access rights in the IGA solution and manage access right information and settings.

By implementing this use case alone, the customer can create manual type access rights, add additional access right information, and report the current status of all access rights and users in their directory. When this use case is combined with other use cases, for example approvals, more settings become available.

An entitlement is a single access right group. It can, for example, be read from the customer's directory, created manually, or imported using one-time imports. Several entitlements combined form a business role.



Use case description


This use case is for all IGA packages, but please notice that it can be expanded with other IGA packages' use cases.

* User lifecycle management
** Governance
*** Automation & provisioning
**** Expanded access right management


 

Description

Overview

The IGA solution is a centralized point for user lifecycle and access right management. This use case describes how an IGA Admin can manage entitlements.

An entitlement is an item that reflects one access right, which can be managed automatically or manually.

Entitlement information can also be read from directories or applications (groups), and the IGA Admin can add additional information and manage Self-Service information, needed approval levels, etc.

Operators

IGA solution
IGA Admin

Prerequisites

The customer has assigned the IGA admin role to at least one person, preferably to two persons. Admins are managed by adding users to the Efecte_IGA_Admins Directory Group.

Result

Entitlement is created, updated, or inactivated. IGA Admin can manage entitlement information, relations, Self-Service information, approval levels and ownerships.

Operating chain for automatic provisioning type of entitlements
  1. Groups located in directories or applications are read automatically into entitlements
    • One group becomes one entitlement
    • Customer can define attribute mappings during the definition phase. For example, if privilege accesses are managed, the entitlement type is defined as privilege based on information found in the group or on the OU path.
      • Entitlement types are listed in IGA solution description
    • A unique ID (for example ObjectGUID) is used for identifying groups and entitlements between the IGA solution and the directory/application

  2. IGA admin adds or changes missing mandatory and optional information in the entitlement (which has been read from the directory/application and whose type is automatic), for example friendly name, description, approval levels, owners, approvers, visibility in the Self-Service, etc.
    • Full list of attributes is available in IGA solution description

  3. If the group has been deleted from the directory/application, its status changes to deleted and it is hidden

  4. IGA admin can report and audit entitlement related information by creating own reports or using ready-made reports and dashboards, for example:
    • Entitlements published into Self-Service
    • Entitlements missing mandatory information
    • Users attached to the entitlement (group memberships)
    • Entitlements with most users attached
    • Entitlements with no users attached
    • Request and approval information, when entitlement has been requested or approved/declined from the Self-Service
    • Deleted entitlements

  5. IGA admin can manage entitlement information at any time. If there are any exceptions when reading entitlement information from the directory/application, or during Self-Service requests or approvals, the IGA solution generates a task for the IGA admin for further investigation.

  6. IGA admin can save or cancel changes

  7. Auditing details are saved
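
The automatic operating chain above, sketched as an added Python example (not Matrix42 code): one scheduled read is applied to a store of entitlements keyed by the directory's unique ID, followed by two of the listed reports. The record fields, the MANDATORY list and all sample groups are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed mandatory attributes; the real list is in the IGA solution description.
MANDATORY = ("friendly_name", "description", "approval_level", "owner")

@dataclass
class Entitlement:                         # hypothetical record, not the IGA data card
    unique_id: str                         # e.g. the directory's ObjectGUID
    directory_name: str
    provisioning_type: str = "automatic"   # automatic | manual | combined
    status: str = "active"
    hidden: bool = False
    members: set = field(default_factory=set)
    admin_info: dict = field(default_factory=dict)   # maintained by the IGA admin

def sync_groups(store, snapshot):
    """Apply one directory read to the store; return audit events in order."""
    audit, seen = [], {g["objectGUID"] for g in snapshot}
    for group in snapshot:
        guid = group["objectGUID"]
        ent = store.get(guid)
        if ent is None:                    # one group becomes one entitlement
            store[guid] = Entitlement(guid, group["name"], members=set(group["members"]))
            audit.append(("created", guid))
            continue
        if ent.directory_name != group["name"]:
            # Matched on the unique ID, so a rename keeps admin-entered data.
            ent.directory_name = group["name"]
            audit.append(("renamed", guid))
        ent.members = set(group["members"])
    for guid, ent in store.items():
        # Manual entitlements have no directory group; never flag them as deleted.
        if ent.provisioning_type != "manual" and guid not in seen and ent.status == "active":
            ent.status, ent.hidden = "deleted", True
            audit.append(("deleted", guid))
    return audit

def missing_mandatory(store):
    return sorted(e.unique_id for e in store.values() if e.status == "active"
                  and any(e.admin_info.get(k) in (None, "") for k in MANDATORY))

def without_users(store):
    return sorted(e.unique_id for e in store.values() if e.status == "active" and not e.members)

def demo():  # two scheduled reads over constructed sample data
    store = {"m-1": Entitlement("m-1", "Badge printer", "manual", members={"dave"},
                                admin_info={"friendly_name": "Badge printer"})}
    first = sync_groups(store, [
        {"objectGUID": "guid-a", "name": "GRP_Finance_RO", "members": ["alice", "bob"]},
        {"objectGUID": "guid-b", "name": "GRP_HR_RW", "members": ["erin"]},
    ])
    store["guid-a"].admin_info = {"friendly_name": "Finance read-only",
        "description": "Read access to finance share", "approval_level": 1, "owner": "carol"}
    second = sync_groups(store, [          # guid-a renamed, guid-b gone, guid-c new
        {"objectGUID": "guid-a", "name": "GRP_Finance_ReadOnly", "members": ["alice"]},
        {"objectGUID": "guid-c", "name": "GRP_Legal_RO", "members": []},
    ])
    return store, first, second

if __name__ == "__main__": print(*demo()[1:], sep="\n")
```

Matching on the unique ID rather than the group name is what lets a renamed group keep its friendly name, owners and approval levels, and excluding manual entitlements from the deletion pass prevents admin-created records from being hidden after every read.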

Operating chain for manual provisioning type of entitlements
  1. IGA admin selects new from the entitlement view

  2. IGA admin adds or changes missing mandatory and optional information in the entitlement (whose type is manual), for example friendly name, description, approval levels, owners, approvers, visibility in the Self-Service, etc.
    • Full list of attributes is available in IGA solution description

  3. IGA admin can define whether, when a manual type entitlement is requested, the request is sent via email, an admin task is generated for a support group, or it is delivered to another application (usually as a ticket to the customer's ITSM solution)

  4. IGA admin can save or cancel the changes

  5. Auditing details are saved

Operating chain for combined provisioning type of entitlements
  1. Combined type of entitlements are always first read from the directory / application (check operating chain for automatic provisioning type of entitlements).

  2. After all needed groups can be found as entitlements, IGA admin can change provisioning type to be combined by opening the entitlement.
    • Combined provisioning means that the user-group membership is automatically provisioned to the directory / application and a manual ticket / email is sent for manual actions.

  3. IGA admin can now define whether the manual request is sent via email or as a ticket to a support group

  4. After both manual and automatic provisioning are performed successfully, the request is closed.
    • If one of the provisioning actions is not successful, both requests are cancelled

  5. Auditing details are saved.

Reporting / auditing entitlements

IGA solution contains ready-made views and dashboards for reporting and auditing information related to entitlements (access rights) and IGA admins can easily create / modify / save / delete more personal reports and/or share them with others.

It is important to notice that the needed reports vary according to how long the IGA solution has been in use. Right after the solution has been taken into production use, reporting focuses on analyzing the current status of access rights and guides IGA admins to start publishing access rights into the request catalog in the correct order, etc.

  • List of all normal type of entitlements
  • Users attached to the entitlement (group memberships)
  • Entitlements with most users attached
  • Entitlements with no users attached
  • Entitlements missing mandatory information (at the beginning basically all entitlements, before mandatory information is filled in)

When end-users start requesting access rights from Self-Service, the following views and dashboards also become available:

  • Entitlements published into Self-Service
  • New entitlements read from directory 
  • Request and approval information, when entitlement has been requested/removed or approved/declined from the Self-Service
  • Deleted / hidden entitlements
  • Entitlements based on provisioning type

Following reports become available when automation is added by using automated rules for granting accesses automatically to users based on their title, cost center or organizational unit information (check also each use case for more detailed information about reporting).

  • Entitlements used only in automated rules***
  • Automated rules without any attached entitlements***
  • Entitlements based on directory / application (if several connectors implemented towards different directories or applications)***

When use cases related to governance processes are taken into use, the following views and dashboards for reporting become available (check also each use case for more detailed information about reporting):

  • Entitlements related to toxic combinations**
  • Entitlements being re-certificated** 
  • Entitlements based on risk level**

Extended access right management process brings even more ready-made views and dashboards for reporting, 

  • Entitlements based on type (normal-, physical-, privilege-, or technical)****
  • Request and approval information also related to physical-, privilege-, or technical access right requests, when entitlement has been requested/removed or approved/declined from the Self-Service****

IGA admin actions

IGA admin actions are tasks which the customer's future IGA admin needs to perform, maintain and monitor, either as one-time tasks right after Go-Live or as daily / weekly tasks after the IGA solution has been used for a while.

After Go-Live

  • Update entitlement information (friendly name, description, related application)
    • Add the needed approval level to entitlements and publish those that users need to be able to request from the Self-Service request access right service.
    • Ready-made reports help the IGA admin select the most used entitlements and start updating information based on usage, or based on entitlements related to some organizational unit, etc.
    • This task takes time from IGA admins, but the time needed will continuously decrease, and it becomes a weekly task once only new entitlements are found or existing ones need updates.

  • Analyze different users' access rights, and start building business roles once enough information has been added to entitlements.

When users start requesting / removing access rights from Self-Service, the IGA admin needs to follow up and act in cases where manual intervention is required.

  • Monitoring IGA admin tasks in the IGA solution on a daily basis, which tells IGA admins if there are any issues in the processes or provisioning.
  • Updating information to new entitlements read from the directory or application

Related datacards

IGA Entitlement



Expansion possibilities


Expansion possibilities are categorized into three categories, but it is always important to validate whether a requested change affects the delivery schedule or work estimations.


Category: Small (less than an hour)
Description: Small changes do not usually affect the delivery schedule or work estimations, and these changes can also be done by IGA admins:
  • Attribute naming
  • Info texts
  • Add new email notifications

Category: Medium (0,5 - 2 work days)
Description: Medium changes can be, for example:
  • New services to Self-Service
  • New connector (new customer directory)

Category: Large (more than 2 work days)
Description: Large changes usually take longer, since they require more detailed definition and testing work. For managing entitlements, larger changes are usually new use cases which are expansions to the customer's existing IGA solution:
  • Complex approval process
  • Privilege access right management 
  • Physical access right management 
  • Manage service accounts
  • Risk level calculation 
  • Manage entitlement lifecycle
  • Customer specific use cases



Relations & configuration instructions


Relations to other use cases:

Request & remove access rights - users are able to request entitlements from Self-Service

Approval & delegation - users are able to approve entitlement requests and delegate approval responsibilities

Audits & reports - IGA admins can create / update / remove /share reports, views and dashboards, or use ready-made reports.

Manage IGA users - Accesses to IGA solution and Self-Service are managed as entitlements.

Manage applications - entitlements are always related to application, service, database etc. 

Provisioning / de-provisioning - entitlements can be provisioned automatically, manually or by combining these two methods

Manage business roles - business roles can contain entitlements or sub-roles

Manage IGA accounts - an entitlement is always related to a user's account

Manage request catalog - entitlements can be published to Self-Service for end users to be able to request them

Manage user lifecycle, add new users, update user information and update departing user information - are use cases where entitlements are granted, updated and removed automatically based on changes in received user information, for example during user creation birth rights are granted automatically. 

Manage data imports - entitlements can be imported using one-time imports

Manage automated rules - user can get entitlements automatically using attribute-based access controls (ABAC), role-based access controls (RBAC) and organizational-based access controls (OrBAC)

Re-certification - entitlements can be re-certified, meaning that a re-approval is sent to Self-Service for the user's review

Reconciliation - an entitlement has group members which are not allowed, usually added directly in the directory

Manage toxic combinations - entitlements can form a toxic combination, which is prevented from being granted to users

Risk level calculation - a user's risk value is calculated based on the risk values of related entitlements

Lock user account - when all of a user's accounts and access rights are immediately disabled, entitlements are removed, or restored after the incident has been solved

Manage privilege accesses - entitlement type is set to privilege

Manage physical accesses - entitlement type is set to physical

Manage entitlement lifecycle & create update entitlements - use cases for creating, updating and removing access right groups to/from directories or applications.


Relations to other data cards:

Data import
Person
Identity Storage*
IGA Admin Task
IGA Account
IGA Business Roles
IGA Service Request
IGA Request Catalog
IGA Re-certification
IGA Automated Rules**
IGA Toxic Combinations**



Notice! 

Configuration instructions for use cases related to expanded access right management, which expand the entitlement management use case, can be found under the physical access right management and privilege access right management use cases.


1. Configuration instructions

  1. Configure scheduled-based provisioning task to read account data to IGA account data card and group data to IGA entitlement data card
  2. Configure related use cases according to their configuration instructions


1.1 Unit testing instructions

  1. Read groups from the customer directory and validate that data is read to correct attributes
  2. Create manual type entitlements
  3. Publish entitlements to Self-Service, but make sure that MyServices in Self-Service are configured according to related use cases
  4. Make sure all reports and dashboards are showing information correctly
  5. Check that IGA access right records are created correctly based on group membership connections



System and user approval testing instructions


This chapter describes instructions and preparation tasks for testing the manage entitlements use case.


Preparation tasks for both testing phases


1. Create 10 test groups into the directory for both testing phases (total 20 groups)

2. Also create 5 test users for each testing phase (total 10 users) and create a couple of group membership connections for validating that relations are also read correctly

3. Wait until scheduling has read the groups as entitlements, or run provisioning task manually to get group information immediately. 


System testing

1. Read definition documentation and create needed customer specific test cases

2. Make sure all preparation tasks are completed (including tasks that are the customer's responsibility)

3. Test also that provisioning task can be run manually

4. Check that attributes related to the groups are read into correct attributes to IGA entitlement data card

5. Check that group membership relations are shown correctly

6. Check that IGA access right records are created correctly based on existing group membership connections

7. Create categories for request catalog (check instructions from here)

8. Add user friendly name, description, application, approval level + approvers, and publish entitlements into Self-Service

9. Create manual type entitlements and publish them also into Self-Service

10. Validate from Self-Service that entitlements are showing correctly in request access right services

11. Validate from Self-Service that entitlements and group connections are showing correctly in remove access right services

12. Inactivate & remove entitlements with and without group membership connections

13. Check that views, dashboards and reports are showing correctly


User approval testing

1. Read definition documentation and create needed customer specific test cases

2. Make sure all preparation tasks are completed (including tasks that are the vendor's responsibility)

3. Check that attributes related to the groups are read into correct attributes to IGA entitlement data card

4. Check that group membership connections are read correctly

5. Check that IGA access right records are created correctly based on existing group membership connections

6. Create categories for request catalog (check instructions from here)

7. Add user friendly name, description, application, approval level + approvers, and publish entitlements into Self-Service

8. Create manual type entitlements and publish them also into Self-Service

9. Validate from Self-Service that entitlements are showing correctly in request access right services 

10. Validate from Self-Service that entitlements and group connections are showing correctly in remove access right services

11. Inactivate & remove entitlements with and without group membership connections

12. Check that views, dashboards and reports are showing correctly

Copyright 2026 – Matrix42 Professional.

Matrix42 homepage


Knowledge Base Software powered by Helpjuice

0
0
Expand