Entitlements

Entitlements refer to the permissions or rights granted to a user or group to access specific resources or perform certain actions within a system. These entitlements are typically defined based on the user's role, job function, or other relevant attributes associated with the user.

Key elements about entitlements

  • Authorization: Entitlements are closely tied to authorization, which is the process of determining whether a user is allowed to perform a specific action.

  • Access Control: Entitlements are a fundamental component of access control, ensuring that only authorized individuals can access sensitive information or systems.

  • Role-Based Access Control (RBAC): Entitlements are often assigned based on a user's role within an organization, making it easier to manage access permissions for large groups of users.

  • Least Privilege Principle: The principle of least privilege states that users should be granted only the minimum entitlements necessary to perform their job duties, reducing the risk of unauthorized access.

  • Entitlement Management: This refers to the process of managing and controlling entitlements throughout their lifecycle, including granting, revoking, and auditing.

Examples of entitlements

  • A sales representative might be entitled to access customer data and place orders.

  • A system administrator might be entitled to modify system settings and troubleshoot issues.

  • A guest user might be entitled to view public content on a website but not to make purchases.

By effectively managing entitlements, organizations can improve security, compliance, and efficiency.

Provisioning of Entitlements

In Cymmetri, the ability to provide an object (such as a user or group) access to a resource (application, group, role, permission, privileged system) is called provisioning of entitlements.

Broadly, the following entitlements are available for access-based provisioning:

  • Business Role

  • Group

  • Application

  • Application Role

  • Privileged System

  • Cymmetri Role

In Cymmetri, the above-mentioned entitlements are provisioned to either:

  • Cymmetri Users

  • Cymmetri Groups

Discover Entitlements

Cymmetri provides a framework for identifying entitlements within various target applications. The most common of these are accounts or user objects in the target system. The other elements that can be detected are group or group objects and roles.

For account discovery, various Cymmetri connectors provide ready-made detection capability. The most common among them are:

  1. Azure AD

  2. REST API Connector

  3. AMAYA Connector

  4. SAP HANA Connector

  5. SCIM Connectors

After discovery of identities, Cymmetri can be configured to perform the corresponding action, such as:

  1. Assign or Link the Cymmetri user and the Target system account

  2. Unassign or Unlink the Cymmetri user and the Target system account
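
The correlate-then-link step described above, as an added illustration that is not Cymmetri's code or API: discovered accounts are matched to users by email (an assumed correlation attribute) and sorted into link candidates, unlink candidates and orphans for review. All names and sample data are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:                 # account object discovered in a target application
    app: str
    login: str
    email: str

# Constructed sample data (hypothetical users, apps and logins).
IDENTITY_USERS = {             # identity-store user id -> email
    "u1001": "asha@example.com",
    "u1002": "ben@example.com",
    "u1003": "chen@example.com",
}
EXISTING_LINKS = {             # (app, login) -> user id already linked
    ("crm", "asha"): "u1001",
    ("crm", "chen.old"): "u1003",
    ("hr", "asha"): "u1001",   # app not covered by this discovery run
}
DISCOVERED = [                 # result of one discovery run against "crm"
    Account("crm", "asha", "asha@example.com"),
    Account("crm", "ben", "Ben@Example.com"),
    Account("crm", "svc-backup", "backup@example.com"),
]

def reconcile(users, links, discovered):
    """Return (link, unlink, orphans) after correlating accounts by email."""
    by_email = {email.lower(): uid for uid, email in users.items()}
    seen = {(a.app, a.login) for a in discovered}
    scanned_apps = {a.app for a in discovered}
    link, orphans = [], []
    for acct in discovered:
        key = (acct.app, acct.login)
        if key in links:
            continue                       # already linked, nothing to do
        uid = by_email.get(acct.email.strip().lower())
        if uid:
            link.append((uid, key))        # candidate for Assign / Link
        else:
            orphans.append(key)            # no matching user: review, never auto-link
    # Linked accounts that the target no longer reports. Only apps that
    # returned data are considered, so an empty or failed run unlinks nothing.
    unlink = [(uid, key) for key, uid in links.items()
              if key[0] in scanned_apps and key not in seen]
    return link, unlink, orphans
```

Orphans such as the service account here are the entries a least-privilege review cares about most, since no user record explains their access.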

Role Definitions

Cymmetri can manage Business and IT roles through its interface.

The Business Roles can be defined as part of the Cymmetri RBAC Master and SoD policies. Similarly, the Application roles or IT roles can be defined at each application as its own master. Generally, the application roles are maintained on the application side and Cymmetri keeps a reference for the target role entitlement.

Role Update

Cymmetri allows direct syncing with the target system to fetch the role master. However, if the target system does not support APIs for role management, the roles can be added or modified through bulk import or by manually adding or updating them in Cymmetri.

Audit of Change History

Every role definition is saved in the Cymmetri audit log. Changes to the definition are audited, and the previous role configuration can be restored as needed.

Apart from the standard reconciliation approach, Cymmetri also provides a 360 degree reconciliation to discover identities / accounts which do not correlate with Cymmetri records or vice versa.

The possible scenarios for identity state can be found in the conditions, which are in turn based on the supported operations.