Entitlement Roles Details

The Entitlement Roles / Details page allows you to view more detailed review information. Some of the information within this area can be changed depending on the status of the review.

To open the Entitlement Roles / Details page:

From the Entitlement Roles list, select the Entitlement Role you want to view. The role's detail page is displayed.

Refer to the following sections for more information about each tab:

Modeling
Settings
Enrollments
Versions

Modeling Tab

When the Entitlement Roles / Details page is displayed, the Modeling tab is selected by default (see picture below).

Select one of the following options to learn more about each of the numbered areas on the tab:

1	Applications list	2	Options button
3	Filter button	4	Privileges, Configuration, and Ideal Access

Applications List

This area displays a list of applications that are considered allowed by the entitlement role. Applications can either be added or removed from the Entitlement Role manually or you can have Permission Assist recommend changes.

Options Button

The Options button in the upper right corner of the page provides the following options.

ACTIONS:

Option:	Description:
Recommend Changes	Use this option if you want Permission Assist to recommend changes to the Entitlement Role based on the most recent import data and participation.

EXPORT:

Option:	Description:
Excel	Allows you to download the Entitlement Role Details report which provides detailed information about the Entitlement Role, the enrolled Identities, and the permissions in either Excel or PDF format.
PDF

Filter Button

The filter button in the upper right corner of the tab - - allows you to change the list of permissions displayed based on the selected criteria. By default, all permissions are displayed. To filter the list, select and pick one or more of the following options.

NOTE: If you select more than one option, each option becomes an additional criteria that must be met for a permission to be displayed. For example, if you select the Only Recommended and the Only Configured options, a permission must be both recommended and configured to be displayed in the list.

Filter	Action
Only Recommended	When selected, this option shows the permissions that are recommended to be allowed based on a participation of 65% or more.
Only Configured	When selected, this option shows the permissions that have been granted through the modeling of ideal access. Permissions that have been configured will show as "Allowed" (see example below).
Only Uncommitted	When selected, this option shows the permissions that have been changed since the last committed version of the application within the Entitlement Role. Permissions that have changed but not yet committed are indicated with a symbol between the Configuration and Ideal Access columns (see example below).
Only New	When selected, this option shows the permissions that are new as of the most recent import.
Hide Unused	When selected, this option hides any permissions that have 0% participation, meaning no one enrolled in the Entitlement Role has been given this permission.
Show Absent	When selected, this option shows permissions that have been seen before but are now absent.

Privileges, Configuration, and Ideal Access

The permissions for the selected application are displayed in this area on the right side of the page. Within this area, there are three columns of information: Privileges, Configuration, and Ideal Access.

Column

Description

Privileges

Displays a list of all permissions within the application and the percentage of participation for each permission. To see whether a specific Identity has a permission or not, select the permission. The Privilege Enrollments page is displayed, which provides a list of all Identities in the Entitlement Role (see example below).

If an Identity has the permission, the Used column displays a check mark. If the Identity does not have the privilege, the Used column is blank.

Configuration

Allows you to model ideal configuration for each application within the Entitlement role. Permission Assist can help you model ideal configuration based on participation; however, you can also manually model ideal configuration by selecting one of the following buttons.

Option:	Description:
Allow	When the Allow button is displayed, it means the permission is not modeled as ideal access for this role, and it will be considered denied during a review. To allow the permission, select the Allow button. After selecting the Allow button, the Allowed button is displayed (see the Allowed picture below).
Allowed	When the Allowed button is displayed, it means the permission is modeled as ideal access for this role, and within a review, it will be considered allowed. To remove the configuration, select the Allowed button. After selecting the Allowed button, the Allow button is displayed, which means the permission is not modeled as ideal access for this role. NOTE: If a group enlistment is allowed due to inheritance through another group enlistment, it can not be overridden and denied.
Inherit	When a permission can be inherited from a group, but access to a group that includes this permission has not yet been granted, the Inherit button is displayed. To assign this permission, select an appropriate group enlistment that includes this permission and the permission will be granted through inheritance. If needed, you can override this, and explicitly assign this permission in some situations.
Inherited	When a permission is being inherited from a group, the Inherited button is displayed.
Deny	When a permission either is inherited or has the potential to be inherited, but is explicitly denied instead, the Deny button is displayed.

Image Descriptions:

Image

Description

Inheritance

When the inheritance image is displayed beside a button along with a number, it means that if the enlistment is selected or allowed, additional permissions will also be inherited (see example below).

If the image is displayed on the button itself, as in the examples below, it means the permission either is or can be inherited from a group. If the permission is allowed vs inherited, it could also indicate that the permission is a group that is allowed because it's inherited through being part of another group.

Broken Inheritance

When the broken inheritance image is displayed, it means that the permission could have been inherited from a group, but it was overridden and explicitly allowed. Changing the group-level permissions will no longer affect this permission. See example below.

Ideal Access

This column shows whether the configured access results in an allowed access or denied access to each permission in the Entitlement Role.

NOTE: If an Identity matches to multiple Entitlement Roles, their ultimate access across all Entitlement Roles is not reflected in this column. This column represents configured access for this Entitlement Role only. Permission Assist will resolve access across all Entitlement Roles when needed (reviews, personnel events, etc).

Settings Tab

The Settings tab defines some basic information, such as name and description, as well as other important information such as the conditions used to determine enrollment.

Field/Option	Description
Name	Enter a descriptive name of up to 650 characters for the role.
Description	Enter a longer more descriptive explanation of the Entitlement Role
Owner	Within Permission Assist, an Entitlement Role Owner may not always be the one making decisions about every application within the role, but they are the person ultimately responsible for making sure the Entitlement Role is set up and properly managed. For example, the owner may have application owners or a "role committee" decide which permissions are allowed or denied for each application. In these cases, the Entitlement Role Owner would still oversee the process and make sure the roles are properly defined, committed, and enabled within Permission Assist. Select this field to pick the owner from the list.
Conditions	Conditions are used to define who is automatically enrolled or who can be optionally enrolled in the Entitlement Role. The Conditions area (see example below) displays the conditions that have already been added to the Entitlement Role and allows you to add, change, or remove conditions.
Enabled	Select this option to enable or disable the role. Entitlement roles are included in reviews if they are enabled at the time the review is started. When the role in enabled, they can be used in when creating personnel events and reviews. Within a review, reviewers will see both a Review column and a Role column (as shown below). The Role column indicates which roles the user is allowed based on their role. Disabling the entitlement role will prevent the role from being used for personnel events or future reviews, but it will not remove it from reviews that have already been started.

Enrollments

The Enrollments tab displays a list of Identities that are enrolled in the Entitlement Role.

When an active Identity is added to a role, they are considered "enrolled" in the Entitlement Role. Identities are usually automatically enrolled based on the conditions defined within the Settings tab of the Entitlement Role. For more information about changing the conditions of a role, refer to Add or Change Conditions of an Existing Role

If you have a special project or situation, you can also manually add Identities to the Entitlement Role.

NOTE: If you've recently made a change to an Identity and you're noticing the changes are not yet reflected in the role, keep in mind that Identities are automatically updated daily based on the schedule set up in the Settings tab of the Directory Source. If you'd like to see the changes immediately, update the directory source manually.

Versions

The Versions tab allows you to view, track, and commit changes made to Entitlement Roles.

For more information, refer to: View and Commit Entitlement Role Versions