Allow or Deny Entitlement Role Permissions

If you'd like to have Permission Assist update all of the applications and permissions within an entitlement role based on the most recent import data, refer to the following topic: Update Entitlement Roles (Realign Permissions)

To manually allow or deny permissions within a specific application, complete the following steps:

  1. From the Entitlement Roles list, select the Entitlement Role you want to change. The role's detail page is displayed. 

  2. Select the Add Application link at the bottom of the applications list (see picture below).

  3. Within the Modeling tab (which is displayed by default), select the application you want to change within the list. The permissions are displayed on the right side of the page (see picture below).

  4. For each privilege you want to allow or deny, use the following buttons:

    Option:

    Description:

    Allow

    When the Allow button is displayed, it means the permission is not modeled as ideal access for this role, and it will be considered denied during a review. To allow the permission, select the Allow button. After selecting the Allow button, the Allowed button is displayed (see the Allowed picture below).

    Allowed

    When the Allowed button is displayed, it means the permission is modeled as ideal access for this role, and within a review, it will be considered allowed. To remove the configuration, select the Allowed button. After selecting the Allowed button, the Allow button is displayed, which means the permission is not modeled as ideal access for this role.

    NOTE: If a group enlistment is allowed due to inheritance through another group enlistment, it can not be overridden and denied.

    Inherit

    When a permission can be inherited from a group, but access to a group that includes this permission has not yet been granted, the Inherit button is displayed. To assign this permission, select an appropriate group enlistment that includes this permission and the permission will be granted through inheritance.

    If needed, you can override this, and explicitly assign this permission in some situations.

    Inherited

    When a permission is being inherited from a group, the Inherited button is displayed.

    Deny

    		 When a permission either is inherited or has the potential to be inherited, but is explicitly denied instead, the Deny button is displayed.

     

    Image Descriptions:

    Image Description

    Inheritance

    When the inheritance image is displayed beside a button along with a number, it means that if the enlistment is selected or allowed, additional permissions will also be inherited (see example below).

    If the image is displayed on the button itself, as in the examples below, it means the permission either is or can be inherited from a group. If the permission is allowed vs inherited, it could also indicate that the permission is a group that is allowed because it's inherited through being part of another group.

    Broken Inheritance

    When the broken inheritance image is displayed, it means that the permission could have been inherited from a group, but it was overridden and explicitly allowed. Changing the group-level permissions will no longer affect this permission. See example below.

     

    Tip: To save time, permissions can be filtered by selecting the Filter button. The following options are displayed:

    Filter

    Action

    Only Recommended

    When selected, this option shows the permissions that are recommended to be allowed based on a participation of 65% or more.
    Only Configured

    When selected, this option shows the permissions that have been granted through the modeling of ideal access. Permissions that have been configured will show as "Allowed" (see example below).
    Only Uncommitted

    When selected, this option shows the permissions that have been changed since the last committed version of the application within the Entitlement Role. Permissions that have changed but not yet committed are indicated with a symbol between the Configuration and Ideal Access columns (see example below).

    Only New

    When selected, this option shows the permissions that are new as of the most recent import.

    Hide Unused

    When selected, this option hides any permissions that have 0% participation, meaning no one enrolled in the Entitlement Role has been given this permission.

    Show Absent

    When selected, this option shows permissions that have been seen before but are now absent.

  5. As changes are made, the number of changes is displayed to the right of the application name (see picture below).

  6. When all changes to the application are complete, commit the changes.