Manage identity risk and cloud access with Entitle
A workflow for Entitle
Scope of this guide
Access accumulates. Roles get granted for projects that end, permissions approved during incidents never get revoked, and cloud entitlements pile up outside any centralized governance process. This workflow guides security and IT administrators through visualizing identity risk, revoking overprivileged access, managing just-in-time (JIT) access requests, governing cloud entitlements with Cloud Infrastructure Entitlement Management (CIEM), and running structured access reviews to maintain least privilege over time.
Prerequisites
- You have administrator permissions in Entitle.
- Entitle is connected to at least one integration (SaaS, cloud, or on-premises).
- Cloud integrations (AWS, GCP, Azure) are configured if you plan to govern cloud entitlements with CIEM.
- Your identity provider (IdP) is connected to Entitle if you plan to run access review campaigns.
Why is this important
Every organization has over-privileged accounts, not because anyone made a mistake, but because access is rarely cleaned up as systematically as it's granted. Cloud environments make this worse: permissions granted in AWS, GCP, and Azure often fall outside any centralized governance process, creating entitlement sprawl that's invisible until something goes wrong. This workflow gives you the tools to find that exposure, act on it, and establish the ongoing review cadence that keeps it from returning.
Workflow summary
| Step | Action |
|---|---|
| 1 | Visualize identity risk with the permissions graph |
| 2 | Investigate and revoke overprivileged access |
| 3 | Manage JIT access requests |
| 4 | Govern cloud entitlements with CIEM |
| 5 | Run structured access reviews |
Steps
Step 1: Visualize identity risk with the permissions graph
The permissions graph maps the relationships between users, accounts, integrations, resources, and roles — showing you not just who has access, but how they got it, whether it's direct or inherited, and where unexpected access chains exist. Overprivileged accounts and toxic permission combinations become visible at a glance rather than buried in an export.
- Sign in to app.beyondtrust.io. The BeyondTrust Pathfinder Home displays.
- At the top right of the page, select your site from the drop-down.
- Select the Entitle tile from your list of available applications.
- From the top left menu, select Permissions. The permissions graph displays the full permission landscape across all connected integrations.
- Review the graph key at the top of the screen. It shows the total count of users, accounts, integrations, resources, and roles in the current view. Permission path lines are color-coded: purple for direct access, green for indirect access, and yellow for both.
- Apply the User filter to focus the graph on a specific individual or group. Use this to investigate the full access footprint of high-risk or high-privilege accounts.
- Apply the Integration filter to scope the view to a specific cloud platform or SaaS application — for example, all permissions in AWS or GitHub.
- Apply the Resource and Role filters together to find everyone who holds a specific level of access to a sensitive resource — for example, all users with Admin access to your production database.
- Review the graph for indirect access paths (green lines). These represent permissions inherited through group membership or role chaining. Indirect access cannot be revoked directly — it must be addressed at the source role or group.
- Use the zoom and center controls to navigate the graph when reviewing large or complex permission sets.
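The direct, indirect and both classifications the graph colours purple, green and yellow come from walking the user, group, role and resource relationships. The following Python, an added illustration rather than Entitle code, resolves those paths over a small constructed graph (the group membership, nesting and grants are sample data, and the node types are simplified), and for every inherited path reports the group that has to be edited, since revoking the user's own row would leave inherited access in place:

```python
"""Resolve direct vs indirect access in a small permission graph.

Added illustration, not Entitle code. The node types (users, groups, roles
on resources) and every grant below are constructed sample data; Entitle's
real graph also carries accounts and integrations, and nesting may be deeper.
"""

# Constructed sample: group membership and group nesting (a nested group's
# members inherit the parent group's grants).
GROUP_MEMBERS = {
    "sre-oncall": {"alice", "bob"},
    "platform": {"bob", "carol"},
}
GROUP_PARENTS = {
    "sre-oncall": "platform",  # sre-oncall is itself a member of platform
}

# Constructed grants: (principal, principal_type, resource, role).
GRANTS = [
    ("alice", "user", "prod-db", "Admin"),                       # direct
    ("platform", "group", "prod-db", "Admin"),                   # inherited
    ("carol", "user", "prod-db", "Read"),                        # direct
    ("sre-oncall", "group", "aws-prod", "AdministratorAccess"),  # inherited
]


def groups_of(user, members=GROUP_MEMBERS, parents=GROUP_PARENTS):
    """Every group the user belongs to, following nesting transitively."""
    seen = set()
    stack = [g for g, users in members.items() if user in users]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        parent = parents.get(group)
        if parent is not None:
            stack.append(parent)
    return seen


def resolve(grants=GRANTS, members=GROUP_MEMBERS, parents=GROUP_PARENTS):
    """Map (user, resource, role) -> {"kind": ..., "sources": [...]}.

    kind is "direct", "indirect" or "both", matching the graph's purple,
    green and yellow paths. sources lists the groups an indirect path runs
    through: revoking the user's row will not remove that access, the grant
    has to come off the group (or the user out of the group) instead.
    """
    users = {u for us in members.values() for u in us}
    users |= {p for p, t, _, _ in grants if t == "user"}
    out = {}
    for user in sorted(users):
        member_of = groups_of(user, members, parents)
        for principal, ptype, resource, role in grants:
            key = (user, resource, role)
            if ptype == "user" and principal == user:
                out.setdefault(key, {"direct": False, "sources": []})["direct"] = True
            elif ptype == "group" and principal in member_of:
                out.setdefault(key, {"direct": False, "sources": []})["sources"].append(principal)
    for entry in out.values():
        if entry["direct"] and entry["sources"]:
            entry["kind"] = "both"
        elif entry["direct"]:
            entry["kind"] = "direct"
        else:
            entry["kind"] = "indirect"
    return out


def revocation_plan(resolved):
    """For every inherited path, where the access actually has to be cut."""
    plan = {}
    for (user, resource, role), entry in resolved.items():
        if entry["sources"]:
            plan[(user, resource, role)] = [
                f"remove the {role} grant on group {g}, or {user} from {g}"
                for g in entry["sources"]
            ]
    return plan


if __name__ == "__main__":
    resolved = resolve()
    for (user, resource, role), entry in resolved.items():
        print(f"{user:6} {resource:9} {role:20} {entry['kind']:8} via {entry['sources']}")
    for key, actions in revocation_plan(resolved).items():
        print(key, "->", actions)
```

Alice ends up as both on prod-db Admin (her own grant plus the platform group grant inherited through sre-oncall), so revoking only her direct row would leave her with Admin; that is the case the green lines are there to expose.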
Take it further with Insights
If your organization also uses Insights, risk and sensitivity indicators appear directly in the Entitle permissions graph, surfacing which users carry elevated risk scores based on their behavior and entitlement profile. This lets you prioritize which permissions to investigate first, rather than manually working through every overprivileged account. See Risk and sensitivity indicators for setup and usage.
Step 2: Investigate and revoke overprivileged access
The permissions table gives you a filterable, sortable, exportable view of every permission in your environment, with the ability to revoke individual or bulk permissions directly. Filtering for permissions that never expire surfaces your standing access candidates: accounts that are permanently privileged, not because they still need to be, but because the access was never cleaned up.
- From the Permissions screen, select the table view toggle to switch from the graph to the table.
- Apply the Expiration: Never filter to surface all permissions with no end date. These are standing access grants, the highest-priority targets for review and potential revocation.
- Apply the Permission type: External filter to find permissions granted directly in the source application, outside of Entitle's JIT request or birthright policy processes. External permissions represent ungoverned access that Entitle discovered but did not grant.
- Use the Integration and Role filters together to focus on your most sensitive environments. For example, focus on all Admin-level permissions in AWS, or all Write permissions in your production Snowflake instance.
- Sort by Created ascending to surface the oldest permissions first. Long-lived permissions with no expiration and an old creation date are strong indicators of access that was granted for a specific need and never cleaned up.
- Select Download as CSV to export the filtered view for offline analysis, audit documentation, or stakeholder review.
- To revoke an individual permission, select Revoke in the relevant row. Review the confirmation screen. It shows if revoking this permission also affects other users who share the same account.
- To revoke permissions in bulk, select the checkboxes for the target rows and select Revoke selected. Step through the confirmation screens, which flag any additional affected permissions, any birthright policy grants (temporarily revoked until the next sync), and any permissions that cannot be revoked automatically.
- For permissions that cannot be revoked through Entitle — indirect permissions or permissions on unmanaged accounts — note the relevant integration and address the access directly in the source system.
Step 3: Manage JIT access requests
JIT access is the operational engine of zero standing privilege. Instead of holding permanent permissions to sensitive resources, users request access when they need it, an approver confirms it's appropriate, and access is automatically revoked when the time limit expires. The requests history and audit log let you confirm the process is working: that access is being provisioned correctly, expiring as expected, and being approved by the right people.
- From the top left menu, select Requests history. This shows all access requests processed through Entitle, including status, requester, resource, role, duration, approver, and expiration.
- Apply filters to focus on the requests most relevant to your review: by integration, requester, status, or date range.
- For any active JIT grant, verify that the expiration date aligns with the duration defined in the relevant approval workflow. A permission showing Never as an expiration that originated from a JIT request may indicate a misconfigured workflow duration. Investigate and correct the workflow if needed.
- For approved requests, confirm that the approver matches the approver type defined in the workflow. A request approved outside the expected approver chain may indicate a workflow configuration issue.
- For active requests that appear to no longer be needed, navigate to the Permissions table, locate the permission, and revoke it manually.
- From the top left menu, select Audit logs to review a full chronological record of all actions taken in Entitle: permission grants, revocations, workflow changes, policy updates, and external permission change notifications. Use the audit log to investigate specific events, support compliance reviews, or troubleshoot unexpected permission states.
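The two checks above, expiration against the workflow's duration and approver against the workflow's approver type, are easy to run across a whole requests history rather than request by request. The Python below is an added illustration, not Entitle code: the workflow definitions, reporting lines and request records are constructed, and the field names are an assumption to be mapped onto the columns of your own Requests history view or export. It reports each active grant that drifts from its workflow, including the Never-expiring JIT grant and an ungoverned role with no workflow at all:

```python
"""Drift checks over JIT request history.

Added illustration, not Entitle code. The workflow definitions, the
reporting lines and every request record below are constructed; the field
names are an assumption, map them to the columns of your own Requests
history export.
"""
from datetime import datetime, timedelta, timezone

# Constructed approval workflows per (integration, role): the longest grant
# the workflow should produce and the approver type it expects.
WORKFLOWS = {
    ("aws-prod", "AdministratorAccess"): {"max_hours": 4, "approver": "resource_owner"},
    ("snowflake", "Write"): {"max_hours": 24, "approver": "manager"},
}
MANAGERS = {"alice": "mia", "bob": "mia", "carol": "noah"}      # constructed IdP data
RESOURCE_OWNERS = {"aws-prod": {"olivia"}, "snowflake": {"noah"}}

# Constructed request records as they might appear in Requests history.
REQUESTS = [
    {"id": "r1", "requester": "alice", "integration": "aws-prod", "role": "AdministratorAccess",
     "status": "Active", "approver": "olivia",
     "granted": "2024-05-01T09:00:00Z", "expiration": "2024-05-01T13:00:00Z"},   # 4 h, fine
    {"id": "r2", "requester": "bob", "integration": "aws-prod", "role": "AdministratorAccess",
     "status": "Active", "approver": "olivia",
     "granted": "2024-05-01T09:00:00Z", "expiration": None},                      # shows as Never
    {"id": "r3", "requester": "carol", "integration": "snowflake", "role": "Write",
     "status": "Active", "approver": "mia",                                         # not carol's manager
     "granted": "2024-05-01T09:00:00Z", "expiration": "2024-05-02T09:00:00Z"},
    {"id": "r4", "requester": "alice", "integration": "snowflake", "role": "Write",
     "status": "Active", "approver": "mia",
     "granted": "2024-05-01T09:00:00Z", "expiration": "2024-05-03T09:00:00Z"},   # 48 h on a 24 h workflow
    {"id": "r5", "requester": "bob", "integration": "github", "role": "Admin",
     "status": "Active", "approver": "mia",
     "granted": "2024-05-01T09:00:00Z", "expiration": "2024-05-01T10:00:00Z"},   # no workflow defined
    {"id": "r6", "requester": "bob", "integration": "snowflake", "role": "Write",
     "status": "Denied", "approver": "mia", "granted": None, "expiration": None},  # not a grant
]


def parse_ts(value):
    """ISO-8601 with a trailing Z -> aware UTC datetime (None stays None)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_requests(requests=REQUESTS, workflows=WORKFLOWS,
                   managers=MANAGERS, owners=RESOURCE_OWNERS):
    """Return {request_id: [findings]} for active or approved grants that
    deviate from their workflow; requests with no findings are omitted."""
    findings = {}
    for req in requests:
        if req["status"] not in ("Active", "Approved"):
            continue
        issues = []
        wf = workflows.get((req["integration"], req["role"]))
        if wf is None:
            issues.append("no_workflow")          # role is being granted without governance
        else:
            granted, expiration = parse_ts(req["granted"]), parse_ts(req["expiration"])
            if expiration is None:
                issues.append("no_expiration")    # a JIT grant showing Never
            elif expiration - granted > timedelta(hours=wf["max_hours"]):
                issues.append("duration_exceeds_workflow")
            if wf["approver"] == "manager":
                allowed = {managers.get(req["requester"])}
            else:
                allowed = owners.get(req["integration"], set())
            if req["approver"] not in allowed:
                issues.append("unexpected_approver")
        if issues:
            findings[req["id"]] = issues
    return findings


if __name__ == "__main__":
    for request_id, issues in audit_requests().items():
        print(request_id, ", ".join(issues))
```

A no_expiration or duration_exceeds_workflow finding points at the workflow's duration setting; unexpected_approver points at the workflow's approver type or at stale manager and owner data in the IdP, which is worth checking before assuming a process failure.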
Step 4: Govern cloud entitlements with CIEM
Cloud platforms like AWS, GCP, and Azure are where entitlement sprawl is most severe. Permissions are granted quickly during development, often at broad scope, and almost never cleaned up. CIEM brings cloud access under the same governance framework as the rest of your identity estate, giving you visibility into cloud entitlements, the ability to enforce least privilege, and JIT access controls so that even cloud admin roles aren't held permanently.
Entitle's CIEM capabilities work through its cloud integrations. Connecting AWS, GCP, Azure, or other cloud platforms to Entitle brings their entitlements into the permissions graph and table, making cloud access visible and actionable alongside SaaS and on-premises permissions.
- From the top left menu, select Integrations, resources, roles. Verify that your cloud platforms are connected. If a cloud integration is missing, select Add integration and follow the setup steps for the relevant platform.
- Once cloud integrations are connected and synced, return to the Permissions screen and apply the Integration filter to scope the view to a single cloud platform. Review the permission landscape for overprivileged accounts, Admin-level roles held permanently, and external permissions granted directly in the cloud console.
- Apply the Expiration: Never filter scoped to your cloud integrations. These are your standing cloud entitlements: candidates for JIT replacement.
- For high-sensitivity cloud roles (for example, AWS AdministratorAccess, GCP roles/owner, or Azure Owner), verify that these roles are governed by an approval workflow with an appropriate maximum duration. Navigate to Integrations, resources, roles, select the relevant cloud integration, and confirm that high-privilege roles are marked as requestable and assigned to a workflow, not granted as standing access.
- For cloud permissions currently held as standing access that should be converted to JIT, work with the relevant cloud platform owners to revoke the standing grants, ensure the role is requestable in Entitle, and direct users to the JIT request process for future access.
- Use the Permissions table's Permission type: External filter scoped to cloud integrations to identify permissions granted directly in the cloud console outside of Entitle. These are the highest-priority remediation targets: ungoverned access that Entitle has discovered but does not control.
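Step 2 and this step apply the same three filters (Expiration: Never, Permission type: External, Integration and Role) and the same Created sort, first across all integrations and then scoped to the cloud platforms. The Python below is an added illustration, not Entitle code, of running that triage offline over the Download as CSV export so the candidates from every integration can be ranked in one list. The column headers and every row of the sample export are constructed; rename the keys in the functions to match the headers of your own export. It ranks standing and external grants, boosts the high-privilege cloud roles named above, breaks ties by age, and also surfaces JIT grants that have no expiration:

```python
"""Triage a permissions export for standing and ungoverned access.

Added illustration, not Entitle code. The column names and every row of
SAMPLE_EXPORT are constructed; adjust the keys used below to the headers of
your own Download as CSV output.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_EXPORT = """user,integration,resource,role,permission_type,created,expiration
alice,AWS,prod-account,AdministratorAccess,External,2021-03-02,Never
bob,AWS,prod-account,AdministratorAccess,JIT,2024-05-01,2024-05-01T17:00:00Z
carol,GCP,prod-project,roles/owner,Birthright,2022-11-15,Never
dave,GitHub,org,Member,External,2020-01-10,Never
erin,Azure,prod-subscription,Owner,External,2024-04-30,Never
frank,Snowflake,prod,Write,JIT,2024-05-01,Never
"""

# Roles treated as high-privilege per integration (the examples Step 4 names).
HIGH_PRIVILEGE = {
    "AWS": {"AdministratorAccess"},
    "GCP": {"roles/owner"},
    "Azure": {"Owner"},
}
# Weight of each reason in the priority score; tune to your own risk model.
WEIGHTS = {"standing": 2, "external": 2, "high-privilege": 3, "jit-without-expiry": 3}
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed review date


def parse_export(text):
    """Rows of the CSV export as dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_standing(row):
    """Expiration: Never (or blank) means a standing grant."""
    return row["expiration"].strip().lower() in ("never", "")


def age_days(row, as_of=AS_OF):
    """Days since the permission was created, the Created-ascending sort."""
    created = datetime.strptime(row["created"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (as_of - created).days


def triage(rows, as_of=AS_OF, high_privilege=HIGH_PRIVILEGE):
    """Standing or External permissions, highest score first, oldest first on ties."""
    candidates = []
    for row in rows:
        reasons = []
        if is_standing(row):
            reasons.append("standing")
        if row["permission_type"] == "External":
            reasons.append("external")
        if not reasons:
            continue                     # governed and expiring: JIT is doing its job
        if row["role"] in high_privilege.get(row["integration"], set()):
            reasons.append("high-privilege")
        if row["permission_type"] == "JIT" and is_standing(row):
            reasons.append("jit-without-expiry")   # a workflow duration to investigate
        candidates.append({
            "user": row["user"], "integration": row["integration"],
            "resource": row["resource"], "role": row["role"],
            "reasons": reasons,
            "score": sum(WEIGHTS[r] for r in reasons),
            "age_days": age_days(row, as_of),
        })
    candidates.sort(key=lambda c: (-c["score"], -c["age_days"]))
    return candidates


if __name__ == "__main__":
    for c in triage(parse_export(SAMPLE_EXPORT)):
        print(f"{c['score']:2} {c['age_days']:5}d {c['user']:6} {c['integration']:9} "
              f"{c['role']:20} {', '.join(c['reasons'])}")
```

On the sample data the two external, never-expiring admin grants in AWS and Azure land at the top, the GCP owner granted by birthright and the Snowflake JIT grant that never expires follow, and the AWS administrator held through a JIT grant with an expiration is not listed at all, which is the state you are working towards.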
Step 5: Run structured access reviews
JIT access and real-time revocation handle the day-to-day. Access reviews handle the accumulated past. A formal User Access Review (UAR) campaign assigns reviewers — managers and application owners — to certify whether the permissions their team members and resources currently hold are still appropriate. Permissions that reviewers deny are revoked, and the completed campaign is retained as an auditable record of your access governance posture for compliance frameworks including ISO 27001 and GDPR.
Access reviews in Entitle are template-driven. You create a template that defines the scope, the reviewers, and the revocation behavior. Each campaign is then created from a template, activated, and tracked to completion.
- From the top left menu, select Access review. The Overview screen displays all active and previous review campaigns.
- Select Manage templates to view available templates. If no template exists for the scope you need, select New template.
- When creating or editing a template, configure the following:
- Reviewers: Select whether managers, resource owners, or both will act as reporters for this campaign.
- Integrations: Select the integrations to include. Use All integrations for a broad review, or scope to specific platforms for a targeted campaign.
- Exclude/include groups: Define which IdP user groups are in scope. The default includes all users.
- Include unclaimed entitlements: Enable this to include permissions on accounts not yet connected to any user in Entitle. These often represent legacy or orphaned access.
- Immediate revoke: When enabled, permissions are revoked as soon as a reviewer selects Deny, rather than waiting for the campaign to complete.
- Select Save, then return to the Overview screen.
- Select New access review, choose the appropriate template, give the campaign a meaningful name, and select Create access review. The campaign is created in Pending status.
- Review the campaign summary — confirm the number of entitlements in scope and the assigned reporters look correct — then select Activate to start the campaign. All reporters are notified that a review is active.
- Monitor campaign progress from the Overview screen. Use the Reports tab to track reviewer completion status (Pending, In Progress, Done). Use the Entitlements tab to track the status of individual permissions being reviewed (Pending, Approved, Denied, Flagged).
- When all reviews are complete, or when the allocated review window has closed, select Done to finalize the campaign. This action is irreversible. The completed campaign is retained in the Overview screen for audit purposes.
- Select Export to download campaign results for compliance reporting or governance evidence.
Verify the results
Verify that standing access has been reduced: the Permissions table filtered by Expiration: Never should show fewer results than before you began. Confirm that active JIT grants have expiration dates set, that high-privilege cloud roles are requestable through Entitle rather than held as standing access, and that your most recent UAR campaign shows a completed status with no entitlements in Pending or Flagged state.