Birthright policies | Entitle Pathfinder

Overview

Entitle birthright policies are sets of rules that automatically manage employees’ birthright permissions, allowing a group of employees to be entitled to a set of birthright permissions.

When an employee joins the group, e.g., upon joining the organization, they are automatically granted the permissions defined for the group. When they are removed from the group, e.g., upon leaving the organization, those permissions are automatically removed.

This page will provide you with step-by-step instructions on how to use Policies in Entitle.

View and manage Policies

  1. Sign in to app.beyondtrust.io with your credentials. The BeyondTrust Pathfinder Home displays.
  2. At the top right of the page, select your site from the drop-down.
  3. Select the Entitle tile from your list of available applications.
  4. From the top left menu, select Birthright policies.

Birthright policies screen overview

  1. Birthright policies table: This table presents all existing birthright policies within the tenant. The columns from left to right are:
    1. Group: Displays the groups to which the policies grant access.
    2. Role: Displays the roles to which the policies grant access.
    3. Bundle: Displays the bundles to which the policies grant access.
  2. Add policy: Create a new policy. For details, see Set up Entitle policies in this guide.
  3. Search: Find policies based on:
    • Group
    • Integration
    • Resource
    • Role
    • Bundle
  4. Filter: Filter your table view by:
    • IdP group
    • On call
    • Integration
    • Resource
    • Role
    • Policy ID
    • Bundle
  5. Prioritize policies: Permissions for conflicting roles are given based on the priority of the policy. To modify the priority, drag the chosen policy using the grip icon. The higher a policy is in the table, the higher its priority.
  6. Edit/Delete policies: Click the vertical ellipses at the right to access the Edit and Delete options.
    1. Edit: Click the pencil icon. Make your changes, and when you are done, click Save.
    2. Delete: Click the trash icon, and in the pop-up screen click Delete policy. This action will remove the permissions that the specific users within the selected groups had through this policy.
      ℹ️ When deleting a policy, it is recommended to first remove the roles/bundles from the policy, and then delete it.

ℹ️ Hovering over the different components within the policies table will provide you with further information on the groups, bundles, and roles.

Set up birthright policies

  1. Go to the Birthright policies screen and click the Add Policy button in the top-right corner.

  2. From the fly-out panel, choose details for your new policy.

    [Screenshot: Birthright policy form showing group selection and role assignment across integrations, resources, and roles panels.]
    1. Groups and schedules: Select the groups and/or schedules that trigger the policy. You can choose multiple entries.

      ℹ️ Available groups include identity provider groups and on-call groups configured in the Integrations tab of the Org settings page.

    2. Roles: Select the roles to assign when the policy conditions are met.

      • Manage roles tab:

        1. First, select an integration.
        2. Then, select a resource.
        3. Finally, select one or more roles.
          The selected roles define the access that is automatically granted to users who match the policy.
      • View selected roles tab:

        [Screenshot: Birthright policy form showing selected roles list across integrations with options to manage, view, search, and sort roles.]
        1. Click View selected roles to review all selected roles in a consolidated list.
          In this view, each selected role is displayed with its associated integration and resource, allowing you to verify the full access path before creating the policy.
        2. Search for roles based on role name.
        3. Sort roles by:
          • Integration
          • Resources
          • Role
        4. To remove a role, click the X next to the role in the selected roles list.
          ℹ️ If no roles are available, verify the integration and role configuration.

          Roles may not appear if:

          • The integration has been removed
          • The role is part of a virtual application that cannot assign permissions due to its configuration

          For example, roles will not be available if:

          • can_update_permissions is set to false
          • can_create_actors is set to true

          In these cases, the roles cannot be requested or assigned through a policy and are therefore not displayed.

    3. Bundles: Optionally, add bundles to grant grouped access. Bundles allow you to assign a predefined set of roles and may include approval workflows.

      1. Click Add bundle, then search for and select a bundle from the list.
      2. Each selected bundle displays its associated approval workflow and the number of roles it contains.
      3. Sort selected bundles by:
        • Name
        • Description
        • Number of roles
        • Approval workflow
        • Creation
      4. Search selected bundles based on:
        • Name
        • Description
        • Approval workflow
        • Resource name
        • Role
      5. To go to the bundle in a new tab, click the Open in new tab icon. To remove a bundle, click the X next to the bundle.
  3. Click Create birthright policy. The new policy appears in the table.

Changes in Policies

Every change made in the system is recorded in the Audit logs screen. This includes changes to policies, e.g., changes to a policy’s content through creating, editing, or deleting policies, as well as changes to the policy’s permissions.

Triggers for Policies

The policies are applied once a day; however, any of the following changes will be applied immediately: creating, editing, or deleting policies, reordering the policies, changes in the on-call groups, and changes in the IdP groups.

Troubleshooting

Birthright policy sync issue

A birthright policy automatically assigns roles to users who belong to a specified group. In some cases, a user is in the correct group but does not get the specified role. To resolve this issue, follow the steps below:

Identify the issue

  1. Navigate to the Audit logs screen in Entitle.

  2. Download the logs as a CSV file.

  3. Search for the user’s ID, which is available on the user’s profile page. For example:

  4. Look for the following action in the CSV file: OrganizationPolicyPermissionsUpdatesMissingAccounts.
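
The search in steps 3 and 4 can be scripted. The following is an added example, not part of the Entitle documentation: the column names, user IDs, and rows in the sample are constructed, and because the layout of the exported CSV is not described on this page, the function searches every cell instead of relying on named columns.

```python
import csv
import io
import re

# Action name taken from the troubleshooting steps on this page.
MISSING_ACCOUNTS_ACTION = "OrganizationPolicyPermissionsUpdatesMissingAccounts"

# Constructed sample export: headers, IDs, and the other action name are
# placeholders, not the real Entitle audit log schema.
SAMPLE_CSV = """timestamp,action,details
2025-01-10T08:00:00Z,SomeOtherAction,"user_id=u-1111;integration=example-app"
2025-01-10T08:00:05Z,OrganizationPolicyPermissionsUpdatesMissingAccounts,"user_id=u-1111;integration=example-app"
2025-01-10T08:00:06Z,OrganizationPolicyPermissionsUpdatesMissingAccounts,"user_id=u-2222;integration=example-app"
"""


def find_missing_account_events(csv_text, user_id):
    """Return audit rows that mention user_id and carry the missing-accounts action."""
    # Match the ID as a whole token so that "u-1" does not match "u-1111".
    id_pattern = re.compile(r"(?<![\w-])" + re.escape(user_id) + r"(?![\w-])")
    # Strip a UTF-8 byte order mark if the export was saved with one.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    hits = []
    for row in reader:
        # Short rows yield None and long rows yield a list; keep text cells only.
        cells = [c for c in row.values() if isinstance(c, str)]
        has_action = any(c.strip() == MISSING_ACCOUNTS_ACTION for c in cells)
        has_user = any(id_pattern.search(c) for c in cells)
        if has_action and has_user:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for event in find_missing_account_events(SAMPLE_CSV, "u-1111"):
        print(event)
```

A non-empty result for the user means the policy run recorded the missing-accounts action for that user, which is the condition the next section addresses.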

Add the user’s integration account

  1. Navigate to the user’s page in Entitle.

  2. Select Add integration.

  3. Choose the integration used in the Birthright policy.

  4. Select the user’s account.

ℹ️ If the user's associated account is not listed, it may not have synced to Entitle yet:

  1. Confirm the user has an account in the integration application.
  2. In Entitle, open the integration and select Sync. After 10 minutes, recheck the user's page to confirm the account has been added.

Resync the birthright policy

If the user still does not receive the role, proceed with one of two options:

  1. Recreate the birthright policy.
  2. Re-order the birthright policies by dragging them in the Birthright policies screen and changing their hierarchy.
