Documentation

Integrations, resources, roles | Entitle Pathfinder

Suggest Edits

Overview

The Integrations screen in Entitle is a central hub for managing all applications and services connected to your Entitle tenant. It offers a clear overview of your linked integrations and allows you to perform various related actions.

The Integrations screen has several key functionalities:

This page provides you with step-by-step instructions on how to use the Integrations screen in Entitle.

The Integrations page

  1. Sign in to app.beyondtrust.io with your credentials. The BeyondTrust Pathfinder Home displays.
  2. At the top right of the page, select your site from the drop-down.
  3. Select the Entitle tile from your list of available applications.
  4. From the top left menu, select Integrations.

The Integrations page has several main functionalities:

Intergrations screen overview: Number 1 is the integrations table, number two is the manage rules button, number 3 is bulk actions and number 3 is the add integration button
  1. Integrations table: View a list of all the integrations set up for your organization. This list provides key information about each integration, such as:
    • The application icon
    • The integration name
    • The number of resources that the integration has retrieved
    • The integration owner
    • The integration's default approval workflow
  1. Manage rules: Define a rule that assigns attributes to integrations matching certain criteria, applying to new resources and optionally to existing ones.

    ℹ️

    For more information, see Rules.

  2. Bulk actions: Select multiple existing integrations, resources, or roles to update their attributes at once.

    ℹ️

    For more information, see Filtering and bulk actions.

  3. Add integration: Set up a new integration in Entitle.

View and manage

Integrations

  1. On the Integrations page, click on a specific integration to be taken to its page.

    Screenshot highlighting a specific integration to click on

  2. On this page, you can perform the following actions:

    Screenshot of the specific integration's details
    1. View the integration's attributes:
      • Icon (editable)
      • Name (editable)
      • Application
      • Owner
      • Last synced date and time
    2. Manually synchronize the integration's data.
    3. Create new rules.

      ℹ️

      For more information, see Rules.

    4. View and edit the integration's settings:
      • Owner
      • Readonly
      • Allow changing account permissions
      • Allow creating accounts
      • Allow users to edit accounts
      • Requestable
      • Requestable by default
      • Update all existing resources "Allows requests" option as well (visible only if Requestable by default is not checked)
      • Auto assign recommended resource owners and maintainers
      • Notify about external permission changes
      • Override allowed durations
      • Set up new connection
      • Restore the default logo
      • Delete the integration

        ℹ️

        For more information about these settings, see Set up a new integration.

    5. View and change the integration's approval workflow.
    6. View and manage the integration's resources and roles.

      ℹ️

      For more information, see resources and roles.

    7. View and add maintainers for the integration.
    8. View the integration’s audit logs.
    9. View and add prerequisite permissions for the integration.

Resources

  1. On the Integrations page, click on a specific integration to be taken to its page.

    Screenshot highlighting a specific integration to click on

  2. Expand the Resources section to view the existing resources within the integration and additional information about each of them.

    Screenshot of the specific integration's details, indicating how to expand the Resources section

  3. Under the Resource column, click on a specific resource you would like to view or manage.

    Screenshot of resources section expanded

    1. On the resource management page, you can perform the following actions:

      Screenshot of the specific resource's screen

      1. View and edit the resource’s settings:

        • Owner
        • Name
        • Description
        • Tags
        • Requestable
        • Multirole
        • Override allowed durations

      2. View and change the resource's approval workflow.

      3. View and manage the integration's roles.

        ℹ️

        For more information, see roles.

      4. View how this resource’s roles automatically give or are given access from other resources or roles.

        A list of roles that belong to the specific resource that will be given access automatically

      5. View and add maintainers for the resource.

      6. View and add prerequisite permissions for the resource.

      7. View the total number of permissions granted to different users.

Roles

  1. On the Integrations page, click on a specific integration to be taken to its page.

    Screenshot highlighting a specific integration to click on

  2. Expand the Resources section to view the existing resources within the integration. Select a specific resource from the list.

    Screenshot of the specific integration's details, indicating how to expand the Resources section

  3. Expand the Roles section to view the existing roles within the integration’s resource.

    Screenshot of the specific integration's resource management screen and how to expand the Roles section

  4. Under the Role column, select the specific role that you would like to manage.

    Example of clicking on a specific role

  5. On the role management screen, you can perform the following actions:

    Screenshot of role management screen

    1. View and edit the role’s settings:

      • Requestable
      • Override allowed durations

    2. View and change the approval workflow.

    3. View how this resource’s roles are automatically given access from other resources or roles.

      Screenshot of a list of roles that belong to the specific resource that will be given access automatically

    4. View and add prerequisite permissions for the role.

Set prerequisite permissions

  • Prerequisite permissions ensure users have the required access before granting dependent permissions. For example, if database access requires VPN access, the VPN role is set as a prerequisite. Entitle ensures the user has (or will get) VPN access before granting database access.

  • If a user requests a permission and Entitle adds its prerequisites at the same time, those prerequisites expire when the requested permission expires. Permissions granted through bundles or birthright policies also receive their required prerequisites.

  • To add a prerequisite permission, click + Add. Select the integration, resource, and role, then Save permission.

Set up a new integration

ℹ️

Setting up a new integration triggers the following process:

  1. Entitle attempts to integrate based on the provided configuration (details below).
  2. Entitle then automatically discovers and "scrapes" existing and changing resources, roles, accounts, and permissions into its database.
  3. Auto-discovery continues hourly for resources and accounts (or via manual command) as long as the integration remains connected to Entitle. Permission synchronization for changes occurring outside of Entitle happens daily.
  4. Entitle manages permissions for the integration and applies all its functions – including visibility, Just-in-Time (JIT) access, User Access Reviews (UAR), birthright permissions, session audit, and even future functions – unless otherwise specified.
  1. On the Integrations page, click the Add integration button in the top-right corner.

  1. Provide the following information:

    Screenshot of Add integration screen and the details that need to be filled in
    • Application: Select a supported application with which to create an integration. Once selected, a link to the integration's documentation appears to the right.
    • Name: The integration's display name.
    • Owner: Choose who should administer the integration and handle its approval workflows.
    • Default approval workflow: The workflow automatically assigned to entitlements in this integration. You can overwrite it at the resource or role level.
    • Checkboxes
      • Read-only: In read-only mode, user requests are not automatically granted. Instead, a ticket is opened for manual review and resolution.
      • Allow changing account permissions: When selected, Entitle can automatically grant or revoke permissions on this account. When deselected, Entitle can track but not modify permissions.
      • Allow creating accounts: When selected, a temporary account is created for each access request and is deleted once the request is revoked or times out.
        When deselected, the user must provide a permanent account for the request. Permissions are granted when the request is approved and removed when it is revoked or times out.
      • Allow users to edit accounts: When selected, users can edit their accounts for this integration. When deselected, their integration accounts are read-only.

        ℹ️

        • Account-mapping actions (such as mapping or removing an account from a user) may take up to 5 minutes to be reflected in the integration.
        • For more information, see Manage integration accounts.
      • Requestable: When selected, users can create entitlement requests for resources in this integration. When deselected, this integration is not available in the New request form.
      • Requestable by default: When selected, newly added resources in this integration are requestable by default. When deselected, new resources are not requestable by default.

        ℹ️

        Admins can override this setting for selected resources.

      • Auto-assign recommended resource owners: During a sync, Entitle can recommend who should own each resource. When selected, Entitle replaces existing resource owners with the recommended users. When deselected, current owners remain unchanged.
      • Auto-assign recommended resource maintainers: During a sync, Entitle can recommend who should maintain each resource. When selected, Entitle replaces existing maintainers with the recommended users. When deselected, current maintainers remain unchanged.
      • Notify about external permission changes: When selected, if an account in this integration is granted roles outside of Entitle's JIT access request flow or birthright policy (for example, by an admin manually granting permissions in the third-party integration or by an automated script), an audit log is created and streamed. A notification is then sent to Entitle administrators and the integration owner through instant messaging (Slack or Teams bots).
      • Override allowed durations: When selected, you can set custom duration options for this integration. When deselected, users creating requests see the duration options defined by the linked workflow. Bundles containing this integration are not affected.
    • Save on: Choose whether you would like this integration to be saved on your own hosted agent or in Entitle’s cloud.
    • Connection: View an example JSON configuration for the Application you selected above.

  2. Once you have finished configuring the integration, click Save.

Test your integration

ℹ️

The integration setup time varies based on the volume of permissions in the third-party integration.

  1. In Entitle, navigate to the Integrations screen.
  2. Locate the integration you want to test.
  3. Click the integration name to view more details.
  4. Verify the integration has successfully synced by:
    1. The integration's last sync: When this information displays, all resources, roles, and entitlements have been synced into Entitle. This can take up to 30 minutes.
    2. The resources' last sync: When this information displays, all resources have been synced into Entitle. This can take up to 15 minutes.
    3. The integration audit logs: These logs display any issues that occurred during the integration setup. If a problem occurs, an error log displays, and an instant message alert is sent to the integration owner.
  5. Once the integration setup is complete, you are redirected to the Integrations screen. There, you will see the newly created integration.

Updated 4 days ago