Documentation

Users | Entitle Pathfinder

Overview

The Users page is where Entitle administrators can view and manage their users' (employees, partners, customers) permissions, accounts, Personal Access Tokens, and JIT access. This page includes the following functionality:

Access the Users screen

  1. Sign in to app.beyondtrust.io with your credentials. The BeyondTrust Pathfinder Home displays.
  2. At the top right of the page, select your site from the drop-down.
  3. Select the Entitle tile from your list of available applications.
  4. From the top left menu, select Users.

Manage your users

Users table

  1. The table presents all your organization’s users within Entitle, the number of associated integration accounts, the number of permissions they have, the number of active personal access tokens, their direct manager, and their Entitle role.

  2. Search for specific users by name or email.

  3. Sort the users table.

    ℹ️

    Users marked with the Deleted icon have been previously removed from the Entitle tenant.

  4. Filter the users table.

  5. JIT access analysis opens a separate view where you can view and export reports showing which users are eligible to request which roles and resources.

  6. Clicking on a specific user will redirect you to the user's details screen, which has several key functionalities:

    1. At the top of the screen, you will see the user’s email, Entitle role, and direct manager.

      ℹ️

      Direct manager information is available only if collecting it is enabled in the IdP or HRIS connection setup.

    2. Integration accounts, Permissions, and Tokens tabs:

      • Integration accounts: Manage the user's accounts associated with various integrations.
      • Permissions: View and manage the user’s permissions in Entitle. For further details, see Manage users' permissions.
      • Tokens: View all Personal Access Tokens (PATs) associated with the user. From this view, admins can review token details and revoke tokens as needed.

Manage users' integration accounts

Inside the Integration accounts tab in the Users screen, you will be able to:

  1. View the integrations that were set up in your tenant and the accounts that have integrated them.
  2. Add account associations to integrations not yet mapped to the user
  3. Add account associations to integrations mapped to the user
  4. Remove account associations from integrations mapped to the user

Add account associations to integrations not yet mapped to the user

  1. To add an integration and account, click Add integration.

  2. Select an integration from the list or start typing to search for one. Integrations already shown in the Integration accounts tab do not appear in the list.

  3. Select an account from the list or start typing to search for one.

  4. Click Add integration.

    Add integration screen

  5. The integration and associated account appear as a new card in the Integration accounts tab.

Add account associations to integrations mapped to the user

  1. In the Integration accounts tab, locate the integration to which you want to add accounts.

  2. Click the + icon on the integration card.

  3. In the Add accounts dialog, select the accounts you want to associate, then click Add accounts.

Add accounts
  1. The associated accounts now appear on the integration card. Repeat this process to add additional accounts as needed.

Remove account associations from integrations mapped to the user

  1. In the Integration accounts tab, click the x icon next to the account you want to remove from the integration.

  2. In the confirmation dialog, click Remove account.

    ℹ️

    If you remove the only account associated with an integration, the integration is also removed.

Remove account

Manage users' permissions

  1. To view an employee's permissions, click anywhere in the user's row on the Users page.

  2. Go to the Permissions tab. This view includes the following functionality:Permissions tab for a user

    1. Permissions table: Displays all permissions assigned to the user, both inside and outside Entitle. The table includes the following columns:

      • Account
      • Integration
      • Resource type
      • Resource
      • Permission path
      • Permission type
      • Created
      • Expiration
        ℹ️

        For definitions of these concepts, see Definitions of key concepts in the Permissions documentation.

    2. Search: Search permissions by:

      • Account
      • Resource name
      • Role name

    3. Sort the permissions table.

    4. Filter the permissions table.

    5. Download as CSV: Download selected rows or, if no rows are selected, the entire table.

    6. Revoke: Revoke selected permissions.

      ℹ️

      For more information, see Revoke permissions in the Permissions documentation.

ℹ️

To view additional details about an integration, resource, or role, hover over the item. Click the item to open its details page.

Manage users' Personal Access Tokens

  1. To view an employee's tokens, click anywhere in the user's row on the Users page.

  2. Go to the Tokens tab. This view includes the following functionality:

    1. Personal access tokens table: Displays all personal access tokens assigned to this user. The table includes the following columns:
      • Token name
      • Created at
      • Expiration
      • Last used
    2. Search: Search tokens by token name.
    3. Sort: Sort tokens by:
      • Name
      • Created at
      • Expiration
      • Last used
    4. Filter: Filter tokens by:
      • Created at
      • Expiration
      • Expiration was set to
      • Expired
      • Last used
      • Token name
    5. Revoke: Revoke the user's personal access token.

View the JIT access analysis report

Admins and compliance users can use JIT request analysis to review just-in-time access eligibility across users, roles, and resources. The report includes every JIT-requestable role available to a user, whether through direct assignment, bundles, or virtual roles. Use this report to view who can request access, not who currently has access or who has requested access in the past.

JIT request analysis table

This view provides the following capabilities for admins:

  1. View a table of users, roles, and resources that shows just-in-time access eligibility among them. The following columns provide details:

    • User
      ℹ️

      The user's name and email appear in the table; only the email address appears in the CSV export.

    • Application
      ℹ️

      This column appears only in the CSV export.

    • Integration
    • Resource
    • Role
    • Direct
    • Bundle
    • Virtual app
      ℹ️

      The Bundle and Virtual app columns appear only if bundles or virtual applications exist in your tenant. These columns may contain multiple values per row.

  2. Filter: Select one or more filters to control which data is displayed. Available filters include:

    • IdP group
    • On call
    • User
    • Integration
    • Integration name
    • Resource
    • Resource name
    • Role name
    • Direct
    • Bundle
    • Virtual app

  3. Download as CSV: Export a CSV file of the eligibility data shown in the table. When no filters are applied, the export includes all eligibility data, which is commonly required for audit purposes. When filters are applied, only the filtered results are exported.

    ℹ️

    If you select specific rows, only those rows are exported. If no rows are selected, the entire table is exported.

    The exported file is named using the following format:
    Entitle_exported_potential_jitroles%DATE_TIME%.csv

    The CSV reflects the table content with minor differences, such as the User column containing only the user's email address and the Application column appearing only in the exported file.

    To ensure an audit trail, each export of a JIT access report is recorded in the audit logs, including the user who performed the export and the time it occurred.

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.