Permissions
Overview
The Permissions screen in Entitle is where customers can map out users’ behaviors using the Permissions graph, as well as view and manage their organization’s permissions using the table view. It provides a unified view of users based on permissions granted to different application integrations.
The permissions screen has several main functionalities:
- View permissions using the graph view (default): The permissions graph lets Entitle’s customers verify that their users have just enough access to different integrations, and visually identify overprivileged or unknown identities, unwanted permission chains, or toxic combinations of permissions.
- View and manage your organization’s permissions using the table view.
Contact your BeyondTrust sales representative to confirm that Entitle has enabled the feature flag for your organization.
Permissions graph and table sync mechanism
- Any logical filter applied in the table will be reflected in the graph:
  - Filters using "is" logic in the permissions table will display in the graph view.
  - Filters using "is not" logic or empty users cannot be displayed in the graph.
- Any filter applied in the graph view is reflected in the table view, except for the risk and sensitivity indicators.
Definitions of key concepts
- User: The entity that can receive, hold, and be stripped of permissions.
- Account: The identity through which a user accesses systems and resources, and to which permissions are assigned.
- Integration: A specific instance or integration with an application. It includes the configuration needed to connect Entitle, including credentials and all the users’ permissions information.
- Resource type: Varies depending on the integration chosen.
- Resource: An entity within an integration to which a user can gain access via permission, e.g. group of users.
- Role: A level of access to which a user is entitled to a resource, e.g., Read, Admin.
- Permission path:
  - Direct access: The user has direct (JIT - Just-In-Time) permission to the resource.
  - Indirect access: The selected roles are granted to the employees based on a different role granted to the employee.
- Permission type:
  - External: Permission granted to an account pre-Entitle (externally).
  - JIT request: Permission granted through Entitle’s access request process.
  - Birthright policy: A policy that grants permissions to users who are part of it.
    Note: Even if a policy is defined for a single user, other users who share the same account are also granted the permission(s).
- Created: Shows the permission’s creation date.
- Expiration: Shows the permission’s expiration date.
How to use the Permissions Graph
Log in to Entitle and navigate to the Permissions screen.

- Filters menu:
  - Users - The entities that can receive, hold, and be stripped of permissions.
  - Integration - A specific instance or integration with an application. It includes the configuration needed to connect Entitle, including credentials and all the users’ permissions information.
  - Resource type - Varies depending on the integration chosen.
  - Resource - An entity within an Integration to which a user can gain access via permission, e.g. group of users.
  - Role - A level of access to which a User is entitled to a resource, e.g., Read, Admin.
  - Note: You must select a resource before selecting a role.
Each of the abovementioned filters is a multi-select option, and any combination of selections can be made at any time.
- Graph key: Presents the total number of users, accounts, integrations, resources, and roles found according to the selected filters, as well as their permission path (direct, indirect/both).
- Permissions graph functionalities: From left to right: Return to center, zoom out, zoom in.
The Permissions table
Reminder
Contact your BeyondTrust sales representative to confirm that Entitle has enabled the feature flag for your organization.

This view has multiple functionalities for admins:
- View permissions in a table format, according to the following parameters:
  - User
  - Account
  - Integration
  - Resource type
  - Resource
  - Permission path
  - Permission type
  - Created
  - Expiration
  Note: Both the Created and Expiration columns may update dynamically, as they consider all factors that granted the permission and calculate the dates accordingly.
- Search accounts, resource names, and role names.
- Download as CSV: You can download specific rows if selected; otherwise, the entire table will be downloaded.
- Sort and filter permissions according to the table’s components.
- Revoke access to selected permissions.
Revoke permissions
There are two ways to revoke access to selected permissions using the permissions table.
Single-permission revocation
Using the Revoke button in a specific permission row allows you to directly revoke that individual permission. In addition to the Revoke button, the column includes several other indicators:
- “i” tooltip: Indicates that indirect permissions cannot be revoked.
- “!” tooltip: Indicates that revoking a permission granted via a birthright policy is a temporary action. Permissions will be reassigned during the next sync.
- An empty field indicates that the specific permission is associated with an unmanaged account and therefore cannot be revoked.
Bulk revocation
The Revoke selected button allows you to revoke permissions in bulk, i.e., revoke at least one selected and eligible permission, or the entire table.
Notes
- Eligible permissions are any permissions that are not indirect or unmanaged.
- If no rows are selected, this functionality is disabled.
During the Revoke selected process, you may encounter the following screens, designed to help you review and confirm the impact of revoking selected permissions:
- Additional permissions will be revoked
  Presents the selected permissions and the additional permissions that will be revoked due to shared accounts of a common permission type (Birthright policies, JIT requests, etc.).
  Revoking a permission from a shared account impacts all users who share that account.
- Temporarily revoke birthright permissions
  This screen appears when the selected permissions for revocation were originally granted by a birthright policy, indicating the action is temporary.
- Permissions cannot be revoked
  This screen lists permissions that cannot be revoked automatically. These permissions are either indirect or unmanaged.
- Revoke permissions?
  This screen is your final opportunity to review and confirm the permissions selected for revocation. Click Revoke permissions to complete the action.
Across all revocation screens, you can perform the following actions:
- Remove from revoke: Click this next to a user’s entry to exclude a permission from being revoked.
- Remove all: Removes all permissions listed in the current table from the revocation process.
- Next: Continue to the next step in the revocation process.
- Cancel revoke: Exit the workflow without making any changes.
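The review screens described above can be rehearsed offline before a bulk revoke. The following is an added example, not Entitle's code or API: it sorts a selection into the same four buckets. It assumes rows keyed by the table's columns, a hypothetical `managed` flag marking unmanaged accounts, and that rows sharing integration, account, resource, and permission type represent one shared-account grant.

```python
from collections import defaultdict

# Constructed sample rows. Keys mirror the table's columns; "id" and "managed"
# are hypothetical fields added for this example.
ROWS = [
    {"id": 1, "user": "alice", "account": "svc-deploy", "integration": "AWS Prod",
     "resource": "s3-logs", "path": "Direct", "type": "JIT request", "managed": True},
    {"id": 2, "user": "bob", "account": "svc-deploy", "integration": "AWS Prod",
     "resource": "s3-logs", "path": "Direct", "type": "JIT request", "managed": True},
    {"id": 3, "user": "carol", "account": "carol@corp", "integration": "GitHub",
     "resource": "platform-team", "path": "Direct", "type": "Birthright policy", "managed": True},
    {"id": 4, "user": "dave", "account": "dave@corp", "integration": "GitHub",
     "resource": "infra-repo", "path": "Indirect", "type": "External", "managed": True},
    {"id": 5, "user": "erin", "account": "legacy-admin", "integration": "AWS Prod",
     "resource": "iam-admins", "path": "Direct", "type": "External", "managed": False},
]

def grant_key(row):
    # Assumption: these four fields identify one grant on a (possibly shared) account.
    return (row["integration"], row["account"], row["resource"], row["type"])

def preview_revocation(rows, selected_ids):
    """Sort a selection into the buckets the revocation review screens describe."""
    by_grant = defaultdict(list)
    for r in rows:
        by_grant[grant_key(r)].append(r)
    out = {"revoke": [], "additional": [], "temporary": [], "blocked": []}
    for r in rows:
        if r["id"] not in selected_ids:
            continue
        if r["path"] == "Indirect" or not r["managed"]:
            out["blocked"].append(r["id"])      # indirect or unmanaged: not eligible
            continue
        out["revoke"].append(r["id"])
        if r["type"] == "Birthright policy":
            out["temporary"].append(r["id"])    # reassigned during the next sync
        for peer in by_grant[grant_key(r)]:     # other users sharing the account
            if (peer["id"] not in selected_ids and peer["path"] != "Indirect"
                    and peer["id"] not in out["additional"]):
                out["additional"].append(peer["id"])
    return out

if __name__ == "__main__":
    for bucket, ids in preview_revocation(ROWS, {1, 3, 4, 5}).items():
        print(f"{bucket:10} {ids}")
```

The `additional` bucket is the one to read closely: it lists users who were not selected but lose access because they share the account.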