Permissions
Overview
The Permissions screen in Entitle is where customers can map out users’ behaviors using the Permissions graph, as well as view and manage their organization’s permissions using the table view. It provides a unified view of users based on permissions granted to different application integrations.
The permissions screen has several main functionalities:
- View permissions using the graph view (default): The permissions graph allows Entitle’s customers to make sure their users have just enough access to different integrations, and to visually identify overprivileged or unknown identities, unwanted permission chains, or toxic combinations of permissions.
- View and manage your organization’s permissions using the table view.
Contact your BeyondTrust sales representative to confirm that Entitle has enabled the feature flag for your organization.
Permissions graph and table sync mechanism
- Any logical filter applied in the table will be reflected in the graph:
  - Filters using "is" logic in the permissions table will display in the graph view.
  - Filters using "is not" logic or empty users cannot be displayed in the graph.
- Any filter applied in the graph view is reflected in the table view, except for the risk and sensitivity indicators.
Definitions of key concepts
- User: The entity that can receive, hold, and be stripped of permissions.
- Account: The identity through which a user accesses systems and resources, and to which permissions are assigned.
- Integration: A specific instance or integration with an application. It includes the configuration needed to connect Entitle, including credentials and all the users’ permissions information.
- Resource type: Varies depending on the integration chosen.
- Resource: An entity within an integration to which a user can gain access via permission, e.g. group of users.
- Role: A level of access to which a user is entitled to a resource, e.g., Read, Admin.
- Permission path:
  - Direct access: The user has direct (JIT - Just-In-Time) permission to the resource.
  - Indirect access: The selected roles are granted to the employees based on a different role granted to the employee.
- Permission type:
  - External: Permission granted to an account pre-Entitle (externally).
  - JIT request: Permission granted through Entitle’s access request process.
  - Birthright policy: A policy that grants permissions to users who are part of it.
Note
Even if a policy is defined for a single user, other users who share the same account are also granted the permission(s).
- Created: Shows the permission’s creation date.
- Expiration: Shows the permission’s expiration date.
The Permissions graph
- Sign in to app.beyondtrust.io with your credentials. The BeyondTrust Pathfinder Home displays.
- At the top right of the page, select your site from the drop-down.
- Select the Entitle tile from your list of available applications.
- From the top left menu, select Permissions.
You will encounter four main sections:

- Filters menu:
  - Users - The entities that can receive, hold, and be stripped of permissions.
  - Integration - A specific instance or integration with an application. It includes the configuration needed to connect Entitle, including credentials and all the users’ permissions information.
  - Resource type - Varies depending on the integration chosen.
  - Resource - An entity within an Integration to which a user can gain access via permission, e.g. group of users.
  - Role - A level of access to which a User is entitled to a resource, e.g., Read, Admin.
  - Note: You must select a resource before selecting a role.
Each of the abovementioned filters is a multi-select option, and any combination of selections can be made at any time.
- Graph key: Presents the total number of users, accounts, integrations, resources, and roles found according to the selected filters, as well as their permission path (direct, indirect/both).
- Permissions graph functionalities: From left to right: Return to center, zoom out, zoom in.
- Risk and sensitivity indicators (Insights) - only in Entitle on Pathfinder.
If you would like to reverse any actions in the graph, click the arrow icon on the right side of the filter menu.
The Permissions table
Reminder
Contact your BeyondTrust sales representative to confirm that Entitle has enabled the feature flag for your organization.

This view has multiple functionalities for admins:
- View permissions in a table format, according to the following parameters:
  - User
  - Account
  - Integration
  - Resource type
  - Resource
  - Permission path
  - Permission type
  - Created
  - Expiration
Note
Both the Created and Expiration columns may update dynamically, as they consider all factors that granted the permission and calculate the dates accordingly.
- Search accounts, resource names, and role names.
- Download as CSV: You can download specific rows if selected; otherwise, the entire table will be downloaded.
- Sort and filter permissions according to the table’s components.
- Revoke access to selected permissions.
Revoke permissions
There are two ways to revoke access to selected permissions using the permissions table.
Single-permission revocation
Using the Revoke button in a specific permission row allows you to directly revoke that individual permission. In addition to the Revoke button, the column includes several other indicators:
- “i” tooltip: Indicates that indirect permissions cannot be revoked.
- “!” tooltip: Indicates that revoking a permission granted via a birthright policy is a temporary action. Permissions will be reassigned during the next sync.
- An empty field indicates that the specific permission is associated with an unmanaged account and therefore cannot be revoked.
Bulk revocation
The Revoke selected button allows you to revoke permissions in bulk, i.e., revoke at least one selected and eligible permission, or the entire table.
Notes
- Eligible permissions are any permissions that are not indirect or unmanaged.
- If no rows are selected, this functionality is disabled.
During the Revoke selected process, you may encounter the following screens, designed to help you review and confirm the impact of revoking selected permissions:
- Additional permissions will be revoked
  Presents the selected permissions and the additional permissions that will be revoked due to shared accounts of a common permission type (Birthright policies, JIT requests, etc.).
  Revoking a permission from a shared account impacts all users who share that account.
- Temporarily revoke birthright permissions
  This screen appears when the selected permissions for revocation were originally granted by a birthright policy, indicating the action is temporary.
- Permissions cannot be revoked
  This screen lists permissions that cannot be revoked automatically. These permissions are either indirect or unmanaged.
- Revoke permissions?
  This screen is your final opportunity to review and confirm the permissions selected for revocation. Click Revoke permissions to complete the action.
Across all revocation screens, you can perform the following actions:
- Remove from revoke: Click this next to a user’s entry to exclude a permission from being revoked.
- Remove all: Removes all permissions listed in the current table from the revocation process.
- Next: Continue to the next step in the revocation process.
- Cancel revoke: Exit the workflow without making any changes.
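The revocation rules above can be rehearsed offline against a CSV downloaded from the permissions table before anything is revoked. The following is an added example, not Entitle or BeyondTrust code: the header names are assumed to mirror the table columns listed on this page, the rows are constructed sample data, and unmanaged accounts are not modelled because the listed columns carry no field for them.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Header names are an assumption: they mirror the
# table columns listed on this page, and a real export may differ.
SAMPLE_CSV = """User,Account,Integration,Resource type,Resource,Permission path,Permission type,Created,Expiration
alice@example.com,svc-deploy,AWS Prod,IAM role,deployer,Direct,JIT request,2024-05-01,2024-05-02
bob@example.com,svc-deploy,AWS Prod,IAM role,deployer,Direct,JIT request,2024-05-01,2024-05-02
carol@example.com,carol,GitHub,Team,platform,Direct,Birthright policy,2024-01-10,
dave@example.com,dave,Okta,Group,finance,Indirect,External,2023-11-03,
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def permission_key(row):
    """Permissions attach to the account, so key on the account, not the user."""
    return (row["Account"], row["Integration"], row["Resource type"],
            row["Resource"], row["Permission type"])

def preview_revocation(rows, selected):
    """Bucket the selected row indexes the way the revocation screens do."""
    by_key = defaultdict(list)
    for i, row in enumerate(rows):
        by_key[permission_key(row)].append(i)
    plan = {"revoke": [], "additional": [], "temporary": [], "cannot_revoke": []}
    for i in selected:
        row = rows[i]
        if row["Permission path"].strip().lower() == "indirect":
            plan["cannot_revoke"].append(i)  # indirect permissions cannot be revoked
            continue
        plan["revoke"].append(i)
        if row["Permission type"].strip().lower() == "birthright policy":
            plan["temporary"].append(i)      # reassigned during the next sync
        # Shared account: other users holding the same permission lose it too.
        for j in by_key[permission_key(row)]:
            if j not in selected and j not in plan["additional"]:
                plan["additional"].append(j)
    return plan

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    plan = preview_revocation(rows, selected=[0, 2, 3])
    for bucket, idxs in plan.items():
        print(bucket, [rows[i]["User"] for i in idxs])
```

A non-empty `additional` bucket is the case to review before confirming, since it lists users who were not selected but share the account.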
Risk and sensitivity indicators
Important
- Risk and sensitivity indications will be visible in Entitle only if accessed through Pathfinder, with a user who has admin privileges in both Entitle and Insights.
- See the Identity Security Insights integration guide to set up risk and sensitivity indications in Entitle.
View risk/sensitivity indicators using the Permissions graph
- When the abovementioned prerequisites are fulfilled, Insights will load in the permissions graph before the admin selects any filters. This way, they can immediately see the status of the employees in the company, such as who has multiple high-risk permissions.
- Once filters are selected, the graph will display the users according to the selected filters.
Note
If only one of the risk/sensitivity filters is selected without any filters (Users/Integration/Resource type/Resource/Role), a maximum of 250 users can be presented in the permissions graph. The following tooltip will display:
Filter risk and sensitivity indicators
Currently, this functionality is supported only in the permissions graph view and will not display in the permissions table view.
Admins can filter users based on risk and/or sensitivity levels. To apply the filters:
- Select Users/resources/roles whose permissions you want to display using the appropriate filter.
- You will see a numerical indicator presenting a cumulative schema for the risk and sensitivity levels of all the users existing in the graph.
- Use the right-hand side Risk and Sensitivity filters to adjust the graph according to the information you wish to display.
View detection details in Insights
- Hovering over the risk or sensitivity icon will summarize the risk/sensitivity details. In the example below, the cumulative risk level is 1.
- Clicking on a detection will redirect you to Insights, where you can view more detailed information about the specific detection.