Users | Entitle
Overview
The Users screen is where Entitle Admins can view and manage the organization’s employees and their permissions. This screen has several key functionalities:
Log in to Entitle and navigate to the Users screen on the left-side menu.
View, search, sort, and filter employees’ accounts
- The table presents all your organization’s users within Entitle, the number of associated integration accounts, the number of permissions they have, their direct manager, and their Entitle role.
- Additional functionalities available:
  - Search for specific employees by name.
  - Sort employees based on the following criteria:
    - First name
    - Last name
    - Number of accounts
    - Number of permissions
    - Direct manager
    - Deleted users
      Users marked with the Deleted icon have been previously removed from the Entitle tenant.
  - Filter according to the following categories:
    - User
    - Direct manager
    - Deleted users
    - Entitle role
  - JIT request analysis opens a separate view where you can view and export reports showing which users are eligible to request which roles and resources.
Clicking on a specific account will redirect you to the user screen, which has several key functionalities:
- At the top of the screen, you will see the employee’s email, Entitle role, and Direct manager (Number 1).
  This is available only if HR is enabled in the IdP connection.
- Integration accounts or Permissions table (Number 2):
  - Integration accounts: This allows management of your tenant’s integrations and associated accounts.
  - Permissions table: This allows viewing and managing employees’ permissions in Entitle. For further details, refer to this section in this guide.
- Search, sort, and filter functionalities (Number 3). Sorting and filtering can be done according to the following parameters:
  - Integration name
  - Account name
Manage accounts
Inside the Integration accounts tab in the Users screen, you will be able to:
- View the integrations that were set up in your tenant and the accounts that have integrated them.
- Add accounts association to integrations that are yet to be mapped to the employee’s user.
- Add accounts association to integrations that are mapped to the employee's user.
- Remove accounts association from integrations that are mapped to the employee's user.
Add accounts association to integrations that are yet to be mapped to the employee’s user
- To add an integration and account, click the Add integration button.
- Select an integration from the list or search for a specific one using the search bar. Note that integrations that already appear in the Integration accounts tab will not show in the list.
- Then, select an account from the list or search for a specific one. You can select multiple accounts if needed.
- Finally, click the Add integration button.
- The new integration and its associated accounts will now appear as a new tile in the Integration accounts tab.
Add accounts association to integrations that are mapped to the employee's user
- In the Integration accounts tab, navigate to the specific integration from the catalog to which you want to add accounts.
- Click the "+" icon next to your chosen integration to add a new account.
- In the Add accounts pop-up screen, associate the appropriate accounts. Note that here too, you can add multiple accounts at once. Then, click the Add accounts button.
- You can now see the associated account(s) as part of the integration you originally selected.
Remove accounts association from integrations that are mapped to the employee’s user
- In the Integration accounts tab, click the "x" icon next to the account you wish to remove from the specified integration.
- In the pop-up screen, click the Remove account button. Note: If an integration has only one account that has been removed, the integration itself will be removed.
View, sort, filter, and revoke employees’ permissions
- To view an employee’s permissions, click anywhere on the user’s row in the Users screen.
- Navigate to the Permissions table. This view has a few different functionalities:
  - The permissions table (Number 1): Includes all of the user’s permissions inside and outside of Entitle. The columns from left to right are:
    - Account
    - Integration
    - Resource type
    - Resource
    - Permission path
    - Permission type
    - Created
    - Expiration
    For further details, see Definitions of key concepts in the Permissions screen documentation.
  - Search accounts, resource names, and role names (Number 2).
  - Sort and filter permissions (Number 3) according to the table’s components.
  - Download as CSV (Number 4): You can download specific rows if selected; otherwise, the entire table will be downloaded.
  - Revoke access to selected permissions (Number 5):
    - For further information on revoking permissions, see Revoke permissions in the Permissions screen documentation.
    - For further details on integrations/resources/roles, hover over the Integration name/Resource/Role. Click on any of them to navigate to Entitle's specific page.
View JIT request analysis
Admins and compliance users can use JIT request analysis to review just-in-time access eligibility across users, roles, and resources. The report includes every requestable role available to a user, whether through direct assignment, bundles, or virtual roles. Use this report to view who can request access, not who currently has access or who has requested access in the past.
If you do not see the JIT request analysis button, contact your BeyondTrust representative to request that the feature be enabled for your organization.
This view provides the following capabilities for admins:
- View a table of users, roles, and resources that shows just-in-time access eligibility among them. The following columns provide details:
  - User
    The user's name and email appear in the table; only the email address appears in the CSV export.
  - Application
    This column appears only in the CSV export.
  - Integration
  - Resource
  - Role
  - Direct
  - Bundle
  - Virtual app
    The Bundle and Virtual app columns appear only if bundles or virtual applications exist in your tenant. These columns may contain multiple values per row.
- Filter: Select one or more filters to control which data is displayed. Available filters include:
  - IdP group
  - On call
  - User
  - Integration
  - Integration name
  - Resource
  - Resource name
  - Role name
  - Direct
  - Bundle
  - Virtual app
- Download as CSV: Export a CSV file of the eligibility data shown in the table. When no filters are applied, the export includes all eligibility data, which is commonly required for audit purposes. When filters are applied, only the filtered results are exported.
If you select specific rows, only those rows are exported. If no rows are selected, the entire table is exported.
The exported file is named using the following format:
Entitle_exported_potential_jitroles%DATE_TIME%.csv
The CSV reflects the table content with minor differences, such as the User column containing only the user's email address and the Application column appearing only in the exported file.
To ensure an audit trail, each export of a JIT access report is recorded in the audit logs, including the user who performed the export and the time it occurred.
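For an access review, the exported eligibility CSV can be summarized per user offline. The script below is an added example, not Entitle or BeyondTrust code. It assumes the CSV headers match the column names listed above, that the Direct column holds a Yes/True/1 flag, and that multi-value Bundle and Virtual app cells are separated by semicolons; the sample rows and the "sensitive role" pattern are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; headers follow the column names listed above.
SAMPLE_EXPORT = """User,Application,Integration,Resource,Role,Direct,Bundle,Virtual app
alice@example.com,AWS,AWS Prod,billing-db,ReadOnly,Yes,,
alice@example.com,AWS,AWS Prod,billing-db,Admin,,Oncall bundle; DBA bundle,
bob@example.com,GitHub,GitHub Org,payments-repo,Maintainer,Yes,Dev bundle,Eng portal
"""
REQUIRED = {"User", "Integration", "Resource", "Role"}
OPTIONAL_PATHS = ("Bundle", "Virtual app")  # absent when the tenant has none

def split_multi(cell):
    """Split a multi-value cell (assumption: values are ';'-separated)."""
    return [v.strip() for v in (cell or "").split(";") if v.strip()]

def load_eligibility(text):
    """Parse an export into rows with the eligibility paths normalised."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    rows = []
    for rec in reader:
        paths = []
        # Assumption: a direct assignment is flagged as Yes/True/1.
        if (rec.get("Direct") or "").strip().lower() in {"yes", "true", "1"}:
            paths.append("direct")
        for col in OPTIONAL_PATHS:
            paths += [f"{col.lower()}:{v}" for v in split_multi(rec.get(col))]
        parts = [(rec[c] or "").strip() for c in ("Integration", "Resource", "Role")]
        rows.append({"user": (rec["User"] or "").strip().lower(),
                     "role": parts[2], "target": "/".join(parts), "paths": paths})
    return rows

def summarize(rows, sensitive_pattern=r"admin|owner"):
    """Per user: requestable role count, sensitive roles, multi-path roles."""
    sensitive = re.compile(sensitive_pattern, re.IGNORECASE)
    summary = defaultdict(lambda: {"roles": 0, "sensitive": [], "multi_path": []})
    for row in rows:
        entry = summary[row["user"]]
        entry["roles"] += 1
        if sensitive.search(row["role"]):
            entry["sensitive"].append(row["target"])
        if len(row["paths"]) > 1:
            entry["multi_path"].append(row["target"])
    return dict(summary)
```

Roles listed under `multi_path` stay requestable after one path is removed, so a reviewer narrowing eligibility needs to clear every listed bundle or virtual app, not only the direct assignment.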