Birthright policies | Entitle Pathfinder
Overview
Entitle birthright policies are sets of rules that automatically manage employees’ birthright permissions, allowing a group of employees to be entitled to a set of birthright permissions.
When an employee joins the group, e.g., upon joining the organization, they will be automatically granted the permissions defined for the group, and upon being removed from the group, e.g., leaving the organization, the permissions will also be automatically removed.
This page will provide you with step-by-step instructions on how to use Policies in Entitle.
View and manage Policies
View role access to the Birthright Policies page
See which roles can perform each action.
Important: This page is accessible only to Super Admins, Tenant Admins, Admins, and Read-Only Admins.
| Actions | Super Admin | Tenant Admin | Admin | Read-Only Admin |
|---|---|---|---|---|
| View policies | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Allowed: Action is available and clickable |
| Add policies | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Not visible: Action does not appear |
| Edit policies | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Not visible: Action does not appear |
| Delete policies | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Not visible: Action does not appear |
| Reorder policies | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Allowed: Action is available and clickable | Not visible: Action does not appear |
- Sign in to app.beyondtrust.io with your credentials. The BeyondTrust Pathfinder Home displays.
- At the top right of the page, select your site from the drop-down.
- Select the Entitle tile from your list of available applications.
- From the top left menu, select Policies.
- Policies table: This table presents all existing policies within the tenant. The columns from left to right are:
  - Group: Displays the groups to which the policies grant access.
  - Role: Displays the roles to which the policies grant access.
  - Bundle: Displays the bundles to which the policies grant access.
- Add policy: Create a new policy. For details, see Set up Entitle policies in this guide.
- Search: Find policies based on:
  - Group
  - Integration
  - Resource
  - Role
  - Bundle
- Filter: Filter your table view by:
  - IdP group
  - On call
  - Integration
  - Resource
  - Role
  - Policy ID
  - Bundle
- Prioritize policies: Permissions for conflicting roles are given based on the priority of the policy. To modify the priority, drag the chosen policy using the grip icon. The higher the policy sits in the table, the higher its priority.
- Edit/Delete policies: Click the vertical ellipsis at the right to access the Edit and Delete options.
  - Edit: Click the pencil icon. Make your changes, and when you are done, click Save.
  - Delete: Click the trash icon, and in the pop-up screen click Delete policy. This action removes the permissions that the specific users within the selected groups had through this policy.
It is recommended that when deleting a policy, you first remove the roles/bundles from the policy and then delete it.
Hovering over the different components within the policies table will provide you with further information on the groups, bundles, and roles.
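The following is an added example, not Entitle's own code, that models what the policies table describes: policies are evaluated in table order, a user receives the roles of every policy whose groups they belong to, and, where two policies would grant different roles on the same resource, the higher policy wins. That conflict rule is an assumption (the page states only that conflicting roles are resolved by priority), as are the group, integration and role names, which are constructed. The `reconcile` function also shows the join/leave behaviour from the overview: roles that the current policies no longer justify are revoked.

```python
from dataclasses import dataclass

# Added example: a constructed model of birthright policy evaluation, not Entitle's
# implementation. Policies are kept in table order, index 0 being the top of the
# table and therefore the highest priority.


@dataclass(frozen=True, order=True)
class Role:
    """One grant: a role on a resource inside an integration."""
    integration: str
    resource: str
    role: str


@dataclass(frozen=True)
class Policy:
    policy_id: str
    groups: frozenset   # IdP and/or on-call group names the policy covers
    roles: tuple        # Role grants the policy hands out


def desired_grants(user_groups, policies):
    """Return {(integration, resource): (role, policy_id)} for one user.

    Assumption (not stated on the page): two policies that grant different
    roles on the same integration resource conflict, and the policy nearer
    the top of the table wins.
    """
    granted = {}
    for policy in policies:                      # highest priority first
        if not (policy.groups & user_groups):    # user is in none of its groups
            continue
        for r in policy.roles:
            key = (r.integration, r.resource)
            if key not in granted:               # lower policies cannot override
                granted[key] = (r.role, policy.policy_id)
    return granted


def reconcile(current_roles, user_groups, policies):
    """Diff what the user holds against what the policies say they should hold.

    Assumes every Role in current_roles was granted by a birthright policy,
    so anything no longer desired is revoked, mirroring removal from a group.
    """
    desired = {Role(integ, res, role)
               for (integ, res), (role, _pid) in desired_grants(user_groups, policies).items()}
    to_grant = sorted(desired - set(current_roles))
    to_revoke = sorted(set(current_roles) - desired)
    return to_grant, to_revoke


# Constructed sample data (all names are illustrative).
POLICIES = (
    Policy("P1", frozenset({"engineering"}),
           (Role("GitHub", "org/app", "write"),)),
    Policy("P2", frozenset({"all-employees"}),
           (Role("GitHub", "org/app", "read"), Role("Slack", "#general", "member"))),
    Policy("P3", frozenset({"oncall-sre"}),
           (Role("AWS", "prod-account", "admin"),)),
)

ALICE_GROUPS = frozenset({"engineering", "all-employees"})   # rotated off on-call
ALICE_CURRENT = {Role("Slack", "#general", "member"), Role("AWS", "prod-account", "admin")}


if __name__ == "__main__":
    grant, revoke = reconcile(ALICE_CURRENT, ALICE_GROUPS, POLICIES)
    print("grant:", grant)      # GitHub org/app write from P1; P2's read loses the conflict
    print("revoke:", revoke)    # AWS prod-account admin, since alice left oncall-sre
    # Dragging P2 above P1 flips the conflicting GitHub role to read.
    reordered = (POLICIES[1], POLICIES[0], POLICIES[2])
    print(desired_grants(ALICE_GROUPS, reordered)[("GitHub", "org/app")])
```

Reordering the tuple is the code equivalent of dragging a policy with the grip icon: with P2 moved above P1, the same user's GitHub role changes from write to read, which is why a reorder counts as an immediate trigger rather than waiting for the daily run.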
Set up Entitle Policies
- Navigate to the Policies screen and click the Add Policy button in the top-right corner.
- In the pop-up screen, you will need to choose the following details for your new policy:
  - Groups and Schedule (Number 1): Select your chosen groups and/or schedules from the list; you can choose as many as you wish. **Note:** The groups that can be chosen are identity provider and on-call groups. You can see the detailed lists of each group under the Org settings page.
  - Next, choose whether you want the policy to give access to roles, bundles, or both.
  - Give access to roles (Number 2): Click the Add Role button on the right side, then choose the integration, resource, and role you wish to add.
    - If you encounter the "No roles available" message, consider the following. This message appears for roles created by an Admin in a Virtual Application that are connected to roles that cannot be requested or received under these circumstances:
      - The integration has been deleted.
      - `can_update_permissions` is set to `false` and `can_create_actors` is set to `true`.

      As a result, when an Admin attempts to set up a policy using that Virtual Application, these roles will not be visible. If only one such role exists when an Admin accesses the Add role field, it will display "No roles available."

  - Give access to bundles (Number 3): Click the Add Bundle button on the right side, then choose the Bundle Name from the list.
  - To add multiple roles or bundles, click the Add Role or Add Bundle button each time.
- Finally, click Apply. You should now be able to see the new policy you just created in the original Birthright policies screen.
Changes in Policies
Any change made in the system is documented in the Audit logs screen, including changes in policies; e.g., changes in the policy’s content through creating, editing, or deleting policies, as well as changes in the policy’s permissions.
Triggers for Policies
The policies are applied once a day; however, any of the following changes will be applied immediately: creating, editing, or deleting policies, reordering the policies, changes in the on-call groups, and changes in the IdP groups.
Troubleshooting
Birthright policy sync issue
A Birthright policy automatically assigns roles to users who belong to a specified group. In some cases, a user is in the correct group but does not get the specified role. To resolve this issue, follow the steps below:
Identify the issue
- Navigate to the Audit logs screen in Entitle.
- Download the logs as a CSV file.
- Search for the user’s ID, which is available on the user’s profile page.
- Look for the following action in the CSV file: `OrganizationPolicyPermissionsUpdatesMissingAccounts`.
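As an added example (not Entitle's code), the steps above can be scripted against the downloaded CSV so the search is repeatable and can be run for every user at once. The export's real column headers are not given on this page, so the `user_id` and `action` column names and the sample rows below are assumptions; change the constants to match your export.

```python
import csv
import io
from collections import Counter

# Added example (not Entitle's code): triage an exported audit-log CSV for the
# action named in the troubleshooting steps. Column names below are assumptions;
# the real export's headers may differ, so adjust the constants to match it.
USER_COL = "user_id"
ACTION_COL = "action"
MISSING_ACCOUNT_ACTION = "OrganizationPolicyPermissionsUpdatesMissingAccounts"

# Constructed sample export with a handful of rows.
SAMPLE_CSV = """timestamp,action,user_id,details
2024-05-01T08:00:00Z,PolicyCreated,admin-1,policy created
2024-05-01T09:00:00Z,OrganizationPolicyPermissionsUpdatesMissingAccounts,user-123,no linked GitHub account
2024-05-01T09:05:00Z,OrganizationPolicyPermissionsUpdatesMissingAccounts,user-456,no linked GitHub account
2024-05-02T09:00:00Z,OrganizationPolicyPermissionsUpdatesMissingAccounts,user-123,no linked GitHub account
2024-05-02T10:00:00Z,PolicyUpdated,admin-1,policy reordered
"""


def missing_account_events(csv_text, user_id):
    """Rows where the policy run found no integration account for user_id."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader
            if row.get(USER_COL) == user_id and row.get(ACTION_COL) == MISSING_ACCOUNT_ACTION]


def affected_users(csv_text):
    """Count missing-account events per user across the whole export, so a
    problem that hits many users (for instance an integration that stopped
    syncing) stands out from a single unlinked account."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return Counter(row[USER_COL] for row in reader
                   if row.get(ACTION_COL) == MISSING_ACCOUNT_ACTION)


if __name__ == "__main__":
    for row in missing_account_events(SAMPLE_CSV, "user-123"):
        print(row["timestamp"], row["details"])
    print(dict(affected_users(SAMPLE_CSV)))
```

To run it on a real download, read the file with `open(path, newline="")` and pass the contents to the two functions in place of `SAMPLE_CSV`. A user who appears on consecutive days has had no account linked since the first event, which is the case the next section resolves; many distinct users appearing on the same day points at the integration sync rather than at one user.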
Add the user’s integration account
- Navigate to the user’s page in Entitle.
- Select Add integration.
- Choose the integration used in the Birthright policy.
- Select the user’s account.
If the user's associated account is not listed, it may not have synced to Entitle yet:
- Confirm the user has an account in the integration application.
- In Entitle, open the integration and select Sync. After 10 minutes, recheck the user's page to confirm the account has been added.
Resync the Birthright policy
If the user still does not receive the role, proceed with one of two options:
- Option 1: Recreate the Birthright policy.
- Option 2: Re-order the Birthright policies by dragging them in the Birthright policies screen and changing their hierarchy.