Custom entitlements
In addition to the internal entitlements that control authorization within the application, custom entitlements can be created for:
structuring authorization roles
controlling provisioning logic
Authorization roles can be attached to entitlements via the authentication module.
For example, the permission READ ORGANISATION can be linked to entitlement A.
Provisioning logic can be attached to entitlements by linking provisioning units to the entitlement.
Designing entitlements
Before you start, it is good practice to build a catalog of all the entitlements, their properties and their dependencies on the target systems.
Try to keep the number of entitlements as small as possible by grouping and bundling.
For example, instead of creating a specific role for GIT access, consider creating an entitlement 'Developer' that bundles all the access a developer should have.
Name and code
Give the entitlement a name that describes its function.
A code is used for technical reasons.
Properties
Entitlement properties are used to request input or a choice when the entitlement is assigned, or are used in a provisioning context.
See also PropertyProviders
Provisioning units
Provisioning units are added to an entitlement to trigger provisioning towards specific target systems.
Transformers can be used to model the content that is provisioned.
Prerequisites
Also think about prerequisites.
Do you need another entitlement assignment to be present before you can have this entitlement?
Is the entitlement only assignable in the context of a specific organisation or organisation type?
See also Entitlement prerequisites
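The catalog and prerequisite questions above can be checked before anything is configured. The following is an added example, not the product's own code or data model: the Entitlement fields, the sample catalog and both functions are hypothetical names chosen for illustration. It flags unknown or circular prerequisites in a catalog and lists the reasons an assignment would be refused.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:                  # hypothetical model, not the product's schema
    code: str                       # technical code
    name: str                       # functional name
    requires: tuple = ()            # codes of prerequisite entitlements
    org_types: tuple = ()           # allowed organisation types; empty means any
    provisioning_units: tuple = ()  # target systems triggered on assignment

# Constructed sample catalog: 'Developer' bundles git and CI access.
CATALOG = {e.code: e for e in (
    Entitlement("EMPLOYEE", "Employee", provisioning_units=("directory",)),
    Entitlement("DEVELOPER", "Developer", requires=("EMPLOYEE",),
                org_types=("ENGINEERING",), provisioning_units=("git", "ci")),
    Entitlement("RELEASE_MGR", "Release manager", requires=("DEVELOPER",),
                org_types=("ENGINEERING",), provisioning_units=("ci",)),
)}

def catalog_errors(catalog):
    """Return design errors: unknown prerequisites and prerequisite cycles."""
    errors = [f"{e.code}: unknown prerequisite {r}"
              for e in catalog.values() for r in e.requires if r not in catalog]
    state = {}  # code -> "visiting" or "done" (depth-first search marks)

    def visit(code, path):
        if code not in catalog or state.get(code) == "done":
            return
        if state.get(code) == "visiting":
            errors.append("cycle: " + " -> ".join(path + [code]))
            return
        state[code] = "visiting"
        for r in catalog[code].requires:
            visit(r, path + [code])
        state[code] = "done"

    for code in catalog:
        visit(code, [])
    return errors

def denial_reasons(catalog, code, held, org_type):
    """Return why `code` cannot be assigned; an empty list means assignable."""
    e = catalog[code]
    reasons = [f"missing prerequisite {r}" for r in e.requires if r not in held]
    if e.org_types and org_type not in e.org_types:
        reasons.append(f"not assignable in organisation type {org_type}")
    return reasons
```

Running catalog_errors over the catalog as part of a design review catches entitlements that could never be assigned because their prerequisite chain is broken or circular.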