Entitlements
Entitlements in Oblique allow you to grant subjects (attribute-based groups, team groups, and users) access to resources. Entitlements can be direct or indirect, such as when a user belongs to a group that has an entitlement. Entitlements can have an expiration date and a justification for access. A user or group has access to a resource when they have one or more entitlements that grant access to that resource.
Listings give a way to present entitlements in a more explainable way to users.
View access
You can view the entitlements that are related to a user, attribute-based group, team group, resource, or listing from its detail page. Admins can see both listings and their underlying resources, whereas users only see listings.
For users:
- You can see the listings you or another user have access to, including indirect access, on the user's profile page in the Access section.
- You can see the listings you have access to in the access catalog on the Access tab. You can also see the users and groups who can access a listing on the listing detail page in the Access section.
- You can see the listings an attribute-based group or team group has access to, including indirect access, on the group's detail page in the Access section.
For Admins, in addition to listings, you can view entitlements for resources:
- You can see the entitlements you have, including indirect access, on your profile page, and the entitlements another user has on their profile page, in the Access section.
- You can see the entitlements an attribute-based group or team group has, including for indirect access, from their detail page, in the Access section.
- You can see the entitlements for accessing a resource, including for indirect access, from the resource’s detail page, in the Entitlements section.
To open the access graph to visualize entitlements, select View graph on a user profile or attribute-based group, team group, or resource’s detail page.
View timeline of access changes
You can also view how changes to entitlements have affected access over time.
To view a timeline of access changes, go to the Access changes section on a user profile or attribute-based group, team group, resource’s, or listing’s detail page.
Each item is an event that added or removed an entitlement. Access changes only include granted or revoked access, and do not include changes that edit entitlements, such as extending an entitlement.
To see all changes in Oblique, view audit logs.
Grant access
In Oblique, access to a resource is granted by creating an entitlement. There are two ways to create an entitlement: creating an entitlement directly, or creating an entitlement via a listing.
Admins can create entitlements directly, but users can’t. Instead, users request access through listings. When a role in a listing is granted, Oblique automatically creates entitlements for the resources mapped to that role.
Create an entitlement
You can create an entitlement from the Request access page.
You can get there in many ways:
- If you know the attribute-based group, team group, or user to whom you want to grant access, select Request access from their detail page. This will take you to the Request access page with the subject pre-selected.
- If you know the resources to which you want to grant access, select Request access from the resource detail page. This will take you to the Request access page with the resource pre-selected.
Creating an entitlement requires a request. To create an entitlement:
- Under Subjects, select the subjects that will be granted access: an attribute-based group, team group, or user. You can select multiple subjects. Use the search field to find subjects by typing their name or display name.
- Under Resource, select the resource that subjects should gain access to. Use the search field to find resources by typing their name or display name. You can only select one resource.
- (Optional) Under Expiration, select a duration for the entitlement, after which it will automatically expire and the subjects will lose access. By default, this is 90 days.
- In the Access changes section, you can preview the access changes for this request.
- In the Approval section, review the checks needed to create this entitlement. A reviewer is automatically selected for each check, but can be modified. Click Select reviewers to assign different reviewers, and select Add reviewer for each check that is missing a reviewer.
- Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.
Once the request passes all checks and it is set to auto-apply, it is automatically applied and Oblique will create the entitlement for you. Otherwise, if there are checks that still need review, the change request will be shown as Open until all checks pass. You can ask a reviewer to approve the request. If you have disabled auto-apply, once the checks pass, you can manually apply the request.
When you apply the change request, Oblique will create an entitlement that specifies access for each subject and resource pair. If the entitlement has an expiration, then it will automatically expire—for all subjects specified—at that time.
To see what entitlements an attribute-based group, team group, or user has, or which subjects have an entitlement to access a resource, go to that entity’s detail page.
Grant access to multiple subjects
You can select multiple subjects to grant them all access to the same resource with identical settings.
Grant access to multiple resources
It’s not currently possible to grant access to multiple resources at once.
If there is a set of users who need access to the same set of resources, create a team group or attribute-based group to manage more efficiently. Adding a user to a team group will automatically grant them access to the team’s resources.
Alternatively, create multiple entitlements.
Assign a role
Rather than creating entitlements or requesting resources directly, users request roles within a listing, which map to any number of resources. Assigning a role automatically creates entitlements for the resources mapped to that role.
Assigning a role requires a request. To assign a role, from the listing detail page:
- Select Request access.
- Under Listing, confirm this is the listing you are requesting.
- Under Subject, select the subject that will be granted access: one of your groups, yourself, or another user. You can select multiple subjects. Use the search field to find subjects by typing their name or display name.
- Under Role, select the role you are requesting.
- (Optional) Under Expiration, select a duration for the entitlement, after which it will automatically expire and the subjects will lose access. By default, this is 90 days.
- In the Access changes section, you can preview the access changes for this request.
- In the Approval section, review the checks needed to assign this role. Reviewers are automatically selected for each check, but can be modified by clicking on the reviewer list.
- Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.
Edit access
Like granting access, there are two ways to edit access: Admins can edit entitlements directly, while users can only edit their assigned roles within a listing (which is not currently supported; see Edit a role assignment below). Entitlements created outside of a listing can only be edited directly, and not through a listing.
You can edit an entitlement’s expiration date, to either extend or shorten it. You can also edit an entitlement to change it from being indefinite to expiring, or vice versa. You can only edit an entitlement if it’s direct.
Edit an entitlement
Editing an entitlement requires a request. For the user, team group, or attribute-based group whose access you want to edit, or the resource for which you want to edit access, navigate to their detail page:
- Under Access, locate the entitlement you want to edit.
- Select More and select Edit expiration…. This will open a request form.
- Under New expiration, select a new expiration period or date for the entitlement.
- In the Approval section, review the checks needed to edit this entitlement. A reviewer is automatically selected for each check, but can be modified. Click Select reviewers to assign different reviewers, and select Add reviewer for each check that is missing a reviewer.
- Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.
Once the request passes all checks and it is set to auto-apply, it is automatically applied and Oblique will edit the entitlement for you. Otherwise, if there are checks that still need review, the change request will be shown as Open until all checks pass. You can ask a reviewer to approve the request. If you have disabled auto-apply, once the checks pass, you can manually apply the request.
When you apply the change request, Oblique will edit the entitlement.
Edit a role assignment
You can’t currently edit a role assignment.
Revoke access
Like granting access, there are two ways to revoke it: Admins can revoke entitlements directly, while users can revoke their assigned roles within a listing. Entitlements created outside of a listing can only be revoked directly, and not through a listing.
Revoke an entitlement
Revoking an entitlement requires a request. For the user, team group, or attribute-based group whose access you want to revoke, or the resource for which you want to revoke access, navigate to their detail page:
- Under Access, locate the entitlement you want to revoke.
- Select More and select Revoke…. This will open a request form.
- In the request form Preview section, you can preview the access changes for this request.
- In the Approval section, review the checks needed to revoke this entitlement. A reviewer is automatically selected for each check, but can be modified. Click Select reviewers to assign different reviewers, and select Add reviewer for each check that is missing a reviewer.
- Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.
Once the request passes all checks and it is set to auto-apply, it is automatically applied and Oblique will revoke the entitlement for you. Otherwise, if there are checks that still need review, the change request will be shown as Open until all checks pass. You can ask a reviewer to approve the request. If you have disabled auto-apply, once the checks pass, you can manually apply the request.
When you apply the change request, Oblique will revoke the entitlement.
If a user has multiple entitlements that grant access to the same resource (for example, a direct entitlement plus an indirect one through a group), every one of them must be revoked to remove access; revoking only one leaves the user with access through the others.
Revoke a role
Revoking a role requires a request. To revoke a role, from the listing detail page:
- Under Access, locate the role assignment you want to revoke.
- Select More and select Revoke…. This will open a request form.
- In the Access changes section, you can preview the access changes for this request.
- In the Approval section, review the checks needed to revoke this role. A reviewer is automatically selected for each check, but can be modified. Click Select reviewers to assign different reviewers, and select Add reviewer for each check that is missing a reviewer.
- Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.
Once the request passes all checks and it is set to auto-apply, it is automatically applied and Oblique will revoke the role for you. Otherwise, if there are checks that still need review, the change request will be shown as Open until all checks pass. You can ask a reviewer to approve the request. If you have disabled auto-apply, once the checks pass, you can manually apply the request.
When you apply the change request, Oblique will revoke the role.
Expire access
Entitlements and role assignments with an expiration date are automatically revoked by Oblique when the expiration date is reached; the entitlements created by an expiring role assignment are revoked with it.
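To make the access model on this page concrete, here is an added example (not Oblique's own code; all names, data structures and the sample users, groups and resources are constructed for illustration) that models entitlements as subject/resource pairs with an optional expiration, resolves a user's access through direct and group (indirect) entitlements, expands a listing role into one entitlement per mapped resource, records an access-change timeline of grants and revocations, and shows why revoking one of several entitlements does not remove access while expiry does.

```python
"""Toy model of entitlement resolution as described on this page.
Added example, not Oblique's code: every name and structure here is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    subject: str              # a user, team group or attribute-based group
    resource: str
    expires: Optional[date]   # None means indefinite
    justification: str = ""


@dataclass
class AccessModel:
    groups: dict[str, set[str]] = field(default_factory=dict)       # group -> member users
    entitlements: set[Entitlement] = field(default_factory=set)
    roles: dict[tuple[str, str], set[str]] = field(default_factory=dict)  # (listing, role) -> resources
    changes: list[tuple[date, str, Entitlement]] = field(default_factory=list)  # access-change timeline

    def grant(self, subject: str, resource: str, today: date,
              days: Optional[int] = 90, justification: str = "") -> Entitlement:
        """Create one entitlement; default expiry is 90 days, days=None is indefinite."""
        expires = today + timedelta(days=days) if days else None
        e = Entitlement(subject, resource, expires, justification)
        self.entitlements.add(e)
        self.changes.append((today, "granted", e))
        return e

    def assign_role(self, listing: str, role: str, subject: str, today: date,
                    days: Optional[int] = 90) -> list[Entitlement]:
        """Assigning a role creates one entitlement per resource mapped to that role."""
        return [self.grant(subject, r, today, days) for r in sorted(self.roles[(listing, role)])]

    def revoke(self, e: Entitlement, today: date) -> None:
        self.entitlements.discard(e)
        self.changes.append((today, "revoked", e))

    def expire(self, today: date) -> None:
        """Revoke every entitlement whose expiration date has been reached."""
        due = sorted((e for e in self.entitlements if e.expires is not None and e.expires <= today),
                     key=lambda e: (e.subject, e.resource))
        for e in due:
            self.revoke(e, today)

    def subjects_for(self, user: str) -> set[str]:
        """The user plus every group the user belongs to (source of indirect access)."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def entitlements_for(self, user: str, resource: Optional[str] = None,
                         today: Optional[date] = None) -> set[Entitlement]:
        subs = self.subjects_for(user)
        return {e for e in self.entitlements
                if e.subject in subs
                and (resource is None or e.resource == resource)
                and (today is None or e.expires is None or e.expires > today)}

    def has_access(self, user: str, resource: str, today: date) -> bool:
        """Access exists when at least one unexpired entitlement (direct or indirect) grants it."""
        return bool(self.entitlements_for(user, resource, today))


def scenario() -> dict:
    """Walk through grant, indirect access, partial revoke and expiry (constructed data)."""
    day0 = date(2024, 1, 1)
    m = AccessModel(groups={"team-payments": {"alice", "bob"}})
    m.roles[("Payments DB", "reader")] = {"payments-db-ro", "payments-dashboards"}

    direct = m.grant("alice", "payments-db-ro", day0, days=30, justification="incident review")
    m.grant("team-payments", "payments-db-ro", day0, days=None)   # indefinite group entitlement
    m.assign_role("Payments DB", "reader", "carol", day0)         # default 90-day expiry

    out = {}
    out["alice_paths"] = len(m.entitlements_for("alice", "payments-db-ro", day0))  # direct + via group
    out["bob_indirect"] = m.has_access("bob", "payments-db-ro", day0)
    out["carol_resources"] = sorted(e.resource for e in m.entitlements_for("carol", today=day0))

    m.revoke(direct, day0)  # only one of alice's two entitlements is revoked
    out["alice_after_revoke"] = m.has_access("alice", "payments-db-ro", day0)

    day90 = day0 + timedelta(days=90)
    m.expire(day90)
    out["carol_after_expiry"] = m.has_access("carol", "payments-db-ro", day90)
    out["alice_after_expiry"] = m.has_access("alice", "payments-db-ro", day90)
    out["timeline"] = [(d.isoformat(), kind, e.subject, e.resource) for d, kind, e in m.changes]
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The revoke step is the one to watch: alice keeps access to payments-db-ro after her direct entitlement is revoked because the team-payments group entitlement still grants it, which is exactly why a revocation should be checked against the entity's Access section rather than assumed. The expiry step removes carol's role-derived entitlements on day 90 but leaves the indefinite group entitlement untouched.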
Best practices
- Use groups for access. Use attribute-based groups or team groups for access instead of individual users when possible. This simplifies entitlements and makes them more understandable.
- Limit long-lived access. Avoid granting access longer than necessary. Use expiration to automatically remove entitlements after a period of time.
- Regularly review access. Periodically review active entitlements to remove any that are no longer needed.