Entitlements

Entitlements in Oblique allow you to grant subjects (attribute-based groups, team groups, and users) access to resources. Entitlements can have an expiration date and a justification for access. A user or group has access to a resource when they have one or more entitlements that grant access to that resource.

You can create an entitlement from the Request access page.

You can get there in many ways:

  • Navigate directly to the Request access page. You can do this by selecting Grant access from the top level navigation menu.
  • If you know the attribute-based group, team group, or user to whom you want to grant access, select Request access from their detail page. This will take you to the Request access page with the subject pre-selected.
  • If you know the resources to which you want to grant access, select Request access from the resource detail page. This will take you to the Request access page with the resource pre-selected.

Creating an entitlement requires a request. To create an entitlement:

  1. Under Subjects, select the subjects that will be granted access: an attribute-based group, team group, or user. You can select multiple subjects. Use the search field to find subjects by typing their name or display name.
  2. Under Resource, select the resource that subjects should gain access to. Use the search field to find resources by typing their name or display name. You can only select one resource.
  3. (Optional) Under Expiration, select a duration for the entitlement, after which it will automatically expire and the subjects will lose access. By default, this is 90 days.
  4. In the Access changes section, you can preview the access changes for this request.
  5. In the Review section, review the checks needed to create this entitlement. A reviewer is automatically selected for each check, but can be modified. Click Select reviewers to assign different reviewers, and select Add reviewer for each check that is missing a reviewer.
  6. Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.

Once the request passes all checks and it is set to auto-apply, it is automatically applied and Oblique will create the entitlement for you. Otherwise, if there are checks that still need review, the change request will be shown as Open until all checks pass. You can ask a reviewer to approve the request. If you have disabled auto-apply, once the checks pass, you can manually apply the request.

When you apply the change request, Oblique will create an entitlement that specifies access for each subject and resource pair. If the entitlement has an expiration, then it will automatically expire—for all subjects specified—at that time.

To see what entitlements an attribute-based group, team group, or user has, or which subjects have an entitlement to access a resource, go to that entity’s detail page.

You can select multiple subjects to grant them all access to the same resource with identical settings.

It’s not currently possible to grant access to multiple resources at once.

If there is a set of users who need access to the same set of resources, create a team group or attribute-based group to manage their access more efficiently. Adding a user to a team group will automatically grant them access to the team’s resources.

Alternatively, create multiple entitlements.

You can edit an entitlement’s expiration date, to either extend or shorten it. You can also edit an entitlement to change it from being indefinite to expiring, or vice versa. You can only edit an entitlement if it’s direct.

Editing an entitlement requires a request. For the user, team group, or attribute-based group whose access you want to edit, or the resource for which you want to edit access, navigate to their detail page:

  1. Under Access, locate the entitlement you want to edit.
  2. Select More and select Edit expiration…. This will open a request form.
  3. Under New expiration, select a new expiration period or date for the entitlement.
  4. In the Review section, review the checks needed to edit this entitlement. A reviewer is automatically selected for each check, but can be modified. Click Select reviewers to assign different reviewers, and select Add reviewer for each check that is missing a reviewer.
  5. Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.

Once the request passes all checks and it is set to auto-apply, it is automatically applied and Oblique will edit the entitlement for you. Otherwise, if there are checks that still need review, the change request will be shown as Open until all checks pass. You can ask a reviewer to approve the request. If you have disabled auto-apply, once the checks pass, you can manually apply the request.

When you apply the change request, Oblique will edit the entitlement.

Revoking an entitlement requires a request. For the user, team group, or attribute-based group whose access you want to revoke, or the resource for which you want to revoke access, navigate to their detail page:

  1. Under Access, locate the entitlement you want to revoke.
  2. Select More and select Revoke…. This will open a request form.
  3. In the request form Preview section, you can preview the access changes for this request.
  4. In the Review section, review the checks needed to revoke this entitlement. A reviewer is automatically selected for each check, but can be modified. Click Select reviewers to assign different reviewers, and select Add reviewer for each check that is missing a reviewer.
  5. Select Create request. Optionally, to disable auto-apply for the request, click Select and then Create request + manually apply.

Once the request passes all checks and it is set to auto-apply, it is automatically applied and Oblique will revoke the entitlement for you. Otherwise, if there are checks that still need review, the change request will be shown as Open until all checks pass. You can ask a reviewer to approve the request. If you have disabled auto-apply, once the checks pass, you can manually apply the request.

When you apply the change request, Oblique will revoke the entitlement.

If a user has multiple entitlements which grant access to the same resource, all entitlements need to be revoked to remove access.

Entitlements with an expiration date will automatically be revoked by Oblique when the expiration date is reached.
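The revocation and expiration rules above can be checked with a small model. This is an added example, not Oblique code or its API: the `Entitlement` record, the membership map, and all names and dates are constructed assumptions used only to show why access can remain after one entitlement is revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Entitlement:
    """Hypothetical record: one subject/resource pair with optional expiry."""
    subject: str                     # user or group name
    resource: str
    expires_at: Optional[datetime]   # None means indefinite

def granting_entitlements(user, resource, entitlements, memberships, now):
    """Every unexpired entitlement that gives `user` access to `resource`,
    either directly or through a group the user belongs to."""
    subjects = {user} | memberships.get(user, set())
    return [
        e for e in entitlements
        if e.resource == resource
        and e.subject in subjects
        # Access ends when the expiration date is reached.
        and (e.expires_at is None or now < e.expires_at)
    ]

def has_access(user, resource, entitlements, memberships, now):
    """Access exists when one or more entitlements grant it."""
    return bool(granting_entitlements(user, resource, entitlements, memberships, now))

def revoke(entitlements, target):
    """Return the entitlement list without `target`."""
    return [e for e in entitlements if e != target]

# Constructed sample data (not taken from any real tenant).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
MEMBERSHIPS = {"alice": {"team-payments"}}
DIRECT = Entitlement("alice", "prod-db", NOW + timedelta(days=90))
VIA_TEAM = Entitlement("team-payments", "prod-db", None)
SHORT = Entitlement("alice", "billing-api", NOW + timedelta(days=7))
ENTITLEMENTS = [DIRECT, VIA_TEAM, SHORT]

if __name__ == "__main__":
    after = revoke(ENTITLEMENTS, DIRECT)
    # The direct grant is gone, but the team grant still applies.
    print(has_access("alice", "prod-db", after, MEMBERSHIPS, NOW))
    print(granting_entitlements("alice", "prod-db", after, MEMBERSHIPS, NOW))
```

Before closing a revocation, list what `granting_entitlements` still returns for the user and resource; anything left is a remaining access path.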

  • Use groups for access. Use attribute-based groups or team groups for access instead of individual users when possible. This simplifies entitlements and makes them more understandable.
  • Limit long-lived access. Avoid granting access longer than necessary. Use expiration to automatically remove entitlements after a period of time.
  • Include justifications. Provide specific, structured reasons for access requests, such as links to a bug tracker or an internal issue number. This makes it easier to understand why someone has access.
  • Regularly review access. Periodically review active entitlements to remove any that are no longer needed.