
Entitlements

Entitlements in Oblique allow you to grant subjects (attribute-based groups, team groups, and users) access to resources. Entitlements can have an expiration date and a justification for access. A user or group has access to a resource when they have one or more entitlements that grant access to that resource.

You can create an entitlement from the Grant access page.

You can get there in many ways:

  • Navigate directly to the Grant access page. You can do this by selecting Grant access from the top level navigation menu.
  • If you know the attribute-based group, team group, or user to whom you want to grant access, select Grant access from their detail page. This will take you to the Grant access page with the subject pre-selected.
  • If you know the resources to which you want to grant access, select Grant access from the resource detail page. This will take you to the Grant access page with the resource pre-selected.

To create an entitlement:

  1. Under Subject, select the subject that will be granted access: an attribute-based group, team group, or user. You can select multiple subjects. Use the search field to find subjects by typing their name or display name.
  2. Under Resource, select the resource that subjects should gain access to. Use the search field to find resources by typing their name or display name. You can only select one resource.
  3. (Optional) Under Expiration, select a duration for the entitlement, after which it will automatically expire and the subject will lose access. By default, this is 90 days.
  4. (Optional) Under Justification, enter a clear justification explaining why access is needed. This helps explain entitlements which require approval, and helps when auditing entitlements as part of user access reviews.
  5. On the right-hand side, preview the impact of your change. The preview shows how access will change with this entitlement, along with the entitlement's configuration.
  6. Select Grant access.

After submitting, an entitlement is created that specifies access for each subject and resource pair. If the entitlement has an expiration, then it will automatically expire—for all subjects specified—at that time.

To see what entitlements an attribute-based group, team group, or user has, or which subjects have an entitlement to access a resource, go to that entity’s detail page.

You can select multiple subjects to grant them all access to the same resource with identical settings.

It’s not currently possible to grant access to multiple resources at once.

If a set of users needs access to the same set of resources, create a team group or attribute-based group to manage their access more efficiently. Adding a user to the team will automatically grant them access to the team’s resources.

Alternatively, create multiple entitlements.

You can edit an entitlement’s expiration date, to either extend or shorten it. You can also edit an entitlement to change it from being indefinite to expiring, or vice versa. You can only edit an entitlement if it’s direct.

For the user, team group, or attribute-based group whose access you want to edit, or the resource for which you want to edit access, navigate to their detail page:

  1. Under Access, locate the entitlement you want to edit.
  2. Select More, then select Edit expiration….
  3. Confirm you want to edit the entitlement and select Save.

For the user, team group, or attribute-based group whose access you want to revoke, or the resource for which you want to revoke access, navigate to their detail page:

  1. Under Access, locate the entitlement you want to revoke.
  2. Select More, then select Revoke….
  3. Confirm you want to revoke the entitlement and select Revoke.

Oblique will revoke the entitlement and sync any changes to the integration.

If a user has multiple entitlements which grant access to the same resource, all entitlements need to be revoked to remove access.

Entitlements with an expiration date will automatically be revoked by Oblique when the expiration date is reached.
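The rule that access persists while any one entitlement still grants it can be checked during an access review with a small model like the following. This is an added example, not Oblique code: the record fields, the membership map, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical record layout for an exported entitlement list; the field
# names are assumptions, not Oblique's schema.
@dataclass(frozen=True)
class Entitlement:
    id: str
    subject: str                     # user, team group, or attribute-based group
    resource: str
    expires_at: Optional[datetime]   # None means the entitlement is indefinite
    revoked: bool = False

def is_active(e, now):
    """An entitlement grants access until it is revoked or its expiration is reached."""
    return not e.revoked and (e.expires_at is None or now < e.expires_at)

def granting_entitlements(user, resource, entitlements, memberships, now):
    """Every active entitlement giving `user` access to `resource`,
    held directly or through a group the user belongs to."""
    subjects = {user} | memberships.get(user, set())
    return [e for e in entitlements
            if e.resource == resource and e.subject in subjects and is_active(e, now)]

def has_access(user, resource, entitlements, memberships, now):
    """Access exists while at least one entitlement still grants it."""
    return bool(granting_entitlements(user, resource, entitlements, memberships, now))

def revoke(entitlements, entitlement_id):
    """Return a copy of the list with one entitlement marked revoked."""
    return [replace(e, revoked=True) if e.id == entitlement_id else e
            for e in entitlements]

# Constructed sample data.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
MEMBERSHIPS = {"alice": {"team:payments"}}
ENTITLEMENTS = [
    Entitlement("e1", "alice", "prod-db", NOW + timedelta(days=90)),
    Entitlement("e2", "team:payments", "prod-db", None),
    Entitlement("e3", "alice", "billing-api", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    # Revoking only the direct entitlement leaves the group-based one in force.
    after = revoke(ENTITLEMENTS, "e1")
    left = granting_entitlements("alice", "prod-db", after, MEMBERSHIPS, NOW)
    print("alice still reaches prod-db via:", [e.id for e in left])
```

Listing the remaining granting entitlements before closing a revocation ticket shows whether the subject has actually lost access or only one of several paths to the resource.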

  • Use groups for access. Use attribute-based groups or team groups for access instead of individual users when possible. This simplifies entitlements and makes them more understandable.
  • Limit long-lived access. Avoid granting access longer than necessary. Use expiration to automatically remove entitlements after a period of time.
  • Include justifications. Provide specific, structured reasons for access requests, such as links to a bug tracker or an internal issue number. This makes it easier to understand why someone has access.
  • Regularly review access. Periodically review active entitlements to remove any that are no longer needed.