Entitlement policy

An entitlement policy allows you to automatically assign entitlements to your users based on their latest profile attributes and group memberships, which improves the security of your org. Entitlement policies also enable you to simplify your Universal Directory setup because you no longer need to use groups to govern user application entitlements.

Each application can have only one active entitlement policy. However, you can create multiple rules within a policy that govern how the entitlements are granted to your users. Use user-specific Okta Expression Language expressions to define the rules.

Keep the following considerations in mind to use policies effectively:

  • When you create multiple rules, Entitlement Management gives the highest priority to the last policy rule you create. You can also drag and drop rules on the Policy tab to change their priority.

  • If the entitlement only has one value, then the first rule that matches sets the entitlement value for the user. If the entitlement has multiple values, then the union of all rules that match sets the entitlement value for the user.

  • By default, when you first add a rule, it creates a draft policy. After creating rules, you can preview how the policy affects entitlement assignments for users before you apply the policy to activate it.

  • Editing a policy creates a draft copy of the active policy where you can make changes without affecting users immediately. You must apply the policy to set it to active.

You can’t edit an active policy directly. After you create a policy for an application and apply it for the first time, the app must always have an active policy.
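To make the priority and merge rules above concrete, here is a small Python model of the evaluation semantics: last-created rule wins for a single-valued entitlement, union of all matching rules for a multi-valued one. It is an added illustration, not Okta's implementation, and the `condition` lambdas stand in for the Okta Expression Language expressions a real rule would use; the users and rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

User = Dict[str, object]  # profile attributes plus a "groups" list (constructed input)

@dataclass
class Rule:
    name: str
    condition: Callable[[User], bool]  # stands in for an Okta Expression Language condition
    values: Set[str]                   # entitlement value(s) granted when the condition matches

@dataclass
class EntitlementPolicy:
    multi_valued: bool
    rules: List[Rule] = field(default_factory=list)  # kept in creation order

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def by_priority(self) -> List[Rule]:
        # The most recently created rule has the highest priority.
        return list(reversed(self.rules))

    def evaluate(self, user: User) -> Set[str]:
        matched = [r for r in self.by_priority() if r.condition(user)]
        if not matched:
            return set()  # no rule matched: the user gets no value for this entitlement
        if self.multi_valued:
            # Multi-valued entitlement: union of every matching rule's values.
            return set().union(*(r.values for r in matched))
        # Single-valued entitlement: the highest-priority matching rule wins.
        return set(matched[0].values)

USERS = [  # constructed sample users
    {"login": "alice", "department": "Engineering", "groups": ["Admins"]},
    {"login": "bob", "department": "Sales", "groups": []},
]

def build_role_policy() -> EntitlementPolicy:  # single-valued "role" entitlement
    p = EntitlementPolicy(multi_valued=False)
    p.add_rule(Rule("default viewer", lambda u: True, {"viewer"}))
    p.add_rule(Rule("engineers edit", lambda u: u["department"] == "Engineering", {"editor"}))
    return p

def build_license_policy() -> EntitlementPolicy:  # multi-valued "licenses" entitlement
    p = EntitlementPolicy(multi_valued=True)
    p.add_rule(Rule("everyone base", lambda u: True, {"base"}))
    p.add_rule(Rule("admin add-on", lambda u: "Admins" in u["groups"], {"admin"}))
    return p
```

Running `build_role_policy().evaluate(u)` over `USERS` is the equivalent of previewing a draft policy: alice resolves to `editor` because the engineering rule was created last, while bob falls through to `viewer`.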

Related topics

Create an entitlement policy