Manage user entitlements

You may need to review or edit an individual user's entitlements. This could occur if the user's project assignment changes, they need access to entitlements for a short interval, or they no longer need access to certain entitlements.

Before you begin

  • Sign in as a super admin, an app admin, or an admin with the following permissions:

    • Manage applications
    • Edit application's user assignments
    • Edit groups' application assignments or Edit users' application assignments
  • Enable Entitlement management for the app and create entitlements, if you haven't already done so.
  • Ensure that the app is assigned to the user.

  • Optional. Enable the Access requests conditions and Resource catalog feature to view or change user's access expiration for the entitlements and apps.

Start this task

  1. In the Admin Console, go to ApplicationsApplications.

  2. Select an app.

  3. Go to the Assignments tab.

  4. Open the options menu associated with the user.

  5. Click View entitlements or View access details.

  6. On the Entitlements panel, click Edit or Edit access, or if you enabled the Additive Entitlements EA feature, click Manage access.

  7. Optional. Remove entitlement bundles that Access Requests assigned to the user.

  8. Early Access release. See Enable self-service features.

    Optional. If you enabled the Additive Entitlements EA feature, you can remove an individual entitlement by clicking the X beside the entitlement. Click Revoke entitlement on the dialog that appears. Repeat this step to remove more individual entitlements.

  9. Select from one of the following options. The available options vary depending on the existing entitlement assignment method.

    • Apply policy
    • Revert to policy

      Reverting to policy removes all existing entitlements and bundles for the user. Policy rules are then used to govern the user's entitlements. If the user's profile attributes meet the conditions of policy rules, entitlements are assigned to the user.

      Click Revert to confirm.

    • Customize entitlements

      Select this option to assign individual entitlements to users. When you customize entitlements, the following occurs:

      • All existing entitlement assignments are removed.
      • Policy rules no longer apply to this user. The user can request bundles using Access Requests later.

      Choose from the available entitlement values to assign entitlements to the user, and then click Save.

    When you change the assignment source, Okta also resets the app expiration for the user and sets the expiration to never expire.

  10. Optional. Click Edit associated with Access expires to update the duration of user's access to the app. Follow the prompts in the UI to set the access duration and click Save. It may take a few minutes after the expiration for Okta to revoke the user's access.

    The app access expiration that you set must not be less than the access expiration of any entitlement bundles assigned to the user.

Related topics

Identity Governance Reports