Considerations and limits

Keep the following guidance in mind before using Entitlement Management:

  • Entitlement Management only supports applications as a resource.

  • System Log events may be inaccurate if enabling Governance Engine failed for an app.

  • For provisioning-enabled apps, you can only enable Governance Engine for app instances if you haven't enabled provisioning for them.

  • Enable Create Users and Update User Attributes for a provisioning-enabled app that has Governance Engine and provisioning enabled. These settings ensure that entitlements are assigned accurately. Set these options in the To App section under Settings on the Provisioning tab of the app instance.

  • Create a new app instance and enable Governance Engine to use entitlement policies effectively. Enabling Governance Engine for existing app instances marks the existing users' assignments as Custom. Policies that you create for an existing app instance only apply to new users assigned to the app.

  • Entitlement assignment by policy rules is effective for Okta-sourced groups only. If a user's membership of a non-Okta-sourced group changes, their entitlements assigned by the policy aren't updated.

  • You can't assign entitlement bundles to users directly from the Admin Console. You must set up Request Types so your users can request access to entitlement bundles from Access Requests. Alternatively, you can use APIs to assign bundles to users. See Okta Identity Governance API.

  • Entitlement Management doesn't use or enforce the Timer setting in Access Requests.

  • Entitlement Management doesn't support mandatory entitlements.

  • Access Requests doesn't support requests for apps with required entitlements or attributes.

  • Assigning bundles using an entitlement policy isn't supported.

  • The Self Service section on the app's profile page is unavailable if the app has Governance Engine enabled.

Supported applications for Entitlement Management

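| Application Type | | Supported |
| --- | --- | --- |
| Template Apps | OIDC (without Federated Broker Mode) | Yes |
| Template Apps | OIDC (with Federated Broker Mode) | No |
| Template Apps | SCIM | Yes |
| Template Apps | SAML | Yes |
| Template Apps | Bookmark | No |
| Template Apps | SWA | No |
| OIN Apps | Provisioning-enabled apps with Universal Directory (UD) attributes | Limited. See Apps with entitlement support. |
| OIN Apps | Provisioning-enabled apps without UD attributes | Yes |
| OIN Apps | Apps without provisioning enabled | Yes |
| OIN Apps | SWA | No |
| API Services App | n/a | No |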

Entitlement limits

| Component | Maximum |
| --- | --- |
| Entitlements in an org | 10,000 |
| Entitlement values in an org | 150,000 |
| Entitlements in a bundle | 100 |
| Entitlement bundles in an org | 1,000 |
| Number of entitlement policy rules for a third-party application | 100 |

Related topics

Provisioning-enabled app limits

Get started with Entitlement Management