Create an entitlement policy

An entitlement policy is a collection of rules. Add a rule to start creating an entitlement policy for an app. Adding a rule automatically creates a draft policy if you don't have an existing policy or haven’t added any rules. Rules allow an entitlement policy to automatically assign entitlements to users based on their profile attributes and group memberships.

Before you begin

  • Sign in as a super admin, an app admin, or an admin with the following permissions:

    • Manage applications

    • Edit application's user assignments

    • Edit groups' application assignments or Edit users' application assignments

  • Ensure that you're assigned to the Okta Entitlement Management application.

Start this task

  1. In the Admin Console, go to Applications > Applications.

  2. Search for and select an app.

  3. Go to Governance > Policy.

  4. If the app already has a policy and you're editing it, click Edit policy or Continue editing policy. Clicking Edit policy creates a copy of the active policy in Draft mode.

  5. Click Add rule. If the app has no policy yet and you haven't added any rules, this automatically creates a draft policy.

  6. Enter a unique and self-explanatory name in the Rule name field.

  7. Define the user scope using either basic conditions or Okta Expression Language.

     Basic conditions: use this method to define the user scope without writing Okta Expression Language.

     1. Select Use basic conditions, if it isn't already selected.

     2. From the dropdown menu, select the attribute type: User attribute or Group membership.

       • User attribute: Select an attribute, an operator, and a value.

       • Group membership: Select the groups that the user must be a member of.

     Okta Expression Language: use this method to define the user scope with a custom Okta Expression Language expression. If you've enabled the Realms feature, use this method to restrict a policy rule to users who belong to a specific realm.

     1. Select Use Okta Expression Language (advanced).

     2. In the Users field, enter a user-specific Okta Expression Language expression that defines the user scope. See Examples of Okta Expression Language and Okta Expression Language.

  8. Optional. Enter a user's name or email in the Preview User field and click Preview to check that the rule's scope includes that user.

  9. Select an entitlement and its corresponding value from the Entitlement and Value dropdown menus.

  10. Optional. Click + Add entitlements and repeat the previous step to add more entitlements.

  11. Click Add rule to save your changes and add the rule to the policy.

When you create multiple rules, Entitlement Management gives the highest priority to the last policy rule you created. You can also drag and drop rules on the Policy tab to change their priority.

If the entitlement accepts only one value, the highest-priority rule that matches the user sets that value; lower-priority matching rules don't override it. If the entitlement accepts multiple values, the user receives the union of the values from all rules that match.

Entitlements are assigned to users based on the policy rules that you set up.

In Okta-sourced groups, entitlements are granted only when a user meets the conditions of a policy rule. If a user meets the conditions of more than one rule, that combination determines their entitlements. If their profile attributes or group memberships change and they no longer meet the conditions, the entitlements are revoked.
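The following Python model is an added illustration, not Okta code, of the rule semantics described above: the basic user-scope conditions from the user-scope step (a user attribute compared with an operator and value, or required group membership), the last-created rule taking the highest priority unless reordered, a single-valued entitlement taking the first matching rule's value, a multi-valued entitlement taking the union of all matching rules, and a user losing an entitlement once they no longer match any rule that grants it. The operator names, the entitlement names `role` and `project`, the rule names, and the sample users are assumptions made for the example.

```python
"""Toy evaluator for entitlement policy rules (added example, not Okta code).

Operator names, entitlement names, group names and sample users below are
assumptions for illustration; Okta's actual evaluation engine is not shown.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class User:
    login: str
    profile: dict   # profile attribute name -> value
    groups: set     # names of groups the user belongs to


@dataclass
class Rule:
    name: str
    condition: Callable[[User], bool]
    grants: list    # (entitlement, value) pairs the rule assigns


def attribute(name, op, value):
    """Basic condition: compare one user profile attribute with a value."""
    ops = {
        "equals": lambda a: a == value,
        "not_equals": lambda a: a != value,
        "starts_with": lambda a: isinstance(a, str) and a.startswith(value),
        "contains": lambda a: isinstance(a, str) and value in a,
    }
    check = ops[op]
    return lambda user: check(user.profile.get(name))


def member_of(*group_names):
    """Basic condition: the user must belong to every listed group."""
    required = set(group_names)
    return lambda user: required <= user.groups


def priority_order(rules_in_creation_order):
    """Newest rule first, as the page describes; drag and drop would reorder this."""
    return list(reversed(rules_in_creation_order))


def evaluate(user, rules_by_priority, multi_valued):
    """Return {entitlement: value} (single-valued) or {entitlement: set} (multi-valued)."""
    result = {}
    for rule in rules_by_priority:
        if not rule.condition(user):
            continue
        for entitlement, value in rule.grants:
            if entitlement in multi_valued:
                result.setdefault(entitlement, set()).add(value)   # union of all matches
            else:
                result.setdefault(entitlement, value)              # first match wins
    return result


def revoked(before, after):
    """Entitlement values a user held before a profile change but not after."""
    lost = {}
    for entitlement, old in before.items():
        new = after.get(entitlement)
        if isinstance(old, set):
            gone = old - (new or set())
            if gone:
                lost[entitlement] = gone
        elif new != old:
            lost[entitlement] = old
    return lost


MULTI_VALUED = {"project"}   # assumption: "project" takes several values, "role" takes one

# Creation order matters: the catch-all viewer rule was created first, so it has
# the lowest priority and only decides "role" when nothing more specific matches.
RULES = [
    Rule("Everyone is a viewer", lambda user: True, [("role", "viewer")]),
    Rule("Engineering edits the platform project",
         attribute("department", "equals", "Engineering"),
         [("role", "editor"), ("project", "platform")]),
    Rule("App admins own everything", member_of("App Admins"),
         [("role", "owner"), ("project", "all")]),
]


def entitlements_for(user, rules=RULES):
    return evaluate(user, priority_order(rules), MULTI_VALUED)


if __name__ == "__main__":
    alice = User("alice", {"department": "Engineering"}, {"App Admins"})
    bob = User("bob", {"department": "Engineering"}, set())
    print(entitlements_for(alice))   # role from the admin rule, projects from two rules
    print(entitlements_for(bob))
    bob_moved = User("bob", {"department": "Sales"}, set())
    print(revoked(entitlements_for(bob), entitlements_for(bob_moved)))
```

The point to check in your own policy is the single-valued case: if a broad catch-all rule is created after (or dragged above) a more specific one, it wins for every user it matches, so preview a user from each population after reordering rules.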

You can view the rules for an active policy on the Policy tab. To view the rules for a draft policy, click Edit policy or Continue editing policy on the Policy tab. Expand the dropdown associated with the rule to view the details.

Next steps

Preview policy

Apply a policy